“An issue ignored is a crisis ensured” - Dr Henry Kissinger
The adage “it’s not if, but when” your business is subject to a cyber-attack is becoming a little worn within the cyber security industry. It also flies a little too close for my liking to the negative approach of using “fear, uncertainty and doubt” to sell security services and products. However, rhetoric aside, it is certainly true that we live in a world where security incidents are accelerating with both frequency and volume.
Recently published, Symantec’s Annual Threat Report highlights that in 2018, web attacks increased by 56% and “nearly one in ten targeted attacks now use malware to destroy and disrupt business operations”, constituting a 25% increase from the previous year.
What’s more, organisations, either through choice or because of new legislation, are now being forced to proactively disclose when they’ve been subject to a data breach. This provides the security industry and more importantly consumers, with insight into the dirty laundry many organisations have previously tried to hide.
In its latest Notifiable Data Breaches Quarterly Statistics Report, which captures data notification breaches received between 1 October and 31 December 2018, the Office of the Australian Information Commissioner (OAIC) reported 262 breach notifications. 64% of these were caused by malicious or criminal attacks against organisations, with the health industry reporting the most breaches.
If it’s accepted that a security incident could happen to anyone, the focus naturally turns towards how organisations should respond. You need only think of the public criticism heaped on Equifax and Uber after their respective breaches to know how to turn a security incident into a crisis!
Beyond public shaming, there’s also the financial impact from badly handled breaches, with failure to report a data breach potentially leading to fines up to $2.1M (AUD). If your organisation has operations in the European Union, penalties are even higher under the General Data Protection Regulation (GDPR) and up to $10M (EUR) or 2% of the company’s global annual turnover (whichever is higher).
“Trying to plan during a crisis is like trying to install air bags while your car is heading for a wall at high speed.” - Phil Corgan
At Digital Resilience we offer incident response planning as a service for our customers. We’ve developed the following guidance to assist you in your planning efforts:
Ensure the team has the full backing of senior management
Involve cross-functional areas including IT security, IT operations, physical security, HR, legal and communications teams
Establish the appropriate levels of response to an incident: these may be no response, automated response, or involving team members or management
Look outside the organisation if necessary, to augment the internal team’s skills and knowledge
Ensure necessary levels of authorisation and autonomy (there’s no need to involve senior management for an issue with minimal business impact, for example)
Integrate your incident response plans with business continuity planning
Train all incident response personnel in their responsibilities
Test the incident response plan annually to ensure effectiveness and applicability
If an incident does occur, make sure to keep an incident response log for an accurate record of all actions and outcomes
Finally, implement a review process to learn from any incidents that required a response, and to uncover where to make process improvements