There are two types of organisations: those who have had a cyber breach and those who don’t know they have had a cyber breach. Despite the headlines about Ransomware, Bank Transfer Frauds and other major cyber-crimes, and reports of fines given out by the ICO and European counterparts, these stories barely scratch the surface. Cyber breaches are much more prevalent than reported. Why? Firstly, because many companies do not monitor their networks effectively enough to know they have been breached; and secondly, if there is not a statutory obligation to report, many organisations do not.
In a recent worldwide survey sponsored by ISC2 – CyberEdge’s annual Cyberthreat Defence Report - 81% of organisations declared they had suffered a successful cyberattack last year, with a record 62% saying they had been compromised by ransomware. 58% of ransomware victims paid ransoms last year but a third still failed to recover their data. The USA reported just under 70% affected by ransomware, while the UK was at 55%. I believe that this points to a large untapped market in the UK and think we are likely to see an increase in attacks over the next 12 months. Ransomware attacks will increase in Europe and the UK, building upon their huge success in extracting money from businesses and organisations in the USA.
Perhaps even more shockingly, according to Check Point Software Technologies recent mid-year review, 80% of ransomware attacks in the first six months of 2020 used vulnerabilities reported in 2017 and earlier, and more than 20% of the attacks used vulnerabilities that are at least seven years old. This clearly shows there is much more education and awareness raising required. Not enough organisations are doing the fundamentals to protect themselves or understanding the risk involved from failing to get the basic cyber security steps right.
Law firms are a particular target as they hold large amounts of very sensitive data, bringing together information from many high-profile people and organizations that would be both difficult, and time consuming, to target one by one.
In 2020 alone, an alternative legal services provider was closed down for nearly a month by a ransomware attack while several other law firms have seen their data exfiltrated, held for ransom, then leaked to the public—including sensitive client medical records.
In very simple terms, there are four things you need to do:
- Ensure you are not vulnerable to attack by keeping your devices, software and systems up to date.
- Keep an off-line backup and regularly carry out test restores to ensure it is working properly. An off-line backup is one that an attacker cannot access in the cloud or via your system. Consider employing a 3-2-1 strategy to backing up your data: three copies of your data which includes two backups on two different storage mediums, with at least one of those being offsite and offline.
- Monitor your network, so that you can detect when you have been attacked, keeping logs for months rather than days (30 days is not enough)
- Have a plan for when things go wrong, as they inevitably will, and exercise that plan to make sure it works.
Cyber security incidents have a huge impact on an organisation in terms of reputation, cost and productivity. Effective incident handling when you are in the media spotlight will go a long way to reduce the negative impact on your reputation. Being able to detect and quickly react to incidents (because you have exercised scenarios beforehand) helps prevent the attacker from inflicting more damage and therefore reduces financial and operational impact.
You need to have the appropriate policies, procedures and personnel in place to deal with an incident as well as having carried out an assessment of the business risk. As the UK’s National Cyber Security Centre states, 1 in 10 organisations don't have an incident management plan. If you're one of these organisations, then you should do something about it right now. And don’t think you can exercise without a plan already in place – you could write the conclusions without testing anything.
The classic day and time for an incident is a Friday late afternoon (WannaCry, the worldwide Ransomware attack in May 2017 that so badly affected the NHS was one I remember all too well). This causes problems with availability of both staff to tackle the problem and decision makers. So, it is vital to have an accessible document which stipulates what role individuals are expected to play in their organisation’s response.
This incident management plan should explicitly state who has the devolved responsibility and authority, as well as what this authority covers (especially important for outside of normal working hours). Most importantly, it should detail who the “lucky” person is who should represent the organisation to the media. The document should also describe who needs to be informed and when, depending upon levels of severity and escalation paths.
The plan should also detail who will be part of the incident response team and who are the reserves. This might include the IT team, your outsourced provider, internal or external PR specialists, HR, internal or external legal advisors, internal or external cyber security experts and senior decision makers. Make sure you have secondary contact details for all of them (not just work email and phones).
You should try to map out an escalation path based upon the severity or priority of an incident. The severity level will inform how quickly the incident needs to be dealt with and who it should be escalated to. As with any other business crisis, you do not want the head of the organisation woken up in the middle of the night every time something goes wrong.
In those cases where there is a successful external attacker or a malicious insider, consider this to be a high or critical severity incident and respond accordingly. This type of incident is likely to always require input from top decision makers in the organisation. A low priority incident should be ok for the IT security team to deal with on their own. You should record contact names and numbers (including out of hours) of who to escalate to and how quickly the escalation needs to occur.
Part of the plan should cover guidance around key decisions that may need to be made such as whether a regulator (such as the Information Commissioner’s Office) needs to be informed, will an external advisor be required (and paid for) and who will decide whether part of the network or website needs to be taken down to contain the problem (and who will carry this out). All big decisions with costly implications if you get them wrong.
Draw up some checklists to help you work through things systematically, in the heat of the moment or in a crisis that runs for many days, it is easy to forget an important step. Make sure you detail how to capture digital evidence so that it can be used as evidence with law enforcement, insurers and/or regulators.
Of course, the best way to find out if your plans, processes, escalation paths and devolved responsibility thresholds work is to exercise the incident management plan. If there is any chance you might be one of those called upon to be involved during a live incident, you should be involved in an exercise. Plan to do this together with your operational staff as this will often highlight issues around authority for critical decisions. For instance, who makes the decision about whether to pay a ransom? This is typically not going to be the head of IT or the CISO acting on their own.
One key area to exercise is managing communications. You may have a separate communication plan, or it may be part of your incident management plan (covering both internal and external communications). Managing the media when the news of a security breach has already gone viral and is being shared by your customers on social media channels is a really testing scenario, but one worth exercising.
Testing cyber resilience through structured crisis management exercises is a requirement of any well managed organisation and regulators now consider it to be a fundamental part of corporate risk management. This means that senior management needs to be prepared and practiced in responding to cybersecurity crisis incidents. Taking part in simulation exercises is a very good way of achieving this. In fact, any staff with incident response responsibilities should be properly and regularly trained. And you should aim to test your incident response plan at least annually at a minimum.
Regulators, such as the ICO for GDPR, make it clear that responsibility for incidents or data breaches sits with the organisation and not an individual. The top team is ultimately responsible for any cyber security incident as the group with a governance role. Regulators will look very unfavourably on any organisation that tries to blame a specific worker.
Getting buy-in and participation in incident response planning and exercises from the top team can be difficult if the risks are not well understood, so some awareness training may be needed before engaging them in an exercise.
Wake up and smell the cyber threat
In conclusion, wake up to the fact that you will be impacted by a cyber breach at some point, check if you have an Incident Response and Incident Management Plan (if you haven’t, create one very soon) and ensure you exercise that plan at least on a yearly basis so that the key people, processes and policies can be put through their paces in a safe environment and not be subjected to a first-time run during a live incident. Yes, it can be a chore – but avoiding it simply isn’t worth the risk.
This article was first published on 02/10/20 in Computers and Law here.