In fact, Symantec report that 40 per cent of all targeted attacks are now on smaller firms (those with fewer than 500 employees).
If you are attacked and suffer a breach – what should you do? A good security breach management plan has four main elements.
1. Monitoring, containment and recovery
A good security breach management plan starts with the ability to detect whether a breach has occurred. Given that cyber threats are evolving and growing rapidly, a cyber-strategy based only on preventative controls (e.g. a firewall perimeter) is unlikely to be effective. It is essential to ensure that all key aspects of your organisation are being monitored for cyber threats as well as for data loss events, so that the Board and key management can respond in an efficient and informed manner.
Don’t forget third parties and Cloud service providers – Trustwave reported in 2013 that of 450 data breaches, a massive 63 per cent involved third party outsourcing providers. It is essential to review your outsourcing and third party contracts, to ensure that you also receive sufficient security monitoring management information (MI), and to have a periodic assurance process for reviewing the security of your key third parties.
If a breach has occurred, you will need an agreed and documented approach for who will take overall charge of investigating the breach and who the key persons involved in the containment and recovery plan will be – to get things back to business as usual as quickly as possible. As part of this stage, it will be important to start thinking about who should be informed (e.g. staff, customers, regulators) and to ensure that any workarounds used to contain the breach (e.g. changing security codes, data recovery) are effective. At this early stage it is essential to try to contain the breach to limit losses.
2. Residual risk assessment
This stage is all about establishing the scale of the risks arising from the security breach, as well as assessing whether there are any ongoing risks that need to be managed (e.g. regulator communications). It will be important to identify the particulars of the loss event, including:
- What was lost – data, passwords, physical assets?
- How sensitive was the loss? Explore what another party could do with the stolen information assets;
- Have the access and audit logs been secured? This is often an important step to ensure there is a comprehensive audit trail for further ongoing assessments, and it may need the skills of forensic technicians to ensure there is a robust and secure audit trail of the original systems;
- What controls were in place to limit the loss (e.g. if data was stolen, was it encrypted?); and
- If it was sensitive data – who could potentially be impacted? What could the data be used for, and could it be used to identify or impersonate an individual? If the information assets lost were passwords – what could these be used to gain access to, and do you have other compensating controls (e.g. two-factor authentication) to limit unauthorised access?
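Securing the access and audit logs, as the list above recommends, in practice means taking copies of the original logs before anyone works on them and recording a hash of each copy so that the audit trail can later be shown to be unaltered. The following is an added illustration, not code from the article or from Moore Stephens: it copies a set of log files into an evidence folder, writes a SHA-256 manifest with collection details, and can later verify that the preserved copies still match. The two sample log files and the collector name are constructed for the demonstration; a real collection would point at the original system's log paths.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample logs (hypothetical hosts and addresses), used only so
# that the demonstration runs stand-alone; they stand in for real log files.
SAMPLE_LOGS = {
    "auth.log": (
        "2024-03-01T08:12:04Z sshd[2231]: Accepted password for jsmith from 10.0.0.15\n"
        "2024-03-01T08:14:51Z sshd[2240]: Failed password for admin from 10.0.0.99\n"
    ),
    "web-access.log": (
        '10.0.0.99 - - [01/Mar/2024:08:15:02 +0000] "GET /admin HTTP/1.1" 401 512\n'
        '10.0.0.99 - - [01/Mar/2024:08:15:09 +0000] "GET /export.csv HTTP/1.1" 200 88231\n'
    ),
}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_logs(source_paths, evidence_dir, collector):
    """Copy each log into evidence_dir, hash it, and write manifest.json.

    The source is hashed before copying and the copy is hashed afterwards;
    a mismatch means the copy is not a faithful record and is rejected.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in source_paths:
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        os.chmod(dst, 0o444)  # preserved copies are read-only from here on
        stat = os.stat(src)
        entries.append({
            "file": os.path.basename(src),
            "source_path": os.path.abspath(src),
            "size": stat.st_size,
            "source_mtime": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": src_hash,
        })
    manifest = {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy; return the names that no longer match."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    mismatches = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["file"])
    return mismatches


def run_demo():
    """Preserve the constructed logs, verify them, then show that a later
    change to a preserved copy is detected. Returns the results for review."""
    base = tempfile.mkdtemp(prefix="breach-evidence-")
    source_dir = os.path.join(base, "source")
    evidence_dir = os.path.join(base, "evidence")
    os.makedirs(source_dir)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(source_dir, name), "w") as fh:
            fh.write(text)
    sources = [os.path.join(source_dir, name) for name in SAMPLE_LOGS]

    manifest = preserve_logs(sources, evidence_dir, collector="incident-lead (constructed)")
    clean = verify_evidence(evidence_dir)

    # Deliberately alter one preserved copy to demonstrate that the manifest
    # catches it; this stands in for accidental or malicious modification.
    altered = os.path.join(evidence_dir, "auth.log")
    os.chmod(altered, 0o644)
    with open(altered, "a") as fh:
        fh.write("2024-03-01T09:00:00Z sshd[9999]: line added after collection\n")
    tampered = verify_evidence(evidence_dir)

    return {"manifest": manifest, "clean_mismatches": clean,
            "tampered_mismatches": tampered, "evidence_dir": evidence_dir}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest records who collected the logs and when, alongside the hash, size and original modification time of each file, which is the information a forensic technician or regulator will ask for when the trail is later relied upon. Verification only reports whether the copies still match; it does not attempt to repair them, since an altered copy is itself a fact the investigation needs to know about.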
3. Notification and communications
Consider what the risk assessment tells you about who is likely to be affected by the security breach, and then how these people are to be informed and by whom. Ensuring there is a clear and approved message is essential. A notification policy should incorporate a description of how the breach occurred, the steps you’ve taken to contain the breach and assess its risks, and a description of the information assets that were affected.
Informing key persons can be an important part of a well governed breach management plan – allowing the other parties to be aware and to provide advice where appropriate. Also consider whether you have any legal or contractual obligations to report security breaches. This might include reporting to regulators, but also to your third parties, partners or customers.
4. Post event investigations
After the event, it will be important to take the key learnings from the security breach – as well as evaluating the effectiveness of how your organisation responded. One of the key questions to ask is what can be done to prevent a similar or related breach from arising in the future. Many organisations that have suffered a breach have been forced to take a step back to assess their security framework holistically – far too many security frameworks start and end with ‘IT’. Leading organisations are appreciating that security risks are now a business-wide risk that should be managed as part of an end-to-end risk framework.
Take a fresh look at whether you fully understand what information assets are potentially at risk across your organisation, where key information is stored and what controls are in place to ensure that your organisation is appropriately protected. You need to fully understand the potential gaps in security so that the Board can properly assess the associated risks and satisfy itself that your security framework is effective.
Gavin Davey is Associate at Moore Stephens.