Proactive Policy Helps Jump-Start Cybersecurity Investigations
Having a solid cyber breach response plan in place is imperative when every day wasted brings the enterprise closer to litigation.
The age of plausible deniability for cyber vulnerabilities is coming to an end, and the era of accountability is beginning. This is according to cybersecurity consulting firm AsTech Consulting’s CEO Greg Reber, who adds that as the public’s awareness of cybersecurity vulnerabilities and risks is ratcheting upwards, so is the level of blame they place at the feet of not just security executives but company leadership as a whole.
From 2009 to 2014, we saw a shift in board accountability – from the CSO losing his job following a breach to the CEO needing to step down and whole boards of directors being held accountable for unmitigated cyber vulnerabilities, he says.
These risks are also driving enterprise boards to maintain their awareness of and responsibility for cybersecurity. According to David Remnitz, EY’s FIDS Global and Americas Forensic Technology & Discovery Services (FTDS) Leader, as cyber risks and breaches gain attention at the highest levels – among activists, shareholders and board members – they increasingly become part of the board agenda.
Adds Paul Alvarez, a Senior Executive in EY’s on-the-ground cyber investigations: “It’s no longer just a matter of hiring the right people or buying the right tools; this is a problem that must be kept at the board level.”
Remnitz says that “Cyber risk is now operational risk, and that fits into the C-suite’s agenda. A cyber risk is a risk to the business’s reputation, its investor activity or shareholder value, and it’s a legal risk.”
According to Reber, “The threat of legal action does drive behavior.”
For example, he says, if the manufacturer of a connected device such as an Internet-enabled refrigerator does not do its due diligence in investigating cyber risks and vulnerabilities, and a consumer’s home network and data is compromised as a result, not only will consumers not purchase that device, but they will also sue the manufacturer for putting their data at risk.
“Good cyber hygiene is critical for companies today,” says Remnitz. “In large companies we’re seeing huge overhauls and refreshes of cybersecurity philosophies,” including bringing in fresh eyes – either from outside the security or IT departments or outside the company – to review processes and products; benchmarking by comparing cyber strategies and procedures with similar companies in the same sector; and extending risk analyses into the supply chain.
While the board does not need to know all of the minutiae of cybersecurity – the “bits and bytes,” as Reber calls it – metrics are still essential. For example, board members should know if information leakage or data loss is trending up or down for the enterprise. If it’s going up, they should realize this is a sign to reevaluate the enterprise’s risks and adjust resources accordingly.
A key to comprehending these metrics is to understand the enterprise’s unique, customized threat landscape, according to Alvarez. This report, either produced internally or by an external consultant, explains the common threats to the enterprise based on the industry and risk level, which helps to make the threats more real to the board. Enterprises can also use information-sharing programs or general standards such as the NIST Cybersecurity Framework to enhance their cybersecurity preparedness.
Alvarez adds that “Enterprise leaders need to have an honest, internal conversation about what breaches the organization can actually handle, and identify outside counsel, aid or remediation before an incident.” Knowing the realistic risks that the enterprise faces can help to facilitate that conversation.
According to Stephen Grossman, chair of law firm Montgomery McCracken’s Data Privacy and Cybersecurity practice and co-chair of its E-Discovery practice, a shifting legislative environment regarding cybersecurity means that security professionals should get counsel involved in assessing internal and external risks to the organization. In less regulated industries, such as retail and hospitality, it can be difficult to tell what measures will pass muster in a post-breach investigation, he says, and it’s unclear where to best invest company resources. Having counsel on board to help document measures and benchmark against recent regulatory or litigation trends can help keep the business from falling into the pitfalls of prior breaches, he adds.
In fact, Grossman recommends gathering a multi-disciplinary team, including IT, general counsel, HR, the chief privacy officer, the CSO, the CIO and the compliance officer, to build a stronger cybersecurity program. Often, having more departments involved at the drafting table will shore up senior management support.
“In terms of a post-event investigation, much of your risk (of litigation or backlash) comes down to what the organization has done in proactive measures,” says Grossman. “Waiting until after a breach to assess your cyber program is far too late. Enterprises need to have a well-crafted response plan in place; it needs to be a living, breathing document and program that changes along with the organization; training needs to have been conducted and documented. The best practices for investigating a breach happen before the investigation.”
A 2015 report from FireEye’s Mandiant unit showed that the average time a company took to detect a data breach was 205 days in 2014. While this figure has been dropping steadily since 2012, enterprises do not have any time to waste following the discovery of a breach (often through a third party, by the way) before they begin investigating and mitigating its impact.
According to Alvarez, a good investigative procedure means understanding and following industry best practices on preserving data (start with NIST 800-86, he says); maintaining and documenting a chain of custody; taking good notes of when evidence was discovered, what actions were taken, and who was involved; tracking the hours expended on handling the incident (this will help when calculating a damage assessment); tracking the assets, information or damages lost; and securing anything that may need to be turned over to law enforcement. The enterprise’s business continuity or emergency operations plans should also spell out what to do when there is a breach or threat: how to isolate the affected system and respond without completely derailing the business’s operations.
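The chain-of-custody and note-taking steps above, as an added example that is not from the article or from NIST 800-86: a small Python ledger that hashes each evidence item, records who did what to it and when, and hash-chains the entries so that a later edit or deletion of a log entry is detectable. The evidence bytes, analyst names and evidence identifiers are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded by the first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain-of-custody log. Each entry records actor, action, time and
    the evidence hash, plus the hash of the previous entry, so that editing or
    removing an entry breaks the chain when verify() is run later."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, evidence_id, action, actor, evidence_hash, note="", when=None):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"seq": len(self.entries), "timestamp": ts, "evidence_id": evidence_id,
                 "action": action, "actor": actor, "evidence_hash": evidence_hash,
                 "note": note,
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def evidence_intact(ledger, evidence_id, data: bytes) -> bool:
    """True if the evidence bytes still match the hash recorded when it was acquired."""
    acquired = [e for e in ledger.entries if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    return bool(acquired) and acquired[0]["evidence_hash"] == sha256_hex(data)


def build_sample_ledger():
    # Constructed sample: one log file imaged during an incident (hypothetical data).
    image = b"2015-01-05T03:12:44Z sshd[4242]: Accepted password for svc_backup from 10.0.0.9\n"
    t0 = datetime(2015, 1, 5, 9, 0, tzinfo=timezone.utc)
    ledger = CustodyLedger()
    ledger.record("EV-001", "acquired", "analyst_a", sha256_hex(image), "imaged auth.log", t0)
    ledger.record("EV-001", "transferred", "analyst_a", sha256_hex(image), "to analyst_b, bag #7", t0.replace(hour=11))
    ledger.record("EV-001", "analyzed", "analyst_b", sha256_hex(image), "reviewed on FOR-02", t0.replace(hour=14))
    return ledger, image
```

Hours spent per entry (for the damage assessment Alvarez mentions) can be added as another field; the hash chain covers it automatically because every field except `entry_hash` is digested.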
In some enterprises, the CSO may not be directly involved with cybersecurity investigations; however, this does not mean they should not get involved. Remnitz noted that during a cyber breach, the roles of the CIO, CISO and CSO overlap, and CSOs should be able to assist through the following steps:
- Be prepared to help verify that a breach has occurred and handle it.
- Understand the enterprise’s customized threat landscape.
- Drive the conversation about examining all risk – physical and cyber included.
- Be a regular participant in cybersecurity exercises and understand the CSO’s role.
- Look at training for security employees as well – how will security officers or GSOC monitors assist in the aftermath of an attack?
- Bring in external expertise to review security systems and procedures.