Stephen O’Boyle, Global Head of Cybersecurity and Information Resilience Services at BSI explores how organizations can prepare for a cyber incident.
Across the globe, organizations are adapting their working structures, staggering teams in the office (where possible) or working from home to adhere to current government health guidance on physical distancing and employee wellbeing.
This hybrid working model, a mix of office and home, presents a range of challenges, most notably around cybersecurity risk if left unmanaged. Risks in this scenario are primarily based around loss of visibility of employee activity and data, employee susceptibility to phishing attacks, and employees using shadow IT.
Hybrid office and Shadow IT concerns
Research by the cybersecurity and information resilience team at BSI shows that almost half of all organizations are unprepared for the implications of ‘shadow IT’ on their business in a hybrid office scenario. Shadow IT is when an employee uses an unsanctioned cloud service, device or piece of software for their work, which often increases the risk of a data breach. In the rush to enable remote working, IT teams may have put solutions in place that did not go through the normal security governance lifecycle.
We are witnessing cybersecurity risks and threats mounting daily. Working from home may be causing additional employee fatigue, leaving potential for poor judgment when it comes to identifying risks and deciding whether to click on a potentially malicious link or attachment. The lack of governance and the haste to empower remote users creates opportunities for hackers, as traditional security mechanisms can often be absent.
How to prepare for a data breach
There are six stages of a data security or data privacy breach that SMEs should follow to detect and manage a breach, remediate it, and emerge with an enhanced state of information resilience:
1. Preparing for a data breach
An incident response plan should define the roles, responsibilities and activities that need to be carried out if a data breach occurs.
The list below is a useful preparation guide:
- Maintain an up-to-date risk register of information security risks covering all assets
- Implement security tools to detect potential breaches
- Understand and document the scope and coverage of those security tools
- Have a defined incident response plan, with actions defined for when a breach is detected
- Document the parameters that will determine the severity of a breach and its potential impact on the business and on affected individuals
- Have plans to alert key stakeholders, management, partners, authorities and clients
- Create playbooks for the most common breach scenarios, and use cybersecurity awareness programmes to ensure employees understand the threat landscape and are trained on what malicious activity looks like
- Prepare templates to capture key events and activities as they occur during the incident
- As part of business continuity planning, carry out a business impact assessment covering all services and systems, so that the priority order is already known if multiple systems are breached
- Assess how cybersecurity aware your organization is: do you have a security governance structure, and is it outsourced or in-house? Ensure that patching is up to date so that known functionality issues are fixed, that vulnerabilities are continually scanned for and managed, and that staff are trained on cyber-criminal activity and the techniques criminals use in social engineering.
2. Identifying a data breach
The ability to respond to a security event, detect a security incident and then identify that a data breach has occurred depends on how well a team has configured its security tools to detect malicious activity and alert as appropriate.
3. Contain and eradicate the data breach
Isolate the incident and ensure no further vulnerabilities are exploitable. Once a team has identified that a breach has occurred, the next step is to stop any further egress of data and ensure that any potential vulnerabilities have been removed.
Ensure security protocols are in place and remediation can be established so that the organization can return to business as usual. To carry out containment and eradication, the team should follow established best practice: a defined set of instructions that ensures the right steps are taken in the correct order, so that the breach is contained quickly, the relevant authorities and stakeholders are informed, and evidence is collected. If no such plan exists, one of the first things an incident response team should do is define a plan and identify a course of action (CoA) to contain and eradicate the breach.
4. Recovering from a breach
Recovery from a breach is possible, and returning operations to business as usual is the aim. After a breach has been contained, consider the best way to restore assets and protect the network to prevent future security breaches, and focus on the measures needed to rebuild consumer (and/or employee) trust in the brand or its products.
5. Post incident review
Undertaking a post-incident review allows an organization to understand each part of an incident in detail, including the key decisions, remediation steps and actions taken. A good post-incident review exposes the network or technical vulnerabilities, internal control weaknesses, policy issues or human error that may have led to or exacerbated the compromise, or that affected the ability to contain, eradicate and recover efficiently.
6. Lessons learnt due to a data breach
One of the best ways to understand how data can be protected is by reviewing the lessons learned from previous incidents. A key step is to perform a ‘root cause analysis’ to determine how the incident occurred: whether it was due to a human failing or to a system failure such as a misconfiguration or a zero-day vulnerability. A zero-day attack is a software-related attack that exploits a weakness that the vendor or developer was unaware of. Once the root cause has been identified, the underlying issues can be resolved. Irrespective of whether staff are working remotely or in the office, organizations need to be prepared for data breaches at all times and have protocols in place.
To better understand why and how a data breach occurred, it is necessary to reflect on two intrinsically linked components: the human element and the technical element.
Inadequate management or configuration of the technology stack increases the risk of an information security breach, and when combined with unpredictable human behaviour, attackers are presented with almost perfect opportunities to exploit weaknesses and cause a data breach.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance.