The harm done to brand reputation after a cyber-attack can be hard to control, so planning a resilient incident response after a breach is imperative.
By Steve Durbin
Every year, we spend more money and time combating the dark forces of cyberspace: state-sponsored operatives, organized crime rings and super-hackers armed with black-ops tech. The attack methods mutate constantly, growing more cancerous and damaging. Massive data breaches and their ripple effects compel organizations of every kind to grapple with risk and security at a more fundamental level.
Recently discovered attacks on government agencies around the world, including a reported breach of the NSA’s own spy-and-hacker unit, have security experts despairing—will we ever catch up to the bad guys? Even more routine intrusions are rarely detected quickly. On average, it takes companies almost 150 days to detect a breach, long enough for significant damage to be done—millions of records collected and sold to the highest bidder, government and trade secrets exposed, passwords stockpiled to be leveraged in future attacks.
The harm done to brand reputation can be long lasting and hard to control. Breached companies are liable for significant restitution to customers and suppliers, face closer scrutiny and higher fines from regulators, and often struggle with a sudden drop in sales or loss of business. The appearance of negligence, repeat attacks or unpredictable fallout from a breach can significantly unravel public goodwill that took decades to build. The trust dynamic that exists amongst suppliers, customers and partners is a high-profile target for cyber-criminals and hacktivists. The Sony breach is a fascinating example of the myriad ways a breach can turn nasty for even the most established brand. The 2016 election season has been similarly tainted by hacktivists and leaked emails.
Take It to the Board
Information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cyber-security: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies. Cyber-security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.
Cyber-Resilience Is Crucial
Every organization must assume they will eventually incur severe impacts from unpredictable cyber-threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses. Business, government and personal security are now so interconnected, resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems (e.g., supply chains, social and healthcare services, and customer cohorts).
I strongly urge organizations to establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of experienced security professionals (employees, investors, customers and others), should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.
Today’s most cyber-resilient organizations are appointing a coordinator (e.g., Director of Cyber Security or a Chief Digital Officer) to oversee security operations and to apprise the board of its related responsibilities. The new legal aspects of doing business in cyberspace put more pressure on the board and C-suite. For example, an enterprise that cannot prove compliance with HIPAA regulations could incur significant damages even in the absence of a breach, or face more severe penalties after a successful attack.
Cyber Insurance for Privacy and Compliance Protection
Data breach liabilities are spreading swiftly. As a result, more organizations are purchasing cyber insurance, which has become a viable option for a wide range of organizations and industry sectors.
Growing concerns about privacy and regulatory exposure are key motivators for acquiring cyber insurance. Healthcare and financial institutions commonly acquire cyber insurance due to the enormous volumes of highly sensitive customer data they handle. Recently, I have seen players in a number of new industries, such as manufacturing and supply chain, purchasing cyber insurance due to regulatory concerns.
It’s important to remember that insurance is no replacement for sound cyber-security and cyber resilience practices. In fact, robust practices that are compliant with industry standards can often reduce insurance premiums. Examine the fine print—many policies do not cover state-sponsored attacks and may not provide you with the full financial cover you seek. Each class action lawsuit over data breach damages prompts changes in case law precedents insurance policies.
Supply Chain Security
The supply chain continues to stand out as an arena where information security is lacking. Supply chains are the backbone of today’s global economy, and businesses are justifiably alarmed about managing major supply chain disruptions. A World Economic Forum report, “Building Resilience in Supply Chains,” indicates that significant supply chain disruptions reduce the share price of affected companies by as much as seven percent on average.
Businesses must focus on the weakest spots in their supply chains now. Not every security compromise can be prevented beforehand, but being proactive now means that you— and your suppliers—will be better able to react quickly and intelligently when something does happen. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.
We no longer hide behind impenetrable walls, but operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.
Here is a quick recap of the next steps that businesses should implement to better prepare themselves:
*Re-assess the risks to your organization and its information from the inside out. Operate on the assumption that your organization is a target and will be breached.
*Revise cyber security arrangements: implement a cyber-resilience team and rehearse your recovery plan.
*Focus on the basics: people and technology
*Prepare for the future: to minimize risk and brand damage, be proactive about security in every business initiative.
The ISF offers organizations of all sizes an “out of the box” approach to help assess cyber risk versus reward through strategic, compliance-driven, and process-related approaches.
The ISF’s Standard of Good Practice for Information Security (the Standard) is a comprehensive and current source of information security controls, used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from global member organizations, trends from the ISF Benchmark, and major external developments including new legislation.
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.