Monday, 13 November 2017

Strategies for Surviving a Cyber Attack

Another month, another high-profile attack… or so it seems at the moment.  The latest in the long line was US data firm Equifax – with a breach that affected more than 143 million American consumers.  Even if you aren’t holding that much customer data, how do you recover from a breach like that?

Organisations of all kinds and sizes need to think seriously about cyber security.

As recent incidents at Talk Talk and Equifax demonstrate, poor cyber security and poor incident responses can lead to serious reputational damage.

We All Need to Prepare

If we learnt anything from the WannaCry and NotPetya attacks earlier this year, it is that organisations don’t have to be the target of an attack to fall victim to it.  And other reports have also demonstrated that small businesses are wrong to think they are too small to be a target.

It is important for everyone to have a plan in place.

Your plan needs to be comprehensive and consider, at a minimum, the following elements:

• Assess your risks and your risk appetite (what does a worst-case scenario look like for your organisation?)

• Ensure appropriate security and monitoring measures are in place (if you're not sure what 'appropriate' means then get above the baseline recommended by the Cyber Essentials scheme at the very least)

• Train staff in cyber awareness skills to ensure they understand the risks and act accordingly

• Have an appropriate backup regime (and test it)

• Test your security – platform vulnerability and penetration testing

• Develop an incident response plan (and make sure everyone understands their responsibilities, perhaps through drills and test scenarios)

• When suspicious activity is identified, act quickly to contain it

• Execute your incident response plan, including reporting to relevant authorities, and managing the external messaging

• Restore and return to business as usual

• Capture the lessons learned and feed them back into the plan

Not Only a Technology Issue

It is important to consider not only the technical aspects of your security response plan, but also the “soft skills” involved.

First, make staff aware of the security risks – for example, educate them about good password management, how to spot a phishing attack, how to recognise suspicious problems with web pages, and how to report any suspicious activity.

You will need to dedicate skilled resources to manage your security monitoring tools, including setting up reports and notifications so you can act swiftly to contain and minimise the effects of any attack.

And, perhaps most importantly, you will need to have a communications plan in place. In practice this means three coordinated plans.

One, led by IT or your data protection lead, notifies regulatory authorities such as the ICO. A second, led by your PR and marketing teams, deals with the press and potential reputational damage. And a third, led by your customer service teams, ensures customers and other affected stakeholders are kept informed, as required.

Feeling the Effect of GDPR

GDPR will have a big impact on your communications plan, as it puts increasing onus on organisations to report any data breach swiftly and in full. Not only will you be obliged to notify the regulatory authority, the Information Commissioner's Office (ICO) here in the UK, but also any individuals whose personal data has been compromised during the breach in a way that could affect their rights and freedoms, and any third parties involved.

The ICO has warned UK businesses that they need to be prepared to “Tell it all, tell it fast, tell the truth”.

It is good advice, and advice that many organisations could learn from… which brings us to the final important aspect of recovery from a data breach: the need to learn the lessons.

Continual Improvement

Perhaps failing to learn those lessons is the most glaring failure of the Equifax story; don’t let your organisation share this complacency. If you’ve been targeted once, that does not mean you won’t be targeted again; rather, the reverse.

Take time to learn the lessons, put new tools, practices and policies in place where appropriate, and beef up your monitoring, training, and communication plans.

If you would like help with any of the issues raised in this article – whether process, policy, planning or technology – the Grant McGregor team can help.  Get in touch on 0131 603 7910.

Photo by Štefan Štefančík on Unsplash