Playing Nice: How to Build Trust and Expedite Breach Reporting

Security and trust go hand-in-hand. If one is missing, the other will falter, as we just saw with the TigerSwan breach where the resumes of more than 9,000 U.S. military personnel, many with Top Secret security clearances, were exposed, potentially for most of the year. 

Although the files were unearthed by a security analyst at the cybersecurity firm UpGuard, and attempts were made to notify TigerSwan the very next day by email and phone, the files were not secured until a month later. TigerSwan was not familiar with UpGuard, so the notifications were ignored or flagged as a phishing attempt. If a basic level of trust can help secure breached data more quickly, how does the industry get there? More importantly, how can we speed up the process before the new General Data Protection Regulation (GDPR) and Privacy Shield mandates go into effect next May?

Increased education and awareness

Awareness and experience are often taken for granted in the cybersecurity field, when in reality many professionals do not know how to report a breach officially, or even how to share that information unofficially with others in their organization. To identify an incident and respond quickly, organizations need a documented, multistep incident management and response process that staff can return to and rely on. Such plans usually cover the "must-know" facts and steps for internal incident reporting, but that is often as far as they go. Even though internal reporting is critical, these plans do not always include the external notifications that must be made to authorities when a breach occurs. That step will become even more important once GDPR takes effect, because organizations will then need to report breaches within 72 hours or risk punitive fines.

Continuous Monitoring

Around 2.5 exabytes of new data are produced every day, and the vast majority of it is supposed to be temporary. However, the originator is often unaware that this "temporary" data still exists, whether because of a misconfiguration or an unintended command. The bottom line is that if a company is not aware of its data, it cannot protect it. As months go by, someone else will discover that data, and there is no way to predict what they will do with it. Data classification looks like the ideal way to avoid breaches in theory, but continuous monitoring for potential data policy violations is the ideal countermeasure in practice. A more proactive approach would mandate close monitoring and analysis of activity in real time with more automated tools. Continuous, real-time monitoring of users' behavioral biometrics, such as keystroke characteristics or mouse movements, would shorten breach and threat discovery, enabling institutions to avert or minimize breach impacts.
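The kind of data-policy check the paragraph above argues for, as an added example that is not from the original article: it compares what an organization has registered (what it believes exists, with an intended retention) against what a storage listing actually shows, and flags unregistered data, "temporary" data that outlived its retention, and non-public data that has become publicly reachable. The paths, classifications and dates are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample: what the organization has registered (what it believes exists).
# retention_days=None means the data is intended to be permanent.
REGISTERED = {
    "exports/q1-report.csv": {"classification": "internal", "created": "2017-01-10", "retention_days": None},
    "tmp/recruiting-dump.csv": {"classification": "confidential", "created": "2017-02-01", "retention_days": 7},
}

# Constructed sample: what a storage listing actually shows today.
OBSERVED = [
    {"path": "exports/q1-report.csv", "public": False},
    {"path": "tmp/recruiting-dump.csv", "public": True},       # "temporary" file still present, and exposed
    {"path": "tmp/scratch-2017-03-02.json", "public": False},  # nobody registered this one
]


def check_policy(registered, observed, today):
    """Return (path, rule) findings for data the organization has lost track of or exposed."""
    findings = []
    today = datetime.strptime(today, "%Y-%m-%d")
    seen = set()
    for obj in observed:
        path = obj["path"]
        seen.add(path)
        meta = registered.get(path)
        if meta is None:
            # Data nobody knows about cannot be protected: the article's core point.
            findings.append((path, "unregistered"))
            continue
        if obj["public"] and meta["classification"] != "public":
            findings.append((path, "public-exposure"))
        ttl = meta["retention_days"]
        if ttl is not None:
            expiry = datetime.strptime(meta["created"], "%Y-%m-%d") + timedelta(days=ttl)
            if today > expiry:
                findings.append((path, "temporary-data-past-retention"))
    for path in registered:
        if path not in seen:
            # Registered but gone: inventory drift in the other direction, worth a look too.
            findings.append((path, "missing"))
    return findings
```

Run on a schedule against a fresh listing, the findings list is empty when inventory and reality agree, which is the state continuous monitoring is meant to keep you in.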

Contracts and Trust

As mentioned above, a basic level of trust is essential for success in cybersecurity, but that is often easier said than done. As we saw with TigerSwan, the incident investigation took much longer than necessary because one company was unfamiliar with, and wary of, the other. Information sharing can be difficult, but it is a vital piece of the security puzzle, and companies should build up their own trusted network to ensure efficient communication. One way the industry can address this is through independent, trusted bodies such as Information Sharing and Analysis Centers (ISACs). Cyber threat intelligence (CTI) sharing is another way to distribute information widely without exposing the source.

At the organizational level, companies should draw up contracts with their third-party vendors that contain detailed requirements and therefore protect both parties when a dispute arises. Contracts should serve as the basis for trust, and tools such as privileged access management and log collection can support this by continuously monitoring third-party activity and enforcing the terms of the contract.
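What "enforcing the terms of the contract" with privileged access management logs can look like in practice, as an added example that is not part of the original article: the contract's scope (permitted hosts, accounts, hours and session length) is encoded once, and each recorded vendor session is checked against it. The vendor name, host names and session records are constructed samples, and the log format is a hypothetical one-line-per-session export.

```python
from datetime import datetime

# Constructed contract terms for one third-party vendor, as they might be
# encoded from the written agreement (hypothetical vendor and host names).
CONTRACT = {
    "vendor": "acme-support",
    "allowed_hosts": {"db-replica-01", "ticketing-app"},
    "allowed_accounts": {"acme-svc"},
    "allowed_hours": (8, 18),        # local business hours, start inclusive, end exclusive
    "max_session_minutes": 120,
}

# Constructed PAM session records, one per line:
# "<start timestamp> <vendor> <account> <host> <duration in minutes>"
SESSIONS = """\
2017-09-04T09:15:00 acme-support acme-svc ticketing-app 45
2017-09-04T23:40:00 acme-support acme-svc db-replica-01 30
2017-09-05T10:00:00 acme-support root db-replica-01 15
2017-09-05T11:00:00 acme-support acme-svc hr-fileserver 20
2017-09-06T14:00:00 acme-support acme-svc ticketing-app 240
"""


def audit_sessions(contract, log_text):
    """Return one (timestamp, violated terms) entry per session outside the contract's scope."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, vendor, account, host, minutes = line.split()
        if vendor != contract["vendor"]:
            continue  # other vendors are judged against their own contracts
        start = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        violated = []
        if host not in contract["allowed_hosts"]:
            violated.append("host")          # reached a system the contract never covered
        if account not in contract["allowed_accounts"]:
            violated.append("account")       # used an identity other than the agreed one
        lo, hi = contract["allowed_hours"]
        if not (lo <= start.hour < hi):
            violated.append("hours")         # activity outside the agreed window
        if int(minutes) > contract["max_session_minutes"]:
            violated.append("duration")      # session longer than the contract permits
        if violated:
            findings.append((ts, violated))
    return findings
```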

Come Clean

Only 28 percent of ransomware incidents are reported to the authorities, and many organizations would rather pay the ransom in untraceable bitcoins than be blamed for a hack in the media. This is a sobering statistic. With GDPR on the horizon, though, incident reporting will be mandatory for all organizations that manage personal data or critical infrastructure. The companies that would "rather give blood than information" will face a hard reality very soon. At the end of the day, reporting a breach upfront almost always fares better than keeping it secret. The information is likely to come out eventually, and then the company risks losing the trust of its key stakeholders.

Among other things, GDPR has revealed that more and more countries are concerned with data breaches and an increasing number of agencies are popping up all around the globe to manage and investigate them. However, a level of organic trust needs to be developed amongst cybersecurity experts across verticals so that information sharing comes more naturally and companies can work together to prevent lengthy lapses in detection and shutdown before the reporting phase is even reached.