January 2018 Issue
Given the scale and speed of technological advances in recent decades, companies are generating more sensitive business data than ever. Though they are storing that data in ways that are beneficial to their businesses, they are also becoming more attractive targets for malicious actors. As a result, the frequency and sophistication of cyber attacks is increasing.
There were 918 data breaches in first six months of 2017, according to Gemalto, up 164 percent compared to 2016. Those breaches resulted in 1.9 billion data records being lost or stolen. The cost of breaches is also increasing. IBM/Ponemon’s 2016 Cost of Data Breach Study found that the average was $7.1m for US companies and $4m globally. Their 2017 study states that the average total cost of a data breach in the UK was £2.48m, and the average cost per lost or stolen record was £98.
Given the rising threat, it is imperative that companies develop the capacity to respond. Where cyber security was once regarded as an issue solely for the IT department, today it is a whole-company concern. Data breach issues are part of what keeps C-suite executives up at night, particularly as cyber security and data protection is now intrinsically linked with so many other elements of a company’s business. Public reputation, share price, customer loyalty and regulatory scrutiny are all potentially connected to cyber security, and a breach can be damaging in a number of different ways. “The most damaging aspect is often a loss of customer confidence and a loss of morale within the workforce of the affected business,” says James McGachie, a legal director at DLA Piper. “Businesses must remain vigilant and never be complacent – the risks of getting it wrong and facing massive fines, claims for damages and class actions should be a sobering thought.”
There have been a number of significant, high profile data breaches this year alone. Companies of all sizes have been found wanting in their cyber defences. From credit reporting agencies to clothing retailers, cyber criminals have gained access to vast quantities of data. Uber, Forever 21, Yahoo and Verizon have been among the most noteworthy recent breaches, with the personally identifiable information (PII) of millions of customers stolen. Data loss of this magnitude has ramifications for customers and for organisations alike. Companies will face considerable regulatory and political pressure and could see their share prices drop rapidly. Significant costs will likely be incurred as companies attempt to remediate the breach. They may also face potential litigation and higher cyber insurance premiums.
It is a case of when, not if, a breach is going to occur and companies should plan accordingly. This requires them to be proactive and agile; attack vectors are evolving as hackers and other cyber criminals become better equipped and more confident. There has been a shift in tactics over the last few years. “Destructive attacks have become a dominant threat, particularly in the form of ransomware,” says William Ridgway, counsel at Skadden, Arps, Slate, Meagher & Flom. “In the wake of ransomware’s explosion, many cyber criminals have moved on to targeted cyber extortions against businesses, armed with more sophisticated malware and demanding steeper payments. These attack techniques have been embraced by cyber criminals because they enable attackers to attack all businesses, not just ones that hold personally identifiable information or other sensitive data. Any business that relies on electronic data to operate is vulnerable to ransomware, which means nearly every business is a target.”
Forty percent of financial firms suffered data breaches in 2017, according to Thales. Of those, 21 percent said they have been targeted on several occasions, and 90 percent feel more vulnerable to attacks, primarily because of a lack of adequate protection. While the technological advances that many companies have benefited from in recent years have facilitated growth and driven return on investment (ROI), conversely they have also emboldened cyber criminals. The rapid pace of change and the advent of industry 4.0, for example, have made it increasingly difficult to guard against cyber crime. As companies continue to embrace new technology, the likelihood of attack increases, notes Mr McGachie. “The growth in internet connectivity through the Internet of Things provides a much larger number of potential points of entry for sophisticated malware – and in some instances wiper-ware – to enter and infect a firm’s networks,” he adds.
Following years of relative inactivity, firms are awakening to the impact of data breaches, principally because they have seen the disastrous effect on other businesses. “Many organisations are underprepared or under-resourced to manage and recover from a serious data breach or other cyber incident,” says Paul Kallenbach, a partner at MinterEllison. “The increase in high-profile global cyber incidents, particularly over the last 24 months, is slowly changing this perception, and translating into concrete action. However, challenges still remain in ensuring that boards have the right expertise to ask the right questions, and have the processes in place to ensure that cyber security is firmly on their regular agenda.”
Soliciting expert advice is just one of the ways companies can prepare for a cyber attack. The emphasis is on companies to reinforce their cyber security provisions and ensure their cyber response plans are comprehensive.
Data breach response planning is no longer a ‘nice to have’; it is mandatory. Companies rely on vast quantities of data, and stakeholders and regulators expect that data to be adequately protected.
However, according to EY’s 2016 Global Information Security Survey, 42 percent of firms surveyed said that they did not have an agreed communications strategy or plan in place in the event of a significant attack. Only 39 percent of companies said that they would make a public statement to the media. Data breach notification remains a contentious topic. In the US, Congress has repeatedly failed to agree on federal data breach notification legislation. Other jurisdictions are making progress, however. In the EU, the General Data Protection Regulation, which comes into force in 2018, includes, for the first time, a broad breach notification requirement which will affect companies operating in Europe (and the US). In Australia, the federal government has also passed the Privacy Amendment (Notifiable Data Breaches) Act 2016 to amend the Privacy Act 1988, which will require breached companies to provide notifications where they have reasonable grounds to believe that an ‘eligible data breach’ has occurred.
But merely having a plan in place in not enough – it must be frequently revisited, tested and updated. “Data breach response plans will be invoked during what is possibly one of the most stressful times for an organisation,” says Brian Lapidus, leader of the identity theft and breach notification practice at Kroll. “For this reason, data breach response plans must be as current and comprehensive as possible. Regular reviews will help ensure plans are continuously taking into account organisational dynamics such as personnel changes, company acquisitions, technical modifications, geopolitical factors and regulatory requirements. Likewise, an effective data breach response plan will outline the roles and responsibilities of those involved, ensuring that individual team members understand the scope of their roles and have the training to be confident in carrying out their duties in the event of a breach incident.”
For the response plan to be fully up to date, the board must take the lead. They must set the tone from the top, ensure the rest of the company buys into the process and prioritise the response plan. “Outside of the US, the lack of mandatory data breach notification laws has led some companies to be complacent in this regard but having a robust and tested incident response plan has a big impact on the outcome of any data breach incident,” says Raf Sanchez, international breach response service manager at cyber breach insurer Beazley. “An incident response plan should be flexible enough to cover any conceivable incident, from a minor accidental data disclosure to a major hacking or exfiltration incident.”
Response plans are an essential tool, though they are often found wanting when activated following a breach. Stress testing on an annual or semi annual basis will help identify areas of weakness, improve response times and protect ROI. When a real breach occurs, the experience and preparation that teams have gained in a controlled test environment can help eliminate shortcomings, confusion and inefficiencies during the real thing. “The recurring issue we have seen with incident response planning lies not with the plan itself, but with the extent to which the response team has meaningfully tested that plan through real-world scenarios or tabletop exercises,” says Mr Ridgway. “These exercises inevitably reveal problems or missing components, and it is vital for a business to iron out those issues before an attack strikes.”
While regular testing is essential, the plan itself must also be well defined. “Key features of a well-structured response plan include internal and external communication plans, template notifications to both stakeholders and regulatory authorities, an agreed chain of command in leading the breach response, and overall ownership in terms of identifying the breach, determining its size and scope and ultimately its containment,” says Mr McGachie.
The response plan should be a ‘living’ document, according to Mr Kallenbach, which tracks recent events at an organisation, be it a data breach or a ‘near miss’. “Other areas which should be covered include a list of members of the company’s data breach response team, a clear definition of data breach reporting and escalation protocols, identification of key data, systems and networks, legal, regulatory and contractual obligations flowing from the data breach, and a procedure for notifying affected individuals,” he adds.
Data breach response teams are a critical component. Waiting until the company has been breached before convening a response team is not an option. Once a breach has occurred, time is of the essence.
The response team should be charged with analysing security breaches and taking any necessary measures. This should happen under the guidance of an incident response manager whose primary duties are to oversee and prioritise the steps taken by the company during the detection, analysis and containment of an incident. The response manager should also convey the special requirements of high severity incidents to the rest of the company.
The response team should comprise a cross-section of company personnel, including legal, privacy and compliance, IT, information security and other relevant individuals from various business units. Companies should also employ external assistance. Outside privacy counsel, computer forensic specialists and a crisis management adviser would also be strong additions to any response team. “An effective incident response team needs to be flexible, and be comprised of members who are expert in their designated fields but crucially who have trained or practised dealing with the issues over which they have responsibility,” notes Mr Sanchez.
Furthermore, communication should the watchword for the response team. Post-breach communication must be handled efficiently and confidentially where needed. Details of the breach, indicators of compromise, adversary tactics and procedures must all be catalogued and communicated so that any compromised systems are addressed. Also, the response team must ensure that malicious actors are not alerted to the fact that the company is ‘on to them’.
The ‘new oil’
Given the vast quantities of data modern companies produce, collect and rely on, it is unsurprising that malicious actors are increasing their attacks. As Mr Sanchez notes, data has been called the ‘new oil’ for companies and is a massive driver for growth. “Data flows at huge speeds in real-time across networks and between data centres and the value of this data is increasing at exponential rates. Just as regulators are attempting to update outmoded legislation from antitrust to privacy laws, so too are criminals and other malicious actors attempting to use this data for their own purposes,” he adds.
While legislators can only hope to keep pace with malicious actors, companies must uphold their end of the bargain. This requires companies to maintain and test their own data breach response plan. They must take action to prevent employee negligence – such as embedding better security processes in the workplace, standardising security policies, employing technology solutions where appropriate and providing regular, ongoing training for staff to eliminate some employee mistakes. Of course, internal threats as a result of negligence or malevolent activity can be hard to guard against and do leave companies vulnerable. According to a 2017 report from Haystax Technology, 74 percent of respondents felt “vulnerable to insider threats”.
In the coming years, data breaches will become more frequent and more devastating. Though companies are taking steps to protect themselves, the threat vectors are evolving. Ransomware, ransomware-as-a-service and DoS attacks have all emerged as serious threats to organisations, and malicious actors will only become better equipped and bolder as the years go by.
As companies continue to embrace new technology, not only will the levels of data produced increase, but opportunities for cyber criminals will also rise. Internet of Things (IOT) products and services are set to become mainstream, paving the way for a variety of new threat vectors to appear, leaving companies even more vulnerable to attack. “Many businesses have not accounted for all of the new types of devices that may be interconnected with their data systems. This opens up a whole host of potential new attack vectors that the company may not even be aware of,” says Mr Lapidus. IOT devices will create a treasure trove of data for cyber criminals. Embarrassing and expensive breaches in the coming years are inevitable as there is no such thing as the perfect cyber defence. What companies can control, however, is their breach response.
© Financier Worldwide