The old data breach proverb, “It is not a matter of if, but when,” has become somewhat cliché in information security circles, but it could not be any closer to that undeniable truth: Necessary preventative measures can only do so much, and companies will invariably be, well, ‘hax0red.'What happens afterward is what will make or break the organization. That is right: A data breach is perfectly survivable. It is just a matter of having that specially tailored, yet malleable, game plan on standby prior to the breach ever being uncovered.
That way, when an executive or business owner gets the dreaded call that there has been a breach, what will be going through their head in lieu of panic?
“Thankfully we planned for this,” John Stewart, CSO of Cisco, says. A data breach is not a unique experience, he adds. “You're eventually going to be hit. It's not worth the effort of thinking you won't be hit. It's no longer a relevant conversation.”
Developing a data breach response strategy requires having a little understanding of breaches, knowing the trends, identifying where the organization could be most vulnerable, and figuring out the best course of action to take upon discovery of the incident.
An incursion does not always involve hacking into a computer and stealing relevant files. Sometimes it is as simple as physical documents containing personally identifiable information (PII) being inadvertently thrown in the trash. Additionally, a data breach can be intentional, such as an employee stealing data for his or her own nefarious purposes – a type of insider threat.
And that, insider threats, are one of the most common vectors for breaches, along with phishing and attacking web apps, Barry Shteiman (left), director of security strategy with Imperva, says, adding that vulnerabilities and other issues in third-party software also enable breaches, most notably in the banking sector, but also on commercial websites and retailers.
Insider threats involve compromising someone on the inside or being that individual on the inside with access to secure information, Shteiman says, explaining that many times lateral movement occurring within organizations is not from hackers, but from disgruntled staffers. In May, for instance, Home Depot began notifying 30,000 customers that an employee had accessed accounts and distributed some of the information – including payment card data – to third parties.
“Phishing bypasses a lot of security because it allows people to lure users, instead of systems, into doing whatever they want,” Shteiman says. “Hackers attacking web apps and getting to the data behind [those apps] – that might be [through] malware.”
At Imperva, Shteiman sees what customers are experiencing and analyzes that data to identify the trends. Of note, he says he observed that some vulnerabilities being used in modern-day breaches date back to 2009. That means, companies are not patching software, enabling attackers to have just as much success taking advantage of old flaws, rather than buying newer and more expensive exploits on underground markets.
Shteiman poses a sobering thought: At least one of those aforementioned breach vectors is probably happening on your network right now.
And Shteiman is not alone. When CyberArk conducted its “Annual Global Advanced Threat Landscape” survey earlier this year, 52 percent of the 373 IT security executives and other senior management from around the world who responded said that they believe an attacker is already present on their network.
Unfortunately, not all organizations have the resources to analyze data internally for the development, implementation and management of cyber incident response plans. For smaller businesses, Stewart encourages aligning with separate groups that can be entrusted with IT security systems. “Use the major organizations that do these types of things,” Stewart says. “I think outside people can be very beneficial.”
Implementing a game plan
Understanding is only one slice of the pie, however. What cogs should be turning when the breach actually occurs?
Shteiman says that the CSO and the CIO should be responsible for implementing the game plan internally and, additionally, should have access to the board, which itself should have a mind set on security since being financially responsible for the organization they have the most to lose. For online businesses, the CTO may be called on to take more of a leadership role, Marc Maiffret, CTO of BeyondTrust, says.
“The CEO should always be involved,” Cisco's Stewart (below) says. “What you need is a decision process, and sometimes that's a two-person process. There should be no ambiguity about final decisions.”
Shteiman agrees, and says it is especially beneficial to just assume hackers are already on the network, malware is already installed, and people are looking at stuff. With that mind, in the early moments of a breach discovery, the focus can be on protecting what is vital.
“You can't prevent water from getting in the front door, but the important assets could be kept dry,” Shteiman says. “The crown jewels of the company should be kept safe. When you map your critical assets, then you can put controls around them. Make sure access controls are there, and auditing is there. You can't constantly be checking over everything [in the organization]. It is too expensive and too large a task to do.”
While technical staffers work on identifying and mitigating the threat, Stewart says that company executives should begin thinking about the customers first, followed by the shareholders second and the employees of the organization third.
Shteiman believes that the CMO should be tapped to handle all public disclosures, explaining the CMO should be adequately prepared to handle crisis communications and protect the brand. Maiffret adds that companies typically forget how big of a role the marketing and PR departments play in a data breach, and that those individuals should be educated on what to say and how to convey information to the public.
When to notify impacted individuals, and the public, has become a controversial topic in data breach response – particularly because customers tend to grow increasingly agitated the longer a company takes to report an incident.
Both Stewart and Shteiman agree that, personally, they prefer to be notified sooner than later, but both say it might not be worth it for an organization to act immediately – particularly if there is nothing relevant to communicate to the public – because it could cause undue concern, as well as hurt the brand.
A delicate balance
“One misstep that some companies make in a breach is their level of openness in explaining the event to their customers,” Maiffret (left) says. “While we live in a time where people want instant and constant updates on any events, it is a balance to be forthcoming and honest with customers, but also having restraint and a willingness to say when there are things that are still unknown and being investigated.”
Further, it is important to keep in mind that breaches are hardly inexpensive. Not even counting the long-term brand-related damage of losing company data or customer information – profits fell 21 percent for Target in the first quarter of 2014 following the well-publicized breach there in late December 2013 – Stewart and Shteiman say that the average costs associated with breaches typically fall in the hundreds of thousands of dollars range, if not more. Target announced last month that its breach may cost $148 million.
Those numbers can be staggering, especially for the little shops, since reports indicate that 60 percent of breached small businesses close within six months. Shortly after being the victim of an extortion-based distributed denial-of-service attack in June, hackers deleted sensitive data from Code Spaces and the young company announced it would not be able to survive the cost of resolving the issue and issuing refunds to customers.
There are a lot of things to do prior to and following the discovery of a breach, but there are also a few things that should be avoided altogether. Never yell or place blame, Stewart says, explaining that it is never helpful for staffers to be called to task, especially when up against something significant. Also, never downplay the breach to the public, Maiffret says.
Survey says: Impact and influence
When asked which cyber attacks or data breaches in the past year had the biggest impact on their business' security strategy:
Survey respondents stated that the following trends were the most impactful in terms of shaping and changing security strategies:
Source: CyberArk, 8th Annual Global Advanced Threat Landscape survey