Many have heard that "it is not a matter of if a company will be attacked, but when." Statements like this used to be met with skepticism: companies would say "we do not have information hackers want," "we outsource our security, so we have no risk," or the IT department would say "it will never happen to us." Over the last few years, however, after a litany of high-profile incidents, there has been a noticeable shift in how companies assess their cybersecurity risks and in the steps they take to lessen the likelihood of an incident and to be better prepared to respond if one occurs. There is no room for doubt: cybersecurity is an issue that executive leadership teams and Boards of Directors must address.
After working with companies to respond to over 750 potential incidents, our advice to companies is to become and stay “compromise ready.” This is easier said than done and involves finding the right mixture of the following elements based on the company’s risk profile and appetite. Companies should also consider how these activities can be conducted so they are subject to the attorney-client privilege and work product protection.
Risk & Security Assessments – If you do not know what sensitive personal information and business data you have, where it resides, and who has access, you cannot implement appropriate safeguards to protect it. When facing a potential security incident, the inability to provide an accurate network diagram and describe the company’s sensitive data flow will complicate the forensic investigation. We often see companies (even large companies with sophisticated IT/IS departments) not able to provide these at the outset of an investigation.
Another good starting point is a security or compromise assessment. Unlike a penetration test, which looks for vulnerabilities that could be exploited, a compromise assessment has a forensic investigation firm look for indicators of compromise to determine whether an attacker has already broken in. This kind of assessment can provide a baseline level of confidence going forward and identify gaps where companies can improve their security measures. Because it is a point-in-time review, the baseline it provides only holds until the environment changes, which is why the exercise is typically repeated.
Some companies choose to start with fixing the biggest potential problem areas first. Examples might include unencrypted portable devices, website privacy policies, text messages sent for marketing purposes, call recording, and data collection at the point-of-sale.
Technology – There are two important areas to focus on here: building defense in depth to keep attackers out, and building detection capabilities to find them quickly when they do break in. Knowing where sensitive data resides and confining it to a segmented environment makes it easier and less expensive to deploy advanced security measures around it. But companies cannot rely on technology to keep attackers out forever, so they have to get better at detection. Mandiant's annual security trends report has identified a median time from break-in until detection of over 200 days. Improvement here can make a big difference, provided the alerts those capabilities generate are actually reviewed and acted on.
Incident Response Planning – A company cannot undo the fact that an incident occurred, but it can still be seen to respond well by focusing quickly on identifying what occurred, stopping it, communicating with affected individuals, providing mitigation services tailored to the incident (credit monitoring, for example, is not always the right solution), and remediating to prevent a recurrence. An incident response plan serves as the flexible playbook that guides the incident response team through these tasks. Part of building the plan should be identifying the law firm, forensic firm, crisis communications firm, and other service providers the company will work with. The plan should be practiced, with the involvement of those external service providers, through tabletop exercises using mock-breach scenarios. Practice helps identify gaps and build the right instincts.
Personnel – Computer networks are set up, used, maintained, and monitored by people, and people make mistakes. Training and awareness will never eradicate all risk, but they can limit preventable issues, help identify incidents sooner, and put the company in a better posture with regulators.
Third Party Service Providers – Companies should conduct due diligence before engaging a vendor, negotiate for appropriate contractual protections (e.g., obligating the vendor to use appropriate safeguards, to give notice of an incident, and to indemnify the company if an incident occurs), and exercise oversight during the engagement. Regulators are looking closely at this area.
Threat Information Gathering – As companies implement defenses, attackers change tactics. One of the most prevalent attack vectors now is phishing and spear-phishing, which is why companies are starting to provide more training to employees on phishing. Companies are also joining threat sharing organizations.
Cyberliability Insurance – Talk to your broker to evaluate adding this insurance or make sure your limits and coverage are appropriate.
Ongoing Diligence – Companies cannot do this all at once. The goal should be to continuously get incrementally better. Having resources dedicated to these efforts (e.g., CISO, CPO) and the right “tone from the top” are important.