In business, a guaranteed way to make a problem worse is not to take an appropriate level of responsibility for it. This is especially true when attackers strike and steal a company’s data.
The headlines are littered with stories of companies that suffered a cybersecurity incident and drew criticism for their handling of the issues. When a UK telco lost 157,000 customers’ personal details to hackers in October 2015, it was criticised for poor communications over the incident, lost 101,000 subscribers and spent £42m fixing things. Then the ICO fined it £400,000 for inadequate security measures.
That pales in comparison to a recent credit agency breach, which saw at least 143 million people’s details fall into the hands of hackers. Critics called out the firm for a delay of more than five weeks before revealing the breach, and setting up a breach notification website that asked for users’ sensitive information and was so badly configured that OpenDNS blocked it as a phishing site.
Mistakes like these can tank a company’s reputation, if not its finances. Senior management must do three things to prepare themselves and avoid this problem:
Create a comprehensive security policy, including an incident response plan so that the company is ready to respond quickly and competently should the worst happen.
Confirm its importance with buy-in from senior management.
Communicate it to the workforce.
Create a policy
A security policy is the first line of defence against attackers, and outlines the procedures involved in protecting systems and data. It folds people and technology together, ensuring that employees and contractors understand how to use computing systems responsibly and safely.
A policy will often include categories like acceptable encryption, acceptable application use, password protection and data transportation. It will also incorporate other, less obvious components like a clean desk policy, and processes for disposing of paper documents (no sensitive documents in the dumpster).
A competently written and well-communicated security policy can dramatically lower the chances of compromise, but attackers only need to be lucky once. If they find their way in and a company suffers a data breach, the second line of defence kicks in: its incident response plan.
An incident response plan is a crucial part of any security strategy. Just as first responders know exactly what to do and how during an emergency, an incident response plan takes key personnel through the necessary steps to contain and eradicate a cybersecurity threat, recover from the disruption, and remediate the damage. There are several authoritative guides to creating one.
In the UK, the cybersecurity non-profit CREST publishes a detailed guide to preparing a cyber security incident response plan. In the US, the National Institute of Standards and Technology publishes an excellent guidance document, the Computer Security Incident Handling Guide (SP 800-61), which covers each stage of the process from preparation through detection, containment, eradication, recovery and post-incident review.
The industry resources for creating these plans exist, but companies are often behind the curve in their preparation. Only 48% of respondents to the NTT Security Global Risk:Value report had an incident response plan, with most of the rest at varying stages of designing or implementing one. A further 10% of companies either did not know whether an incident response plan existed or knew that they had failed to prepare one.
Confirm the policy’s importance
These plans are important because they enable an organisation to take ownership and responsibility in the event of a data breach. They’re the difference between fast, efficient recovery, and slow, painful attrition. They help mount a carefully-orchestrated, competent response and avoid a disorganised, knee-jerk reaction that leaves customers confused and angry.
A security policy is akin to Frankenstein’s monster. It takes skill and expertise to stitch together, but it is useless unless senior management breathes life into it. An effective board will put its weight behind this policy and communicate it to the rest of the company.
Incident response is a multi-disciplinary effort that needs sponsorship from the highest level of an organisation. When a company suffers a breach, speed and authority are essential: key team members must be empowered in advance to take decisions and get things done without waiting for sign-off in the middle of an incident.
That sounds great in theory, but it doesn’t often happen in practice. 73% of the 1,350 international non-IT decision makers surveyed for NTT Security’s 2017 Risk:Value report believed that preventing a security breach should be a regular item on the boardroom agenda. Only 56% said their boards actually discussed it regularly, though, and 44% of companies had not yet implemented a full security policy.
Communicate the policy to employees
How can CISOs ensure that an incident response plan succeeds? Start by communicating it. Even among the relatively small proportion of companies that had implemented such a plan, just 47% of respondents said they understood what was in it.
The incident response team may be a small subset of the workforce, but everyone on it must understand the plan, know their role in it, and be ready to execute it; the rest of the workforce needs to know, at minimum, how to recognise and report an incident.
A robust security policy and incident response plan are excellent foundations to prepare a company for cyber attacks, but it takes more than mere shelfware for true protection. CISOs must make these plans and policies living, breathing documents that permeate their company’s culture. That’s an excellent project for 2018.
Sourced by Stuart Reed, senior director, NTT Security