Security Breaches: Are You Ready?

By Sean Hare, CAE, CGEIT
April 1, 2019

How leaders plan for and respond to a cybersecurity breach can make or break the company’s reputation.

 

Cybersecurity is the application of tools and techniques to protect the availability, integrity, and confidentiality of an organization’s information. It relies on multiple layers of safeguards and controls, both technical and procedural, so that no single failure hands an attacker a breach. Even with valiant defensive efforts, the number of cyberattacks is skyrocketing in all forms, and given the material and financial gains on offer, attacks will continue to escalate.

 

Cybercriminals don’t have to fool everyone or find every network vulnerability. They just need to fool one person or find one access point. If you’re compromised, you face the loss of your customers’ personal information, and, in the age of individual privacy rights, you may lose their trust and damage your company’s reputation. With so much at risk, will your organization be ready when a breach does occur?

 

It’s a simple question to ask, but if your organization isn’t prepared in advance to deal with a breach, it will probably fail in its response. The impact can be monumental and crippling to both brand and reputation. You need to have a plan with a selected team that can respond in minutes so that the threat can be appropriately managed to a successful resolution. The fiduciary, legal, and regulatory responsibilities go beyond combating the intrusion and controlling the damage.

 

A responsible organization needs a specific preventative plan in place to minimize risk. Many vendors sell fraud-alert and identity-theft protection products, but at a minimum, cybersecurity preparedness should include the following.

 

  1. Contracts and policies. Ensure that your organization’s third-party contracts, corporate policies, and insurance policies are centrally located, access-controlled, and backed up, because legal counsel may need swift access, and the systems that normally hold them may be offline during a breach. Send updates to the legal team as they occur so that it always has the latest versions on file. Audit the agreements regularly for breach-notification language, renewal dates, and overall completeness.

 

  2. Data-related vendors. Annually verify that every third party entrusted with your company’s data can demonstrate appropriate controls over its systems and processes (for example, a current PCI DSS attestation of compliance or SOC 1/SOC 2 reports that actually cover the services you use, exceptions included). Where the data warrants it, secure a contractual right to audit, including on-site inspection of their controls and data centers. These requirements should be written into the contract using language provided by your organization.

 

  3. Security tests. Your company must run regular tests to confirm that patches and network security controls are current and to find vulnerabilities before an attacker does. This is managed through penetration testing, vulnerability scanning, and network audits. Have these performed by independent third parties, require that each round produces measured results and prioritized recommendations, and track the findings to closure. Also require that third parties that transmit or host your data provide appropriate updates, audit reports, and planned tests to show that they meet your data-protection and cybersecurity standards.

 

  4. Training. Even with the best cybersecurity technology, people are still the best resource in preventing breaches. Training may be the most important measure because it provides awareness. Most successful cyberattacks involve a person who unknowingly assists in the attack, often through a single click on a phishing link or attachment. Training should explain what cybercriminals target, concrete do’s and don’ts, the impact of a breach, and the staff’s role in prevention, detection, and controls. It should also cover basics such as network access, email handling, password strength and multifactor authentication, and controls on system access, and above all how to report something suspicious without fear of blame. This training needs to be thorough, easy to understand, and impactful.

 

The first 24 hours after a breach are the most critical. Action must begin immediately once the breach is discovered so that the damage can be contained. Regulatory clocks start at discovery, and some are short: the EU GDPR, for example, requires notice to the supervisory authority within 72 hours of becoming aware of a personal-data breach, and notice to affected individuals without undue delay where the risk to them is high; other jurisdictions, sector rules, and contracts set their own deadlines. Here are several steps to consider in ensuring your organization is prepared to meet such demands.

 

  1. Control the breach. Isolate and contain the breach as quickly as possible. You may need to disconnect computers, servers, and devices from your network, and in extreme cases take down the entire network. Prefer isolating a machine over powering it off where you can, because memory contents and logs needed to understand the attack are lost on shutdown, and preserve forensic images before rebuilding anything. Professional incident-response firms specialize in breach response and can help you secure your systems and networks quickly; most require a retainer agreement to be in place ahead of time. Record in detail, with timestamps, when the incident was discovered, who discovered it, the nature of the breach, the types of data exposed, every action the response team takes, and all the employees who had access to the affected systems.

 

  2. Contact your insurance company. One of the most important investments in risk mitigation is cyber insurance. When contacting your insurer about the incident, have an outline of events and any known exposures readily available for reference. Your agent can confirm coverage, identify the support services available under the policy (forensics, notification, credit monitoring), and outline the required steps; many policies also provide access to counsel specializing in data security incidents. Check the policy’s conditions in advance: insurers commonly require prompt notice and may need to approve response vendors before they are engaged. If your company doesn’t have cyber insurance, contact your organization’s agent and inquire about appropriate coverage.

 

  3. Contact legal counsel. Legal counsel is another key resource throughout a breach and must be proactively given any new or updated information regarding the incident. Counsel will act as privacy and compliance experts to shape the incident response and assess the risk of litigation and fines. They will provide significant input on all communications and determine the need to notify affected individuals and organizations, including customers, vendors, the media, card brands and payment processors, and law enforcement. They will also research domestic and international laws, global data regulations, and the resulting obligations to ensure all fiduciary responsibilities are fulfilled. Engaging counsel early, and having counsel retain the forensic firm, can also help preserve legal privilege over the investigation’s findings. Active communication with stakeholders will be key, with the legal team in an advisory role to protect your organization and any individuals potentially affected. Legal counsel may also manage the offering of nonmonetary remediation, such as credit monitoring, to your customers.

 

  4. Manage your communications. The importance of communication in successfully managing a data breach can’t be overstated. Communication is how your organization demonstrates responsibility and care for those who’ve been affected. All communications need to be timely, transparent, and concise. The CEO, communications/public relations lead, and legal counsel should work cohesively in this role from the start. Identify the channels of communication and the audiences the communications team will address (for example, customers, shareholders, and the board of directors). All statements should be consistent in covering what has occurred, what’s being done, and what the outstanding risks are. Your company’s crisis communications plan should be tailored to meet these needs. All employees should refer requests for information to the communications team.
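The record-keeping in step 1 and the notification clock described above are easier to get right if the incident log itself is tamper-evident and the deadline is computed from the recorded discovery time rather than from memory. The following is an added illustration, not code from the article or from IMA: each timeline entry is hashed together with the previous entry’s hash, so any later edit to an earlier entry (or a re-hash of it) is caught by verify(). The 72-hour window is an assumption modelled on the GDPR supervisory-authority deadline, and the incident ID, names, hosts, and timestamps are constructed sample data.

```python
"""Tamper-evident incident timeline with a regulator-notification clock.

Added illustration, not the article's own code. Each entry carries the
SHA-256 of the previous entry, so altering, reordering, or dropping an
earlier entry is detectable. The 72-hour window is an assumption
(GDPR Art. 33 style); adjust it for the regimes that apply to you.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed notification window to the supervisory authority.
REGULATOR_NOTICE_WINDOW = timedelta(hours=72)
GENESIS = "0" * 64  # prev-hash used for the first entry


class IncidentTimeline:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash everything except the hash field; sort_keys and fixed
        # separators make the serialization canonical and reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def record(self, at, who, what, details=None):
        """Append an entry; `at` must be a timezone-aware datetime."""
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        entry = {
            "incident": self.incident_id,
            "seq": len(self.entries),
            "at": at.isoformat(),
            "who": who,
            "what": what,
            "details": details or {},
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if no entry has been altered, reordered, or removed."""
        prev = GENESIS
        for seq, e in enumerate(self.entries):
            if e["seq"] != seq or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def discovered_at(self):
        for e in self.entries:
            if e["what"] == "discovered":
                return datetime.fromisoformat(e["at"])
        return None

    def regulator_deadline(self):
        found = self.discovered_at()
        return found + REGULATOR_NOTICE_WINDOW if found else None

    def hours_remaining(self, now):
        deadline = self.regulator_deadline()
        if deadline is None:
            return None
        return (deadline - now).total_seconds() / 3600


def build_sample_timeline():
    """Constructed sample entries for illustration (not a real incident)."""
    tl = IncidentTimeline("IR-2019-0001")  # hypothetical identifier
    t0 = datetime(2019, 4, 1, 9, 15, tzinfo=timezone.utc)
    tl.record(t0, "j.doe (SOC analyst)", "discovered",
              {"nature": "unauthorized access to customer database",
               "data_types": ["names", "email addresses"]})
    tl.record(t0 + timedelta(minutes=20), "j.doe (SOC analyst)", "contained",
              {"hosts_isolated": ["web-01", "web-03"], "method": "VLAN quarantine"})
    tl.record(t0 + timedelta(minutes=45), "a.lee (IT ops)", "access-review",
              {"users_with_access": ["svc-web", "dba-team"]})
    tl.record(t0 + timedelta(hours=2), "r.kim (legal)", "insurer-notified",
              {"claim_ref": "pending"})
    return tl


if __name__ == "__main__":
    tl = build_sample_timeline()
    print("chain intact:", tl.verify())
    print("notify regulator by:", tl.regulator_deadline().isoformat())
    # Editing an earlier entry after the fact breaks the chain.
    tl.entries[1]["details"]["hosts_isolated"].append("db-02")
    print("chain intact after edit:", tl.verify())
```

In practice the chain should be appended to write-once storage (or each hash copied out to a system the responders cannot edit) so that the verification has something independent to compare against; the hash chain only proves that the log you hold now matches the one that was written, not that the writer was honest.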

 

Today’s communications and commerce are dependent on the world’s digital infrastructure, where cyberattacks are beyond commonplace. Despite the efforts of an organization to protect digital assets, breaches do occur. How a company responds can be just as important as the efforts to prevent one. Planning ahead, allocating the proper resources, and defining roles will create the path to a timely and well-executed response, which can save your company’s reputation.

 

Sean Hare, CAE, CGEIT, is VP of IT and Operations at IMA. He can be reached at share@imanet.org.
