Steve Durbin, Managing Director, Information Security Forum
Data breaches are happening more frequently, compromising larger volumes of data than ever before. We seem to hear about new data breaches every day. The number of compromised records grows, while organisations are subjected to larger financial penalties, stronger legislative and regulatory scrutiny, and tangible reputational damage. For organisations that suffer a breach, responding in an intelligent and confident manner is critical.
Given today’s connected landscape, how can organisations protect themselves and their customers, while safeguarding or even increasing business value? Moreover, what are some of the obstacles they must overcome around data breach prevention and response?
Preventing the Next Data Breach
Data breach prevention is based on the premise that it is possible for an organisation to increase an adversary’s ‘work factor’ to such a degree that malicious activity becomes unprofitable and attackers move on to easier targets. Basic technical preventative measures are popular because they scale easily and are more reliable than employing a person for the same task.
There are a wide range of motivations for malicious actors, and without investment in measures such as threat intelligence, an organisation could easily spend too much or too little time and money on prevention. Some organised criminal groups have capabilities equal to nation state intelligence agencies and will be capable of overcoming nearly any private sector attempts at information security. Their ability to operate globally, to reach an ever-increasing range of targets, also continues to improve.
Supply chain security always rises towards the top of the discussions I have, and it is clear that weaknesses here are prevalent and persistent. Oversights in managing third parties, and the complexity associated with managing what can be many thousands of suppliers, is often beyond the ability of any individual or department to fully handle.
The Information Security Forum (ISF) has looked at supply chain security and offered guidance such as the Supply Chain Assurance Framework (SCAF) to assist our members in the procurement phase of a supplier relationship. These basic measures address the initial element of complexity, but not all procurement will be done with such rigor, and poor supplier security will continue to result in regular data breaches.
Responding to a Data Breach
Many organisations realise that incidents will occur regardless of the precautions they’ve taken, so seek to respond to breaches in a resilient and professional manner. But, these capacities can often be lacking, and the resulting disorganisation damages customer trust, brand value and ultimately, reputation.
Responding well is more difficult than prevention and detection because it forces interaction between a wider range of internal and external stakeholders such as shareholders, customers, vendors and regulators. This can create significant coordination and communication problems, and these interactions take place in a high-pressured and time-poor environment where the commercial and professional stakes are high, but tolerance for error is low.
So how can information security demonstrate business value when responding to a data breach, and what are the key organisational capabilities to have in place – technical, procedural, people and political? Follow these three simple steps:
• Develop a Plan
• Practice the Plan
• Respond Decisively
Managing Your Message
Due to today’s 24/7 news cycle, it is nearly impossible for organisations to control the public narrative of an incident. Responding to unwelcome information released on someone else’s terms is a poor strategy, and a defensive posture plays poorly with customers whose personal details have just been compromised.
Preparation is essential. For example, this can be done through inter-departmental scenario planning which tests the organisation’s media and customer response strategy. Creating and testing response plans may also attract interest from senior management, particularly if their organisation, or a competitor, has suffered an incident where they suffered reputational damage. This is an opportune moment to demonstrate the business benefits of a coherent response plan.
Messaging should be about creating transparency, within the organisation and with the public. The organisation should be seen communicating in an ethical and trustworthy manner. This is not a time for using communication as a PR opportunity or attempting to pull the wool over people’s eyes. Nor is it time to pull down a veil of silence. Communicate effectively throughout the incident (and afterwards) in an honest and transparent manner about the breach, the impact, what you are doing to address the impact of those affected.
Data breaches have become a regular feature of modern life, and one that will have affected most of us by now. This will continue as long as efficiency and ease of data access trump security, a state of affairs which makes economic sense for many organisations, at least until they suffer their own data breach. Once a breach happens, the value of security as a business enabler becomes clearer.
The real difficulty lies in acknowledging that breaches are inevitable, and that resources invested in advance can pay dividends when a crisis occurs. It takes maturity for an organisation to recognise it cannot control the narrative after a breach becomes public, and that leadership involves being honest and transparent with customers to maintain credibility in difficult circumstances.
A robust data breach response includes developing a plan, regular scenario planning, taking decisive action and managing the message. These actions will involve a wide range of internal stakeholders, and may involve the services of external crisis management and media experts. Once a breach happens, swift decision-making requires accurate data. Organisations need to take stock now in order to ensure that they are fully prepared and engaged to deal with these ever-emerging security challenges, before it’s too late.Read more: The Next Generation of Assessing Information Risk
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
This article is brought to you by Enex TestLab, content directors for CSO Australia.