By Dr Sandra Bell, Head of BC & ISDG Consulting (Europe), Sungard Availability Services
Not a week goes by without a cyber-incident hitting the press. TalkTalk, Carphone Warehouse and Ashley Maddison are some of the most recent but unless the response is handled correctly they will end up costing the victim far more than the perpetrator initially intended. The principles of responding to cyber incidents are no different to responding to any emergency or crisis but there are a few “gotcha’s” to look out for and a few simple steps organisations can take to ensure that their response is effective.
Gotcha 1 – It is not always obvious that you have been attacked
If your building has been broken into or your basement is flooded it is fairly quick and easy to spot that something has happened. However, cyber incidents are often harder to recognise and it is not uncommon for them to have been going on under the radar for months before anyone notices. For example research by Arbor Networks in May 2015 reported that retail organisations were taking an average of 197 days to identify breaches and, whilst financial services organisations were better, they were still taking 98 days.
Whilst these numbers may at first sight seem unbelievable they make perfect sense when you consider that cyber criminals habitually take maximum advantage of the facts that: the anonymity of the cyber world means that the chances of detection is low; and that conventional security regimes are tailored to detecting and punishing large scale incidents.
Therefore, rather than carry out one successful heist for £50m, where the probability of being caught is higher and the associated punishment more severe, the cyber criminal’s cost benefit analysis points to 50 million heists of £1 where their activity can go largely undetected and, even if they are caught, the punishment is minor.
Repeated incursions for small amounts of data are therefore much more common. However, this slow burn brings with it two major problems with respect to incident management.
The first is that the early symptoms of cyber incidents are often wrongly classified as technical glitches and consigned to the IT department for long term management and resolution. This means that cyber-attacks are often not identified in sufficient time to launch an effective response because the wider impacts, such as reputational damage and legal implications, are not addressed until the incident has reached critical mass.
The second is that, because the wider business believes that the symptoms are being managed by the IT Department, they turn a blind eye to them and it is often external agencies, such as the press, that first join the dots together and recognise them as cyber incidents.
If this happens then the organisation can find itself firmly on the backfoot and share prices can literally plummet as they are forced to choose between “trial by twitter” if they decide to say nothing until they have investigated thoroughly or publish unanalysed details that are then taken out of context and speculated upon by a world-wide team of experts.
The trick therefore is to make sure that: IT systems are continuously monitored, all anomalies are reported to a central point, and a team that represents the wider business regularly reviews them to ensure that the organisation spots cyber-attacks before the press, customers or other stakeholders.
Doing this would mean that they would often find that they could contain and eradicate the attack before it does too much damage or attracts external attention and, should the incident come to light, they are in good position to provide sufficient information to give confidence that they are in control of the situation.
Gotcha 2 – Not knowing what has been compromised
Even if an organisation spots an attack early it is not always easy to work out what has been compromised. Most organisations IT systems have evolved over time. They frequently started life all neat and tidy and the IT Director could hand on heart say where all the information was held, transmitted and processed. However, they are now frequently complex behemoths who have taken on a whole life of their own and under-resourced IT departments have all too often been forced to regress from the architects and controllers of the systems to the people who just keep the complex IT beast fed and watered on behalf of the company.
Whilst the complexity offers agility, cost-effectiveness and resilience, it also makes it harder to work out what has gone wrong and what information may have been compromised. This is borne out by research by Sungard AS pointing out the Jekyll & Hyde nature of Hybrid IT (http://www.sungardas.co.uk/Documents/Jekyll-and-Hyde-Whitepaper.pdf) and the Arbor Networks research mentioned above that found that retailers and financial services organisations took an average of 39 and 26 days respectively to investigate, contain and eradicate data breaches.
As cybercrime increases so do people’s expectations with respect to the security of their personal data. Likewise, regulators and law makers across the globe are increasingly forcing organisations to know where the information they are holding is at any one time. Organisations that cannot do this will find it increasingly difficult to trade on the world market and savvy consumers will vote with their feet if organisations cannot give them a straight answer about their data within hours of a breach happening.
It is therefore essential for organisations to keep track of their information systems and information assets so that, should the worst happen, they can respond.
Gotcha 3 – Leaving the response to the techies
As mentioned previously the responsibility to identify cyber incidents often rests solely in the IT department due to a combination of the tendency to use impenetrable language to describe the symptoms and the slow burn of the events themselves.
Whilst the failure to involve the wider organisation can cause delays in attack identification, leaving the response to the techies can also cause problems.
Effective incident management requires teamwork, task work and high levels of personal competencies such as empathy and diplomacy to ensure the achievement of group goals (Hayes and Omodei, 2011). Researchers have also found that Extraverted-iNtuitive-Thinking-Judging (ENTJ) MBTI Test Personality types are well suited to such roles (Hammer 1996) as they exhibit high degrees of empathy, organisation, analytical thinking and decision making, enjoy being in charge and can visualise systemic or long-term changes they would like to see. Conversely, techies are often Introverted-iNtuitive-Thinking-Perceiving (INTP) personality types who, whilst able to build conceptual models to understand complex problems and are adaptable and have the metal agility to respond to changing environments, often struggle to work in teams and are uncomfortable with time pressures.
Therefore, whilst it is absolutely essential to have deep technical expertise to investigate, contain, eradicate and recover the affected IT system the response team must reach across every discipline within an organisation and be coordinated and led someone who competency set matched that of an emergency manager.
That is not to day that only certain MBTI personality types are able to manage incidents effectively but that other types may often to be playing to their weaker suits.
Gotcha 4 – Bluntness of the technical fix
To a layman a compromised IT system often looks much the same as an un-compromised system. Therefore, whilst all can see and understand the disruption associated with a flood or a fire, there is frequently an expectation that an IT system will be fixed and up and running within hours of a cyber-attack.
However, recovering from a cyber-attack takes time and involves expert resources. The typical steps required to contain a cyber-attack include: block (and log) unauthorised access; block malware sources (e.g. email addresses and websites); close particular ports and mail servers; change system administrator passwords where compromise is suspected; firewall filtering, relocate website home pages, and isolate systems.
Likewise, once the attack is contained the systems cannot be returned to their users until: the infected systems are rebuilt; compromised files are replaced with clean versions; temporary constraints imposed during the containment period are removed; passwords on compromised accounts are reset; patches installed; perimeter security strengthened; and the end to end system checked for functionality.
It is therefore it is highly recommended that alternative working arrangements and backups are in place!
Gotcha 5 – Underestimating liabilities
Finally, even if the organisation successfully navigates the recognition, response and recovery from a cyber-attack many fall at the last hurdle by underestimating their liabilities. Most organisations focus on lost time and damaged reputation. However, there are a whole host of additional liabilities that organisations often overlook when carrying out the cost benefit analysis of cyber security and cyber-attack response measures.
In addition to direct theft and information corruption other direct liabilities include Blackmail attempts and Ransomware. These threats are on the rise and as example McAfee Labs 2015 Threats Report showed that there was a 165% increase in Ransomware in the first quarter of 2015 alone.
Other costs include regulatory liabilities: both wide reaching and sector specific. For example the Current EU law requires organisations to have in place appropriate technical and organisational security measures to protect personal data and the new Data Protection Regulation is proposing fines of €100 million or 5% of the organisation’s annual worldwide turnover, whichever is the greater. Likewise some industry sectors can be heavily penalised for data loss. For example within the UK financial services sector, the regulator has historically levied greater fines for security breaches than the Information Commissioner.
Additional liabilities may also include: Breach of Statutory Obligations: Breach of Contract; Breach of Equitable Duties and Negligence.
The final word of advice is therefore take all liabilities into account when deciding to invest in either security measures to prevent the likelihood of an attack or response measures to mitigate the effects.