Steve Mair, Principal Consultant
John T. Chambers, former executive chairman and CEO of Cisco Systems, is credited with first stating that:
“There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”
This aphorism is generally accepted within the information security and wider risk management industries as being true.
If we accept that this is the case, then it is logical that we should prepare our companies for cyber-attacks, not only for the breach itself but also for how they should respond.
Some of the key questions we should be asking are listed below, followed by details of how to answer each of these all-important issues:
- How will you respond to the press / social media / public if they ask about it, or if the story gets out?
- How will you identify what data has been stolen?
- How will you determine the scope and scale of the breach?
- How will you know how the breach happened, and how do you stop it happening again in future?
Press / social media
For many organisations, how they respond and deal with public perception after a breach is paramount. A positive, well thought out and competent approach that demonstrates to the public that the organisation is in control will likely result in limited reputational damage and no significant decline in public confidence.
The opposite is true too. If the public perception is that the organisation does not know what it is doing, or has no clear plan for addressing the breach, then confidence will drop and may have a significant effect on the organisation’s share price.
As an example of the perils of saying the wrong thing at the wrong time, Gerald Ratner’s infamous statement in 1991, “We sold a pair of earrings for under £1, which is cheaper than a shrimp sandwich from Marks and Spencer, but probably wouldn’t last as long,” caused the share price of his business to lose £500 million in a matter of weeks; the majority of his 2,500 stores were sold and he ended up resigning a year later.
It is often first impressions that count in these circumstances. Your organisation should plan how it is going to deal with an event, who it needs to contact, who will talk to the press, and so on. It should also have contact details for appropriate people within the press and media to hand. It is also sensible to have at least some pre-prepared statements which have been agreed by the board in advance, so that the appropriate messaging can be provided at the right time.
Identifying stolen data and determining the scope and scale of the breach
The 2020 Cost of a Data Breach Report stated that “On average, companies in the 2020 study required 207 days to identify and 73 days to contain a breach in 2019, combining for an average ‘lifecycle’ of 280 days.”
Working out what has been taken, and when, can be very challenging for many organisations. This is usually done by interrogating files known as event logs, which capture information relating to activity on a system or network. The organisation can decide which events are to be captured. Typically, the organisation will need to have been capturing and retaining system and event logs from its servers and network devices (including firewalls and routers), and probably also from endpoint devices (including laptops and desktops). Logs take up a huge amount of disk space, which in the past has been very expensive, so there is a risk for many organisations that not everything has been logged, or that logs have not been retained for the 9 or 10 months needed.
Trawling through those logs to establish what “normal” operations look like, and then to find “abnormal” actions, is not practical for a human, but there are many tools available that can interrogate and map the logs. These are usually advertised as Security Information and Event Management (SIEM) tools, but there may be individual tools for specific requirements or sets of logs.
These tools are used along with forensic techniques to determine exactly what happened and when; typically, specialist incident response teams and digital forensics experts are called in to help with this.
Your organisation should determine exactly what events it wants to capture in its logs and should also ensure that log files are retained for an appropriate length of time: it is not uncommon to retain them for one year.
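As an added illustration (not from the original article or any product), the following Python script shows in miniature what a SIEM correlation rule does with the logs described above: it learns each user's usual source addresses from a known-good window, then flags later events that fall outside that baseline (new source, out of hours, failed logins, and a success following repeated failures). The log format, field names, business-hours window, sample lines and the `retention_covers` helper are all constructed assumptions; the 280-day figure is the lifecycle quoted from the 2020 report.

```python
"""Baseline "normal" logon activity from a constructed log sample and flag
abnormal events, the way a simple SIEM correlation rule would.
Added example: log format, field names and sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system): one key=value event per line.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z host=web01 user=alice src=10.0.1.20 event=login status=success
2024-03-04T09:15:40Z host=web01 user=bob src=10.0.1.21 event=login status=success
2024-03-05T08:58:03Z host=web01 user=alice src=10.0.1.20 event=login status=success
2024-03-05T17:30:12Z host=db01 user=bob src=10.0.1.21 event=login status=success
2024-03-06T02:14:55Z host=db01 user=alice src=198.51.100.7 event=login status=failure
2024-03-06T02:15:01Z host=db01 user=alice src=198.51.100.7 event=login status=failure
2024-03-06T02:15:09Z host=db01 user=alice src=198.51.100.7 event=login status=success
2024-03-06T02:20:30Z host=db01 user=alice src=198.51.100.7 event=file_read path=/srv/customers.csv
"""

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 UTC is "normal" working time
FAILURE_THRESHOLD = 2           # a success after this many failures from one source is suspicious
LIFECYCLE_DAYS = 280            # average identify + contain time quoted from the 2020 report

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; return None for unparseable lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        fields["ts"] = parse_ts(parts[0])
    except ValueError:
        return None
    return fields

def build_baseline(events):
    """Per-user set of source addresses that logged in successfully in the known-good window."""
    baseline = defaultdict(set)
    for e in events:
        if e.get("event") == "login" and e.get("status") == "success":
            baseline[e.get("user")].add(e.get("src"))
    return baseline

def find_abnormal(events, baseline):
    """Return (ts, user, src, event, reasons) for every event outside the baseline."""
    failures = defaultdict(int)   # (user, src) -> failed logins seen so far
    findings = []
    for e in events:
        user, src = e.get("user"), e.get("src")
        reasons = []
        if src not in baseline.get(user, set()):
            reasons.append("new_source")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if e.get("event") == "login":
            if e.get("status") == "failure":
                failures[(user, src)] += 1
                reasons.append("failed_login")
            elif failures[(user, src)] >= FAILURE_THRESHOLD:
                reasons.append("success_after_failures")
        if reasons:
            findings.append((e["ts"].isoformat(), user, src, e.get("event"), reasons))
    return findings

def analyse(log_text, baseline_until):
    """Learn the baseline from events before `baseline_until` (ISO 8601), then scan the rest."""
    cutoff = parse_ts(baseline_until)
    events = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    baseline = build_baseline(e for e in events if e["ts"] < cutoff)
    return find_abnormal([e for e in events if e["ts"] >= cutoff], baseline)

def retention_covers(retention_days, lifecycle_days=LIFECYCLE_DAYS):
    """True if logs kept for `retention_days` still reach back over the average breach lifecycle."""
    return retention_days >= lifecycle_days

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, "2024-03-06T00:00:00Z"):
        print(*finding)
    print("one-year retention covers the 280-day lifecycle:", retention_covers(365))
```

Run as-is, the script reports the four out-of-hours events from the unfamiliar address, including the success that follows two failures and the subsequent file read; a real SIEM applies the same idea across many more fields and far larger volumes, which is why the baseline only works if the logs were captured and retained in the first place.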
In addition, you should identify one or more trusted organisations to help with incident response: these may be kept on a retainer so they are available when needed, or at the very least you should ensure you have up-to-date contact details so that they can be engaged as soon as possible. The incident response team should include experts in digital forensics, because you will need people to review exactly what happened in order to determine how the breach occurred, and they may also be able to confirm what data has been stolen or accessed.
Preventing it from happening again
Once you know what happened, and how, you need to review existing security practices to protect your organisation from a recurrence. For example, if the initial attack came through an infected email, you may look at better email scanning and/or phishing awareness training for staff.
This is an iterative process: after each successive attack, you look to strengthen defences further.
If the organisation does not have an Incident Response plan, one should be created and tested. This may be linked to the organisation’s Business Continuity Plan, but it is a separate discipline and should be treated as such. A common way of testing the Incident Response plan is to run tabletop exercises to confirm that all relevant aspects are included and known.