The Inevitability of Cyber Breaches: How to Prepare for When it Happens
By David Wheeler, Of Counsel for Greenberg Traurig
In May, experts gathered to discuss the characteristically quiet but significant changes in accounting and IT standards and how they impact the way we do business. In this article, David Wheeler challenges firms to consider how to sound the alarm when their most valued asset is threatened: their information.
With just a few keystrokes, today’s technology allows you to access essential business data from your device of choice and take your business anywhere. With so much information in mass transit on the cyber highway, a breach or an incident is bound to occur. Can your firm respond swiftly and effectively to a cyber-threat? Do you know who needs to be involved to mitigate staggering damage to your business?
With so much valuable information accessible through cyber-networks, the implications of a breach cannot be resolved with a technical solution alone. Data threats require a concerted response involving c-suite leadership to secure company information. Organizations that develop a response plan before a security incident occurs can significantly reduce the duration, disruption and recovery costs of such incidents. The thoughts and practical recommendations below are offered as a guide to strong cyber incident response planning.
The Incident Response Team Should Have Comprehensive Expertise
As a good practice, the response to a cyber incident should be quarterbacked by the organization’s incident response team under the direction of a team coordinator. Although the first responders may be members of the organization’s information technology staff or other company employees, the incident response team’s responsibility is to provide overall strategic and tactical guidance for the response. Ideally, the team should include c-suite members (the chief information security officer, chief privacy officer, or chief security officer), together with representatives of human resources, risk management and information technology, and may also include an outside cyber forensic partner, public relations consultants, and in-house or outside legal counsel.
This team’s first priority during an incident is to take control of the situation with the intent of mitigating potential harm to the organization, its clients, business partners, or affiliates. After the attack is effectively contained, the team can implement improvements that prevent attacks from recurring and report the outcome of the incident to executive management so that appropriate actions may be taken. The team should use a phased approach to address the cyber incident:
Phase One: Detection, assessment, and triage
Phase Two: Containment and reduction of continuing harm
Phase Three: Remediation and recovery
Phase Four: Post-incident concerns
An Incident Occurs: Controlling Risk and Limiting Damage
Phase One involves detection, assessment and triage, critical activities for a successful response to a cyber-security incident. Indications of an incident can come from many different sources: technology may be lost or stolen, the Intrusion Detection System (IDS) may trigger an alert, the network monitor may show a spike in unauthorized traffic, or a server may be hit with a Distributed Denial of Service (DDoS) attack. The incident response team should always consider that cyber incidents may have legal, human resources and public relations implications, and initially the incident should not be disclosed to anyone without a specific need to know, e.g., other team members. An important result of the activities in this phase is the determination of the severity of the incident. Based on available data, the team must establish whether or not an incident has occurred. Every security event should be evaluated and verified by reaching one of three conclusion-action points:
- Verified and Proceed;
- Undetermined and Proceed; or
- Refuted and Terminated.
The Team should give careful consideration to the collection and preservation of event evidence and findings.
The Team’s Goal is to Contain the Event and Reduce Continuing Harm
In Phase Two, attention is focused on performing detailed impact analyses to properly prioritize the response activities required for high-impact breaches. During this phase the organization should engage in containment and initial incident recovery, along with evidence preservation activities. At this stage, the cyber incident response team should follow a formal plan to manage the remaining incident response processes. Incidents should be formally identified by category, with the focus on appropriate identification and documentation of containment strategies. Since triage actions are often executed in a crisis environment, one of the critical activities in Phase Two is to validate that the containment and related triage activities will actually be effective. These activities should ensure that all affected systems are isolated from other systems and that operations are not adversely affected.
Remediate and Recover
Phase Three delves meaningfully into remediation and recovery. Based on the severity of the incident, incident response plan activities should address mitigation of the incident by finishing containment. Further, the analysis and investigation results should lead to eradication activities, and ultimately to recovery from the cyber-security incident. Where possible, affected systems should be purged, restored and refortified with protective measures, and placed back into their normal operating environment. If an incident has resulted in the destruction or corruption of data, special recovery steps may also be necessary, e.g., engagement of specific elements of a disaster recovery plan. Once the incident has been contained and critical services and data recovered, the team coordinator should meet with technical staff, external entities, and other participants to understand the root causes of the incident, the strength of the existing controls that defend against such incidents, and any other lessons learned throughout the incident response process. Depending on the severity and scope of the incident, the team coordinator should also debrief the incident response team to ensure that all matters have been addressed and that all systems are back to normal with preventative measures in place.
The Incident Response Plan should Include Activities that Support Implementation of Lessons Learned
Phase Four considers post-mortem or post-incident matters. After the incident is adequately handled, the team should issue a report of findings that details the root cause and total cost of the incident, along with the steps the organization should take to prevent future incidents. In this phase, an incident recovery report should be prepared that includes, at a minimum:
- A statement of the circumstances surrounding the incident
- A summary of the incident activities and timeline
- Conclusions and supporting evidence
- Recommendations for short and long term mitigation
As the event comes to a close, all evidence should be securely archived and stored. In most cases, at least the original evidence, one backup copy, the report and supporting documentation should be maintained under an appropriate retention framework. Special circumstances may dictate that some investigation material be destroyed, but only with the advice of counsel; if destruction is necessary, secure disposal processes should be followed. Additional remediation activities may include updates to policies, modifications to business partner processes and upgrades to technical infrastructure. Following the incident response, or during implementation of remediation activities, analyses should be completed to identify the strong and weak aspects of the response plan. Any issues discovered during this activity should be used to improve the overall quality and efficiency of the plan, its policies and standards, and the accompanying procedures.
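The preservation steps above (keep the original evidence and a backup copy, and be able to show later that neither has changed) rest on a simple technical control: hash every artifact at collection time, record the hashes in a manifest, and re-verify the archived copies against that manifest. The following Python is an added example illustrating that control; it is not code from the article or from Greenberg Traurig. The two log files it creates and the "ir-coordinator" collector name are constructed for the demonstration, and the manifest layout is an assumption rather than any standard format.

```python
"""Added example: preserving incident evidence with an integrity manifest.

Every collected artifact is hashed with SHA-256, the hashes are written to a
manifest, and a backup copy is verified against that manifest so the team can
show the archived evidence has not changed since collection.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collected_by):
    """Record path, size and SHA-256 of every file under evidence_dir."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(full, evidence_dir),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    return {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def write_manifest(manifest, path):
    """Write the manifest as JSON and return its own hash for the custody log."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_against_manifest(manifest, copy_dir):
    """Return (relative path, problem) for every file that is missing or altered."""
    problems = []
    for entry in manifest["files"]:
        full = os.path.join(copy_dir, entry["path"])
        if not os.path.isfile(full):
            problems.append((entry["path"], "missing"))
        elif sha256_file(full) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed walk-through: collect, copy, verify, then detect tampering."""
    base = tempfile.mkdtemp(prefix="ir-evidence-")
    original = os.path.join(base, "original")
    os.makedirs(original)
    # Constructed sample artifacts (assumed names and contents); real evidence
    # would be log exports, memory captures or disk images taken with write blockers.
    with open(os.path.join(original, "ids_alerts.log"), "w", encoding="utf-8") as fh:
        fh.write("2024-03-02T14:07:31Z ALERT signature=sample-rule src=10.0.0.5 dst=10.0.1.20\n")
    with open(os.path.join(original, "netflow.csv"), "w", encoding="utf-8") as fh:
        fh.write("ts,src,dst,bytes\n2024-03-02T14:07:29Z,10.0.0.5,10.0.1.20,48211\n")

    manifest = build_manifest(original, collected_by="ir-coordinator")
    manifest_hash = write_manifest(manifest, os.path.join(base, "manifest.json"))

    backup = os.path.join(base, "backup")
    shutil.copytree(original, backup)
    clean = verify_against_manifest(manifest, backup)  # a faithful copy: no problems

    # Simulate an accidental edit of the backup copy; the manifest catches it.
    with open(os.path.join(backup, "ids_alerts.log"), "a", encoding="utf-8") as fh:
        fh.write("edited after collection\n")
    tampered = verify_against_manifest(manifest, backup)

    shutil.rmtree(base)
    return {"manifest_hash": manifest_hash, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash of the manifest itself is the value to write into the chain-of-custody log (or have counsel hold), because a manifest that can be silently regenerated proves nothing; re-running the verification against the archived copy at each retention review is what lets the team state that the evidence is unchanged.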
Finally, most significant incidents will require some form of notification to the affected parties. For example, if personal financial or health-related information is compromised or suspected of being compromised, notice to consumers under federal frameworks such as FCRA/FACTA and HIPAA may be required. If other personal information is compromised or suspected of being compromised, state laws may require notice to affected individuals in the states where the compromise occurred or where the individuals reside. In some cases, management will have to consider involving law enforcement for criminal investigation and prosecution. In such cases, with the assistance of legal counsel, the team coordinator should consider submitting a report to the local FBI field office, the US Secret Service, or state or local law enforcement.
Plan Today to Avoid Pain Tomorrow
Your cyber-network is your company’s nervous system; it integrates institutional knowledge with necessary business functions. A cyber-attack compromises its confidentiality, integrity, and ability to securely maintain sensitive business relationships, and could severely damage your company’s brand. A strong incident response plan will help avoid missteps and reduce uncertainty when the organization is confronted with a cyber-security incident. The size of the plan, and the activities associated with it, will be driven by the size and type of organization. But once a plan is in place, an organization will be better prepared to handle cyber-security matters.