Management

July 30, 2019 By PC Portal

Nine lessons for strong incident response and recovery in a data breach

Data breaches are rarely out of the headlines, but the recent proposed fines against BA and Marriott will have pushed this risk back to the forefront for many businesses. Like many security threats, breaches are nothing new; we’ve covered this subject on our blog many times in the past.

A data breach can take many forms; it can involve an employee losing a laptop or mobile device that contains data about an organisation’s employees or customers. It might involve a criminal infiltrating IT systems to steal payment card numbers or bank account details. When the data involved is personally identifiable information, the General Data Protection Regulation comes into play. Under GDPR, organisations must report a breach to the data protection supervisory authority within 72 hours. A look through our archives netted us a valuable haul of nine lessons from past breaches that can help to guide you in forming an incident response plan.

Lesson 1: pay attention to security alerts

Let’s start back in March 2014. News of the now-infamous breach at the US retailer Target was still fresh, the breach itself having happened the previous November. It resulted in the loss of 40 million payment card details, as well as 70 million other personal records. The kicker? Not long before, Target had installed a network monitoring tool costing a cool $1.6 million. However, operators dismissed its early alerts, which could have averted or at least mitigated the subsequent breach. Side note: back in those heady days, data breaches were still things that happened to other people. Our blog quoted the security expert Neira Jones, who confidently predicted that a retailer in the UK or Europe would suffer a data breach before long.

Lesson 2: scammers read the news, too

Fast forward to summer 2015 and the high-profile breach at Ashley Madison. The website’s interesting business model – encouraging extra-marital affairs – meant the loss of more than 30 million personal records had an extra sting. Apart from launching a thousand double entendres (we may have been guilty of a few ourselves), Ashley Madison catapulted the issue of data breaches firmly into the public consciousness. As it turned out, that proved to be a double-edged sword. As our blog writer Lee Munson noted, scammers often take advantage of the publicity surrounding a large breach. He warned companies to watch out for “spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts”.

Lesson 3: check password re-use

Later that year, four security breaches came to light in one single week. The victims were Experian, Patreon, and Australian retailers Kmart and David Jones. In our blog, we advised being aware of how information can be used against victims. For example, if someone’s password was compromised in one of those breaches, it’s worth checking whether they use the same passwords on other websites.
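The check described above, as an added example that is not part of the original post or any BH Consulting tooling: it groups a user’s accounts by password digest to find re-use, and it looks each password up in a breach corpus without ever sending the password itself. The lookup follows the k-anonymity range pattern used by the Pwned Passwords API (send the first five hex characters of the SHA-1, compare the remaining 35 locally), but the account list, the range response text and its counts are all constructed here for the example, and the fetch function is an offline stand-in that a real HTTP client would replace.

```python
import hashlib
from collections import defaultdict

# Constructed sample data for this example (not real credentials). The account
# list plays the role of a password-manager export: (site, password) pairs.
SAMPLE_ACCOUNTS = [
    ("mail.example", "password"),
    ("bank.example", "hunter2"),
    ("shop.example", "password"),
]

# Constructed stand-in for a breach-corpus "range" response, keyed by the first
# five hex characters of an uppercase SHA-1 digest. Each line is
# "<remaining 35 hex chars>:<times seen in breaches>". The line format follows
# the Pwned Passwords range API; the counts and the two other suffixes are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E2EC45C05E8D5EA3E5C1A8C3F0A3F7B0F1:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F3D8C2B1A0B9E8F7D6C5B4A3928170F0E1:1\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Split the digest into the 5-char prefix that is sent and the suffix kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: returns the constructed range text, or '' if unknown."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the corpus, or 0 if never.

    Only the prefix leaves the machine; the suffix comparison happens locally.
    `fetch` is injectable so a real HTTP client can replace the offline stand-in.
    """
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def find_reused(accounts) -> dict:
    """Group sites by password digest; keep only digests used on more than one site."""
    by_digest = defaultdict(list)
    for site, password in accounts:
        by_digest[sha1_hex(password)].append(site)
    return {d: sorted(sites) for d, sites in by_digest.items() if len(sites) > 1}


def audit(accounts, fetch=offline_fetch) -> list:
    """One row per account: (site, reused_elsewhere, breach_count)."""
    reused = find_reused(accounts)
    rows = []
    for site, password in accounts:
        rows.append((site, sha1_hex(password) in reused, breach_count(password, fetch)))
    return rows


if __name__ == "__main__":
    for site, reused, seen in audit(SAMPLE_ACCOUNTS):
        print(f"{site:15} reused={reused!s:5} seen_in_breaches={seen}")
```

Grouping by digest rather than by plaintext means the same routine can run over a hashed export; the injectable `fetch` keeps the audit testable offline and makes the privacy property explicit, since the only thing that would ever cross the network is the five-character prefix.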

Lesson 4: check for vulnerability to SQL injection attacks

Soon after, the Hong Kong toy company VTech revealed that an unauthorised party had accessed more than six million accounts. That was enough to make it the fourth largest ever breach to that point – however minor by today’s standards. Possibly the least surprising detail in the story was that the attacker used SQL injection to access the data. Lee Munson noted that even in 2015, this was an ancient and well known attack vector. It is also one of the easiest to close off: parameterised queries remove it, and any basic web application test should find it.
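The vulnerable pattern beside its hardened form, as an added example that is not part of the original post and bears no relation to VTech’s actual code: a login lookup that pastes user input into the SQL text, next to the same lookup with bound parameters, run against a constructed in-memory SQLite table. Two classic payloads are tried against each: one that makes the WHERE clause always true, and one that bolts a UNION onto the query to pull out a column the application never meant to return. The table contents and account names are constructed for the example.

```python
import sqlite3

# Constructed sample table for this example: a toy "parent accounts" store.
# Plaintext passwords are kept only so the extraction is visible; a real
# system stores salted password hashes.
SAMPLE_PARENTS = [
    ("alice@example.test", "hunter2"),
    ("bob@example.test", "letmein"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO parents (email, password) VALUES (?, ?)", SAMPLE_PARENTS)
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """Deliberately vulnerable: user input becomes part of the SQL statement."""
    sql = (
        "SELECT email FROM parents "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email: str, password: str) -> list:
    """Hardened: the statement is fixed and the values travel as bound parameters."""
    sql = "SELECT email FROM parents WHERE email = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


# Payload 1 closes the email literal, adds a tautology and comments out the
# password check. Payload 2 closes the literal and appends a UNION that reads
# the password column instead of the email column.
BYPASS_PAYLOAD = "' OR '1'='1' --"
EXTRACT_PAYLOAD = "' UNION SELECT password FROM parents --"


def demo() -> dict:
    """Run both payloads (and one legitimate login) against both implementations."""
    conn = build_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "vuln_extract": login_vulnerable(conn, EXTRACT_PAYLOAD, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_PAYLOAD, "wrong"),
        "safe_extract": login_safe(conn, EXTRACT_PAYLOAD, "wrong"),
        "safe_legit": login_safe(conn, "alice@example.test", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

Against the vulnerable function the first payload returns every account and the second returns every stored password; against the parameterised function both payloads return nothing, because the database driver treats them as an (absurd) email value rather than as SQL, while a genuine login still works.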

Lesson 5: employee negligence can lead to breaches too

Not all breaches are the work of external miscreants. ESET estimated that 138,000 smartphones and laptops are left behind in UK bars every year. Let’s leave aside some questionable maths in arriving at such an arresting stat. There’s no denying the risk from leaving devices just lying around when they could well hold personal information. That could include passwords, location history, personal photos and financial information. The survey found that two-thirds of lost devices had no security protection. As anyone familiar with data protection and privacy issues will know, encrypting the data on portable devices (full-disk encryption on laptops, device encryption on phones), backed by a lock screen, is now a must.

Lesson 6: a data security breach can seriously harm your ability to do business

Whatever the source, the steady drip of breaches was starting to have an effect. By early 2016, data breaches ranked second on a listing of the biggest threats to business continuity. TalkTalk, victim of a serious breach the previous year, was a case in point. In the wake of the incident, and the company’s ham-fisted attempts at handling the fallout, a quarter of a million customers took their business elsewhere. Not long after, we covered a separate report that found the cost of online crime had tripled over the previous five years. Lee Munson wrote: “a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread”.

Lesson 7: mind your language

All too often, companies that have suffered a data breach are quick to throw about phrases like “sophisticated cyberattack”. But it’s often premature and just downright wrong, when any investigation is still ongoing, and the facts are unclear. “It’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent,” we wrote. Our post carried the headline “Time to remove ‘cyberattack’ from the infosecurity incident response manual?” Our inspiration was the Associated Press Stylebook’s decision to stop using the word cyberattack unless it specifically referred to widespread destruction. As AP lead editor Paula Froke said: “the word is greatly overused for things like hacking”.

That said, positive communication is a key part of any incident response plan. After detailing what word not to use, our post included advice for companies preparing post-incident statements.

  • Deal only in verified facts
  • Avoid speculation
  • Explain the incident in business terms
  • Include details of users or services affected by the breach.

Lesson 8: prepare a security incident response team

By mid-2017, the prospect of GDPR started coming into view, and the need to handle breaches appropriately started becoming clear. Senior management must lead the response efforts. “This is a business issue, not an IT problem,” said Brian Honan, who was speaking at an awareness-raising event. Brian recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from:

  • IT operations (because they know how data storage systems work)
  • HR (because a data breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately)
  • Legal (because GDPR obliges organisations to notify the regulator)
  • PR or communications (because the company will need to deliver accurate messages to external stakeholders, the media, or internal staff as appropriate)
  • Facilities management (because the organisation may need to recover breach evidence from CCTV or swipe card systems).

Lesson 9: test the security incident response plan

The most critical lesson is to develop and test your incident response processes in advance. Speaking at the same GDPR event, Brian stressed that companies shouldn’t wait for a breach to happen before testing how their policies work. “Find out in advance how well your team works when an incident occurs. Carry out table-top exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.

Our trawling expedition proves it’s worth planning for something even when you don’t intend for it to happen. The steps we’ve outlined here should help you to recover from a data breach or security incident faster.

If you would like to evaluate your breach response, see our risk assessment services page for more information. Or, if you need guidance in developing a structured incident response plan, contact us.

The post Nine lessons for strong incident response and recovery in a data breach appeared first on BH Consulting.

Filed Under: Breach Disclosure, Digital forensics, GDPR, IT Security, Management, Risk Management Tagged With: Breaches, Disaster Recovery, syndicated, Uncategorized

November 21, 2018 By PC Portal

Beyond governance, risk and compliance: privacy, ethics and trust

We are currently experiencing the fourth industrial revolution (FIR), characterised by a blurred fusion of all things physical, digital and genomic. Each revolution has been accompanied by a privacy legislation wave, linking its governance to the accelerating pace of change. So we find ourselves in the fourth privacy wave, where technological changes outpace regulation – causing consumer fear and digital distrust, and resulting in strong ethical arguments for aggressive improvements in organisations’ privacy practices.

One of those arguments is consumer trust. The 2017 Edelman Trust-Barometer reveals that trust is in crisis around the world. To rebuild trust, Edelman argues that organisations must step outside their traditional roles and work towards a new, more integrated operating model that positions consumers and their trust concerns, at the centre of the organisations’ activities. Organisations should address data protection not just because legislation mandates it, but because empowering customers to control their data engenders trust, creates shared ‘value’, and wins consumer loyalty.

“The trust dynamic between consumers and organisations is on a knife’s edge, with consumers reporting that the values of honesty and integrity have been eroded when it comes to personal data – leaving them feeling cynical and increasingly unwilling to share their data at all” – Whose Data Is It Anyway? CIM Survey 2016

Although many FIR technologies are positively transforming consumer lives, they still depend hugely on large quantities of consumer data, giving rise to increased personal data sharing. A recent study by Columbia Business School found that 75% of consumers are willing to share their data if they trust the brand and are more willing to do so in exchange for benefits, such as reward points and personalisation – but only if it’s on ethical, fair and transparent terms.

Big data = big ethics?

The more data consumers share, the more an organisation can leverage that data for personalisation and innovation, which leads to increased share value. However, according to Gartner, in 2018 half of business ethics violations will occur through improper use of big data analytics. The exponential growth in adblocking over recent years shows how consumers feel about improper use of their data (with Irish and Greek consumers topping the European average, at over 50%).

Just as consumers are known to share more information when they trust an organisation, the opposite is true with distrust. Boston Consulting Group has found that consumers radically reduce data sharing when they distrust an organisation.

Digital ethics and privacy are one of Gartner’s top ten strategic technology trends for 2019.  It writes: “any discussion on privacy must be grounded in the broader topic of digital ethics and the trust of consumers, constituents and employees. Ultimately an organisation’s position on privacy must be driven by its broader position on ethics and trust”.

Doing rights vs doing right

Shifting from privacy to ethics moves the conversation beyond ‘doing rights’ toward ‘doing right’. This ethical approach to data privacy recognises that feasible, useful or profitable does not equal sustainable, and emphasises accountability over compliance with the letter of the law. In the digital economy, the existence of, and compliance with, regulation will no longer be enough to engender consumer trust.

Organisations need to find ways to let their consumers know that they use consumer data in a law-abiding and ethical manner. Organisations that ethically manage data and solve the consumer-privacy-trust equation are more likely to win loyal consumers who pay a premium for their products and services. For example, Lego has placed the protection of children’s data at the heart of its information protection strategy. It limits integration with social media, shows strong corporate responsibility regarding use of customer data by suppliers and partners, and it forbids third-party cookies on websites aimed at children under 13. Apple, too, mandates that any new use of its customer data requires sign-off from a committee of three “privacy czars” and a C-suite executive.

Sustaining trust

As data stewards, organisations should understand the dynamics and profile of their consumers and the factors that lead to their trust. Organisations can then communicate their compliance initiatives in a way that can more openly nurture and sustain the trust relationship with the consumer.

This in turn will enable them to better design how and where they should communicate their data protection activities to maximum effect. It also results in a more socially responsible and sustainable privacy protection regime for the fourth privacy legislation wave.

Valerie Lyons is chief operations officer at BH Consulting and IRC PhD Scholar at DCU Business School

The post Beyond governance, risk and compliance: privacy, ethics and trust appeared first on BH Consulting.

Filed Under: Data Protection and Privacy, IT Security, Management, Risk Management Tagged With: Privacy, syndicated

March 28, 2018 By PC Portal

Here’s how to get the most from a cybersecurity assessment

Would your organisation pass a cybersecurity assessment? Not one of 200 UK NHS trusts did, after the Department of Health checked them following the WannaCry ransomware outbreak.

The NHS trusts’ complexity meant the assessments set a high bar. But for many SMEs, the assessments identify opportunities to improve, rather than obstacles to overcome. They show an organisation’s current security levels and spot potential gaps.

That’s becoming ever more important as cybercrime continues to rise. One recent survey found that the average SME website is attacked 44 times a day. We also know that many common security attacks exploit well-known vulnerabilities.

The test criteria

To find out what’s involved in a cybersecurity assessment, I asked Stephen Rouine, cyber risk specialist at BH Consulting. Here are some of the common things he looks for when he carries out an assessment:

  • Boundary firewalls and internet gateways protecting the network perimeter
  • Does the organisation scan for malicious URLs and warn users if they visit an infected site?
  • Secure configurations on servers, laptops, or phones. Does each device have antivirus software? Do screens automatically lock themselves if the device is idle?
  • What antivirus software is the organisation using, how is it configured and is it the latest version?
  • Do all users have administrator accounts or privileges on their systems, or are admin rights restricted to the people who actually need them?
  • How does the organisation manage patches for keeping software or operating systems up to date? Is this manual, in-house or does it use a third-party company?

Following the questionnaire and visit, the client receives a report with findings and recommendations of any changes needed. These will address some of the basic security gaps that might emerge during the assessment. For example, they might need to disable the autorun feature that opens a USB key once it’s plugged into a Windows machine. Ideally, users should manually navigate to the USB key before opening any files, and the antivirus package should scan the key’s contents first.

The time commitment

For most SMEs, the on-site visit and questionnaire process takes around half a day. Any follow-up actions usually take a similar amount of time. So, the company can improve its security for a minimal commitment of time and resources. Stephen emphasised that it’s important for senior management to commit to the assessment and certification process.

Once it has met and passed all of the assessment criteria, the company can apply for Cyber Essentials certification. This is the UK government-backed scheme, assessed by independent certification bodies, that growing numbers of organisations are adopting.

The business benefits outweigh the time and cost involved, Stephen added. Reaching the standard will protect the business from many common attacks and compromises. It shows customers and suppliers that the business takes security seriously. “Most of our clients see it as a necessary first stage of getting more secure. In the case of one client, Cyber Essentials allows them to go to tender with UK government agencies, so it opened up their client base,” Stephen said.

It’s also worth pointing out that maintaining security is an ongoing process, not a once-yearly exercise. Threats and risks are changing all the time. Completing an assessment and applying for Cyber Essentials certification puts businesses at the security starting blocks, not the finish line. As Stephen pointed out: “It’s important to state that this check will only prevent basic attacks and security incidents, but it may not be enough to protect from sophisticated intrusions.”

For more details on BH Consulting’s cybersecurity assessment service, visit this page.
The post Here’s how to get the most from a cybersecurity assessment appeared first on BH Consulting.

Filed Under: IT Security, Management, Risk Management, Standards Tagged With: Security Awareness, syndicated, Uncategorized

Copyright © 2021 · PC PORTAL