Originally published in Commercial Risk
Organisations of all sizes and across all industry sectors are becoming targets of cyber criminals. Attacks are becoming more frequent, more sophisticated and with dire consequences. A focus on mitigation is vital and requires an incident response plan.
In South Africa, the Cybercrimes and Cybersecurity Bill, introduced to parliament in February 2017, aims to consolidate offences relating to cybercrimes, as well as to create new cybercrimes and offences to bring South Africa in line with relevant international conventions and model laws.
Specifically, the Bill introduces a reporting and preservation of evidence obligation for electronic communications service providers (as defined in the Electronic Communications Act 36 of 2005), as well as financial institutions (as defined in the Financial Services Board Act 97 of 1990).
An electronic service provider or financial institution, which is or becomes aware that its computer systems are involved in the commission of any offence (as set out in Chapter 2 of the bill), “must without undue delay … and not later than 72 hours after having become aware of the offence”, report it in the prescribed form and manner to the South African Police Service and preserve information of assistance to the investigation. Failure to comply may result in a fine of R50,000.
In assessing risks, two questions should be asked – firstly, what security protocol or programme is in place and, secondly, what incident response plan is in place. The primary objectives of an incident response plan are to mitigate and manage potential cyber security breaches (both in relation to the organisation and to its clients and customers), to increase confidence of clients and customers and reduce any liability for the organisation. Incident response plans can take a variety of forms and there are no mandated requirements; each organisation’s incident response plan should be tailor-made. A non-exhaustive list of considerations to bear in mind includes:
Evaluate and prevent
Conduct an IT risk assessment by data and network mapping to determine what data, intangible assets and devices your business holds and their value. It is also important to gather threat intelligence on a regular basis. Any gaps in protection, IT or otherwise, should be remedied. If not already in place, consider the need for the development of internal cyber security policies and procedures addressing, among other things, key security controls, the process for reporting breaches, remote rules, controls around using personal devices and social media use. Understand your data protection and other legal obligations.
Engage with the board and seek authorisation for the development of cyber security protocols, necessary resourcing and a budget for implementation. Set up an incident response team (with backups), including IT, legal, PR, HR and board. Consider whether to specifically appoint a chief information security officer, who would act as the team leader in the event of a breach. Draft a clear data breach incident response plan which will be initiated on the occurrence of a breach, whereby the pre-approved incident response team will be alerted and follow clear protocols to remedy the breach, minimise loss and preserve evidence.
Scenario test at the outset and at regular intervals, ideally by having security drills where the plan is put into action as if a breach was happening. Any flaws with the plan can then be identified and remedied. Distribute company policies on cyber security and response to all personnel. Regularly update all documents.
Mandatory training to personnel should be given at regular intervals, updated to reflect changes in any company policies or the incident response plan. Clear employee reporting channels should be set up and communicated.
Common shortfalls in incident response plans
Many organisations fail to integrate response plans across all business units and locations. Plans do not always take into account the most effective ways to manage incidents across the whole business. Plans should not be developed in silos and best practices and knowledge should be shared across all locations. Incident response plans easily become outdated and are often too generic. They should be constantly evaluated, tested and updated. Specific guidelines for identifying and categorising events, as well as the suggested actions, should be included. The decision making for how to respond to an incident is often left to one or two key people – this can result in a failure to implement and make decisions timeously if the responsible person is unavailable or lacks capacity to deal with the incident immediately. Decision making and escalation should accordingly be spread across the whole business.
A data breach, whether from a cyber intrusion or the loss of a device, can be a challenge for any organisation. However, in tandem with adequate IT security, the best defence is to be prepared for a breach so that the response can be quick and effective.