For years, the security ecosystem has been in response mode. When an attack happens, the common reaction centers on damage control or applying security band-aids, and it rarely happens quickly. With the average data breach set to cost organizations $150 million by 2020, security teams need to act quickly and efficiently, focusing their limited resources on the most critical and emerging risks.
The classic security approach simply won't work, given that many of today's attacks still leverage well-known vulnerabilities: flaws that have been documented, for which patches are available, and which can therefore be prevented. In fact, recent data shows that only 1 percent of data breaches stemmed from a zero-day attack, meaning the other 99 percent could have been prevented. WannaCry and Petya are great examples: two of the biggest ransomware attacks of 2017, in which attackers exploited vulnerabilities for which patches had been available for months. On top of that, the average discovery-to-notification timeframe is 29 days, which shows that we have a long way to go to meet the reporting requirements of compliance frameworks like GDPR.
The clock is ticking and security teams must work faster than the cybercriminals who are hoping to exploit any exposed weaknesses. While there's no hard and fast rule, here are some quick guidelines security teams should keep in mind to better prioritize and improve response speed.
Don't skimp on basic security hygiene and training
Companies today can't afford to be reactive. To holistically protect their data, and the data of their customers, they can't keep putting off basic security hygiene, such as deploying patches on a scheduled, timely basis and enforcing policies on passwords and interactive login use. A strong policy on interactive account use and passwords is a tried and true cybersecurity best practice that organizations consistently fail to enforce. One way to improve this is by establishing clear cybersecurity guidelines and providing regular employee training that reiterates the key messages of the policy. This training should be given as part of the new-hire orientation and onboarding process, and it should be continually reinforced so that employees are encouraged to stay up to date on the latest policies, procedures, and compliance regulations.
Implement continuous, real-time visibility
Taking a continuous, real-time approach is the only way organizations can stay proactive in fighting threats. This means analyzing the complete picture and uncovering patterns and relationships between security events, rather than focusing on fighting daily fires or one-off incidents.
This is especially important when it comes to Article 33 of GDPR, which requires a data breach to be reported no later than 72 hours after the organization becomes aware of it. It also lists the following reporting requirements:
● Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
● Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
● Describe the likely consequences of the personal data breach.
● Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Reporting this information within the 72-hour window is only possible if you have full and unobstructed visibility over all your devices and the data they contain.
Build an effective incident response plan
Incident response (IR) plans provide companies with a clear set of guidelines for limiting damage and reducing recovery time and costs after a cyber-attack. The goal of an IR plan is to test a company's ability to respond to a security incident. Unfortunately, most companies fail to take advantage of these benefits. According to a recent study conducted by the Ponemon Institute, 77 percent of respondents still lack a formal cybersecurity incident response plan (CSIRP), and half of the companies that had plans in place described them as “ad hoc” or informal.
It can be daunting for organizations to get started with incident response, but here are a few examples of documentation that I suggest be required as part of the IR plan:
● Create a non-disclosure template and procedures
● Draft communications response templates
● Set up procedures for securely storing and communicating all data or documents created through incident validation or the data incident investigation
● Identify the Data Incident Response Plan Committee members. These are the people who would get the initial call to participate in either incident or breach workflows
● Identify roles and responsibilities for all individuals
● Build incident validation procedures
● Establish a third-party investigations contact for support. They live and breathe incidents and can provide guidance to internal teams.
● Prepare a call tree list: a continuously maintained set of names and contact information for all individuals who should be notified of or involved in the investigation, along with the best method for contacting each of them
● Build network diagrams
● Design detailed application data workflows
Balancing the needs of the business against its exposure to threats is one of the hardest things for companies to do. Starting with a full risk assessment can help a company uncover any weak links and evaluate its overall security posture. From there, organizations should create a flexible security strategy and establish a process for dealing with incidents quickly and effectively.