It’s been hard to avoid the weekly barrage of IT security news stories and updates recently: yet another big company hack, another data breach or data leak.
Some of the more recent examples have gained board level and senior exec interest, mainly, I’d suggest, because the CIOs, CISOs and CEOs of the impacted companies lost their jobs over these events. There are far too many recent examples of incidents to shake a stick at, and breach fatigue is becoming very real given the sheer volume and frequency of incidents reported in the media. But it hasn’t happened to you yet… correct?
If you haven’t had to deal with an incident, this ignorant bliss can provide some temporary comfort. However, more and more people are becoming aware of the following phrase being used with board members and senior management alike:
it’s only a matter of ‘when’… not ‘if’ a security / data breach WILL occur
Some practical advice on cyber incidents
The purpose of this article is not to instil fear, uncertainty or doubt (A.K.A. “FUD”, as us pragmatic security folk refer to it, and avoid like the plague). It is to acknowledge that these events are increasing in size and frequency at an exponential rate, and that it’s an unfortunate reality that it’s only a matter of time before you experience one first hand yourself.
However, rather than focusing on the bad stuff, let’s flip this topic on its head and look at it from a different angle.
Proactive Incident Response
Newsworthy data breaches, hacks and security incidents also offer, on the flip side, an opportunity for businesses to demonstrate and build trust in their brand. What the? Yes, they do.
Companies can show that, even though the proverbial cyber armageddon shit has hit the fan, they, as the ones responsible for looking after your data, are responding wholeheartedly with your interests in mind, rather than with a response that smacks of self-protection or a cover-up. Case in point, two incidents at polar opposite extremes: the recent cover-up by Uber, where they paid hackers to keep quiet (which is terrible for their brand), compared to the Australian Red Cross, who have been commended on how well they handled their recent data breach, the most significant in their history. The Australian Red Cross leadership team managed this incident very well, with honesty and timely provision of factual information about the breach and the data impacted.
I’m not going to focus on mandatory data breach notification for now, as there’s enough material out there already to fuel an energy company. What I think is important is to make people realise the positive side of being ready for an incident, and of having great comms and a comms strategy in place and ready to roll.
As I mentioned earlier, the unfortunate reality is that it is no longer a matter of “if” an incident will occur, but “when”. Therefore I cannot stress enough the importance of having solid incident response plans in place, plus a solid comms plan and chain of command for when it does.
Given the world we live in today, it’s even more important for companies big and small to spend some time rehearsing their response to a variety of security incidents that have already occurred elsewhere. Harsh reality, but as the scouts say, it’s better to “be prepared” for when that not so pleasant day comes and a breach or data incident occurs.
Most people within the industry talk about running regular ‘cyber simulations’ (red on blue flag exercises) at least once per quarter, to ensure everything is ready, super proactive, and ready to go. It’s an opportunity not only to test business processes, incident response and communications plans, but to challenge the team’s capabilities in responding to real world cyber incidents through realistic simulations.
Be Prepared For The Terrible Ten Cyber Scenarios
Have you thought through what would happen if any of the more common incident scenarios did indeed happen? Why not make things easier, and engage with the relevant people within your business to ensure everyone knows and understands the roles they play, so they are better prepared for when an incident does actually happen?
I call these the “Terrible Ten Cyber Scenarios” because these are ten real scenarios I hope no one should have to deal with, but some actually have. Unfortunately there are various real examples of these happening to a wide variety of companies globally. Hence every business should think about them and be ready for them. In no particular order, the nightmare scenarios are:
1. Public disclosure of a company breach, data loss or hack by a journalist online prior to any incident detection, knowledge or notification
2. Exposure of confidential customer data
3. Destructive cyber attack on company production systems
4. Large scale virus compromise of company systems
5. Prolonged denial of service attack preventing customer use of company systems
6. Brand damage through targeting / ridiculing of key high profile executives or board members online
7. Disclosure of internal company / staff data not intended to be public
8. High value fraud against customers or company systems
9. Exfiltration of company intellectual property (IP) for commercial, strategic or political gain
10. Social media brand attack – defacement of company online public assets
So how about enhancing your company’s trustworthiness?
Let’s play this one out and walk through the first one to demonstrate the difference in adopting a proactive trustworthy approach.
Whilst working for a large organisation that has lots of customers (and annual revenue to boot), you receive a notification from a reputable, globally known IT security journalist informing you that they’ve been notified of a large security incident involving your company. Although no one internally has seen any other indication or detection of an issue, everyone in the office spins into a frenzied panic.
A short time later, you receive a call from your public affairs / comms rep, informing you that they’ve just heard from a popular local IT news journalist who is asking for a formal comment / response on a potential incident at your company. They’re looking for more info so they can publish an article about it online in the next couple of hours. Tick, tock, tick, tock… heart goes pa-doom pa-doom…
The proactive step
Obviously you will need to kick off a team that focuses on performing a preliminary assessment and containment of the incident / breach, but at this stage you still don’t know much about it, or what has been exposed (yet). Once the initial contact from the reputable external source notifying you of the incident has been validated as authentic, there’s still not much to go on, but you know it’s going to be big in the media. The incident itself could be big or small, but there’s no info to confirm either way.
So what do you do? Be proactive.
The best approach is to inform senior company staff of the incident yourself, so that they hear it directly rather than second or third hand from another team, department or, worse, from an external party. That way they can be prepared, and won’t be caught off guard. Even though there’s not much info yet, a heads up is better than none.
The point is that by being prepared for an incident, and most importantly having comms at the ready, you demonstrate proactiveness and can enhance, rather than degrade, your brand’s perceived trustworthiness. By being able to provide factual, accurate and specific information on what has occurred and what data was affected, in a timely, genuine and empathetic fashion, you can make a massive difference, and actually come out on top.
The same applies to big Australian companies when considering whether to contact the Office of the Australian Information Commissioner.
If you give them a heads up about the incident and tell them exactly what you know (which is not much at this stage), you are demonstrating to them (and everyone) that you are providing the facts as you know them, and doing the right thing. Most importantly, you are giving them an early heads up. That way they can support and guide you through the process moving forward.
Obviously, there are a number of legal obligations to be aware of, especially given the upcoming changes to mandatory data breach notification in February 2018, so it’s best to read up on the information provided by the Office of the Australian Information Commissioner, which has published a detailed guide on developing a data breach response plan.
It’s also worthwhile reporting details of security incidents to ACORN (https://report.acorn.gov.au/), particularly where there is likely to be a risk of fraud as a result of the incident. They can assist, and potentially forward your info to the relevant law enforcement team.
So are you ready?…