By Steve Benton, BT Deputy CSO, GM Cyber and Physical Security Operations and Programmes
We’ve all heard the old adage: if you fail to prepare, prepare to fail. It is never more relevant than in the event of a data breach.
In today’s climate of global connectivity where businesses’ core applications are exposed to open Internet traffic and critical data flows between multiple devices and locations at any given time, security teams should be asking not if their data will be breached, but when.
Failing to prepare for the inevitable risks making your business the next PR spectacle: a company that mishandles its incident response and suffers serious reputational damage. The data breaches in recent headlines are enough to show the cost of insufficient preparation.
To have the best chance of an effective response and a full recovery, businesses should have a robust incident response strategy in place that combines technical, communications, and legal and regulatory measures.
The black swan: Expect the unexpected
Bringing these three factors into one robust response plan can be challenging, but although you hope you never have to action it, you need to know it covers all bases.
One of the best ways to prepare is to run a black swan exercise: a data breach test run against a truly worst-case scenario that puts every department through its paces. Simulating a data breach is an excellent way of mapping out your current defences, assessing the general hygiene of your estate and ensuring protocols are in place and understood across all departments and levels of seniority.
Technical preparation and response
A black swan exercise helps first responders understand why they must establish the facts of a breach before acting, and deliver a measured reaction that prioritises containment.
A good technical response rests on asset and vulnerability management. Which systems and parts of your infrastructure have been affected? Do you know the patch levels of the applications running on them? Know your data: what has been impacted, what does it contain, have the attackers compromised its integrity, and have they exposed or stolen it?
The technical team can only answer these questions from a comprehensive, current inventory of the estate; and only once they have been answered can you get a forensic wrap around the damage done.
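As an added example (not code from the article or from BT), the scoping questions above expressed as a small Python helper. It joins the hosts identified as compromised against an asset inventory and reports the affected systems, the data classes they hold, which hosts are internet-facing or behind on patching, which hosts the inventory has never seen, and the reporting deadlines that follow from the data classes involved, which is the question the compliance section below asks. The inventory layout, the sample records and the mapping of data classes to reporting regimes are constructed assumptions; the 72-hour GDPR Article 33 and 24-hour PECR figures are the statutory ones, and real obligations must come from counsel.

```python
"""Breach-scoping helper: join the hosts identified as compromised against the
asset inventory to answer the first responder's questions (which systems, what
data, how exposed, what must be reported and by when).

Added example, not from the article or from BT. The inventory format, field
names, sample records and the notification-rule table are constructed for
illustration; real reporting obligations must come from counsel.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample asset inventory (CSV). data_classes is ';'-separated.
INVENTORY_CSV = """hostname,owner,os,last_patched,data_classes,internet_facing
web-01,digital,ubuntu-22.04,2024-03-01,,yes
api-02,digital,ubuntu-22.04,2023-11-15,customer_pii;payment_card,yes
db-03,platform,rhel-9,2024-02-20,customer_pii;health,no
hr-04,people,windows-2019,2023-09-30,employee_pii,no
build-05,eng,ubuntu-22.04,2024-03-02,,no
"""

# data class -> (reporting regime, hours from awareness). GDPR Art. 33 gives
# 72 hours to the supervisory authority (the ICO in the UK); PECR reg. 5A
# gives telecoms providers 24 hours. Which classes map to which regime is an
# assumption for this example; payment_card is deliberately left unmapped.
NOTIFICATION_RULES = {
    "customer_pii": ("GDPR Art. 33 - ICO", 72),
    "employee_pii": ("GDPR Art. 33 - ICO", 72),
    "health": ("GDPR Art. 33 - ICO", 72),
    "telecoms_subscriber": ("PECR reg. 5A - ICO", 24),
}


def load_inventory(csv_text):
    """Parse the inventory CSV into {hostname: record} with typed fields."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["data_classes"] = {c for c in row["data_classes"].split(";") if c}
        row["last_patched"] = datetime.strptime(
            row["last_patched"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        row["internet_facing"] = row["internet_facing"].strip().lower() == "yes"
        inventory[row["hostname"]] = row
    return inventory


def scope_incident(inventory, compromised_hosts, aware_at, patch_sla_days=30):
    """Return a scoping report for the given compromised hosts.

    aware_at is the moment the organisation became aware of the breach (the
    point from which the GDPR clock runs), as a tz-aware datetime or ISO string.
    """
    if isinstance(aware_at, str):
        aware_at = datetime.fromisoformat(aware_at)
    affected = [inventory[h] for h in compromised_hosts if h in inventory]
    # A compromised host missing from the inventory is an inventory gap as
    # much as an incident finding: you cannot say what data it held.
    unknown = sorted(h for h in compromised_hosts if h not in inventory)
    data_classes = set()
    for rec in affected:
        data_classes |= rec["data_classes"]
    stale_cutoff = aware_at - timedelta(days=patch_sla_days)
    deadlines = {}
    for dc in data_classes:
        if dc in NOTIFICATION_RULES:
            regime, hours = NOTIFICATION_RULES[dc]
            deadline = aware_at + timedelta(hours=hours)
            # keep the earliest deadline per regime
            if regime not in deadlines or deadline < deadlines[regime]:
                deadlines[regime] = deadline
    return {
        "affected_hosts": sorted(r["hostname"] for r in affected),
        "unknown_hosts": unknown,
        "internet_facing": sorted(r["hostname"] for r in affected if r["internet_facing"]),
        "stale_patches": sorted(r["hostname"] for r in affected if r["last_patched"] < stale_cutoff),
        "data_classes": sorted(data_classes),
        "unmapped_classes": sorted(dc for dc in data_classes if dc not in NOTIFICATION_RULES),
        "deadlines": {k: v.isoformat() for k, v in deadlines.items()},
        "earliest_deadline": min(deadlines.values()).isoformat() if deadlines else None,
    }


def example_report():
    """Constructed scenario: two known hosts and one the inventory has never seen."""
    inventory = load_inventory(INVENTORY_CSV)
    return scope_incident(inventory, ["api-02", "db-03", "vpn-99"],
                          "2024-03-10T09:00:00+00:00")


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Two outputs deserve attention in an exercise. `unknown_hosts` (here `vpn-99`) is a compromised host the inventory has never heard of, which is exactly the situation the next paragraph warns about. `unmapped_classes` (here `payment_card`) is a data class the playbook has no reporting rule for; that gap should be closed during the black swan exercise rather than discovered against a live deadline.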
The last thing the technical security team should do in the event of a breach is panic. With poor preparation and insufficient knowledge of what is on your estate and where, you will find yourself grasping at straws and potentially inflicting more damage on your own network, for example by rebuilding a host before its evidence has been captured or by cutting off a system the business depends on.
Having an incident response plan in place is incredibly important, but maintaining strong cyber hygiene and controlled management of your network, applications and data flows is the best way to limit the need to use it.
Media and press: Preparing for the storm
Once your technical team know the facts, the way you communicate them, both internally and externally, is crucial to a successful incident response. It is important to understand that the extent of the breach will surface one way or another; speculating about it or downplaying it will only do your business reputational damage in the long run.
For your black swan exercise, make sure that any public-facing employees receive sufficient media and public communications training; a lot of the fallout from breaches rests not just on the facts, but on how they are funnelled to the media team and the public. Everything should be rigorously rehearsed, from media interviews, to press releases, through to what action should be taken in the event of an unexpected leak and who will communicate the information based on its severity.
Crafting effective and adaptable boilerplate statements, and providing an honest and prompt company response that tells customers whether they are at risk and what will be done to protect their data, will ultimately reflect well in the media.
Compliance is key
During a black swan exercise, businesses need to be asking themselves what specific legal requirements their data carries, why it might be targeted and what their obligations are as custodians of that information.
The reporting window is short. Under the GDPR (retained in the UK as the UK GDPR), a personal data breach must be reported to the Information Commissioner’s Office (ICO), or the equivalent regulator for your region, within 72 hours of becoming aware of it; telecoms and internet service providers face a tighter 24-hour deadline to notify the ICO under the Privacy and Electronic Communications Regulations (PECR). The regulation allows the information to be provided in phases, so the first notification does not have to be the final report, but it does have to be accurate. Without a strong prior understanding of the type of data that has been affected and the legislation governing its protection, your security team will find itself scrambling towards the deadline with a limited and potentially inaccurate report.
It is important for businesses to remember that this window opens from the moment the organisation becomes aware of the breach, not from the moment the report reaches the CISO. Whether the first person to spot it is a data analyst or the CISO, there has to be an ingrained culture of fast and effective communication about potential incidents.
Build the culture you want to see
It’s in building this culture of shared responsibility and communication that businesses can craft the most effective and sustainable incident response plan. Cyber defence is, and always will be, a team effort. Training employees at all levels to understand that they are operating in an environment of mutual confidence and trust, and free from individual blame, is crucial.
It is also important for employees to learn from previous breaches and examine the whole timeline of an incident: What happened? What decisions were made? Did we get to the root cause quickly enough? If it was a protocol issue, you can update your playbook. If it was a technical issue, you can explore deploying new technology across your network. If it was a lack of expertise, you can increase training or consider bringing on a partner to fill the gaps. The solutions that come from this analysis help bolster your future incident response plan.