Firms need better breach response, clear regulatory guidelines
Organisations today lack a proper framework that will help them respond quickly when they experience a cybersecurity incident. Governments can help by establishing clear guidelines and protocols, but overly restrictive requirements may discourage companies from disclosing they suffered a breach.
As it is, companies are on edge that they may face litigation from customers when a security incident occurs.
More were moving to keep things under wraps over concerns about class action lawsuits or any other potential legal action, said Forrester’s senior analyst Jess Burn, who specialises in incident response and crisis management as well as security training.
Insurance and attorney-client privilege often got in the way of full transparency from these companies, particularly in North America where the society was perceived to be highly litigious, Burn said in a video interview with ZDNet.
Organisations would disclose what was required by regulators and park everything else under a dedicated contract that ensured investigations, following a breach, were kept under attorney-client privilege, she said.
This meant that any party involved in the investigation could be prevented from disclosing confidential communications between the breached organisation and its lawyers.
Burn observed that lawyers increasingly were involved in any communication that companies released with regard to a breach. Reports and documentation on the breach assessment, which organisations might be required to carry out and pay for when they suffered an incident, also would be heavily controlled.
The complexity of determining and understanding the extent of a breach also further compounded the issue. She explained that some cyber insurance providers would not cover state-sponsored attacks, but defined such breaches so broadly that it would take some effort before attacks were officially attributed.
This could drive some organisations to stay silent until they were able to fully ascertain their position before reporting the breach, she said.
Firms should already know who to call
Legal issues aside, organisations foremost should have a plan in place to help them navigate quickly when there is a cybersecurity incident. This still is lacking in most companies today.
Too many still were parking the bulk of their money on protection, rather than defining how they needed to respond in the event of a security incident, said Richard J. Watson, Asia-Pacific cybersecurity consulting leader at EY Global.
The top priority for companies should be to ensure they had a framework on how they should respond to a breach, he said in an interview with ZDNet. This was critical in building up cyber resilience and ensuring network availability, especially as employees worked from home and remotely, he said.
Companies simply were not prepared and would attempt to work out how they should respond in the midst of a security incident, said CrowdStrike’s Asia-Pacific Japan services director Mark Goudie.
“It’s like a doctor flipping through a manual book while operating on a patient,” Goudie said in an interview. “They haven’t trained and aren’t ready.”
Burn concurred, adding that many organisations waited until they were breached to call in the investigators.
“The best practice is to have a retainer in place and have some onboarding before a breach happens,” she said. “Bring in a company that can assess your readiness and incident response plan, and run through a tabletop exercise to get your team and executives ready.”
“The mistake is to wait and call a hotline of some well-known incident response provider for help [after a breach occurs]. It’s too late. You would waste three to five days [which] they [need to] understand your company workflow and systems. You need to establish a relationship with them and an outside attorney, and have them help you rehearse your entire incident response plan,” she noted.
Goudie added that having a retainer ensured organisations had access to help when a major vulnerability, such as the recent Log4j, was uncovered. Incident response services providers, for instance, would be inundated with service calls and were likely to prioritise existing customers over new ones that had yet to sign a retainer.
In addition, an incident response plan would better enable organisations to identify a threat more quickly, have visibility of the threat, and respond quickly. The goal here was to prevent the security incident from escalating into a data breach, he said, adding that there often was a window during which this could be stopped.
Watson noted that while it was easy to detect when there were suspicious activities within the network, it was tougher to determine the severity of a potential breach.
He, too, suggested organisations work with an incident response vendor to help them navigate breaches, during which two courses of action needed to happen. Companies first had to work out whether there was any data exfiltration or privacy violation and, hence, decide if the relevant authorities must be notified of the security incident.
Affected organisations then had to figure out the type of breach that occurred and potentially prepare for data preservation, he said. This could impact the speed of response since it was essential that evidence and diagnostics data be preserved.
Companies that failed to properly prepare or have a well-defined process in place likely would end up rebuilding their systems, as this was the fastest way to get their operations up and running. In the process of doing so, however, they could end up removing all evidence.
This meant that they would not be able to identify and understand the cause of the breach, so the vulnerability could be plugged to prevent a recurrence, Watson said.
Companies that did not make efforts to preserve evidence in an attack also might limit their ability to file an insurance claim, he added.
He said EY espoused a seven-step approach in the event of a security incident, which encompassed mobilising the planned response, acquiring evidence, investigating, threat hunting, containment, mitigation, and recovery.
He reiterated the need for a more balanced division of investment in security protection as well as response and recovery.
Goudie also underscored the importance of establishing response plans and playbooks for different threats, whether these were ransomware or nation-state attacks. These should guide the operations team on what they needed to do so they could react quickly, he said.
Regulations to drive information sharing
Noting that most regulations currently were focused on data breach and ensuring there was adequate disclosure, Watson also called for more reporting on other types of incidents such as ransomware and indicators of compromise.
Pushing organisations to share information on attack activities they identified and blocked in their network could benefit the industry, particularly if other organisations had failed to stop similar attack tactics, he said.
He suggested governments lead efforts to establish common standards or platforms for information sharing on indicators of compromise, so organisations within critical sectors such as finance, utility, and manufacturing could leverage such networks of knowledge.
Having standardised protocols also would automate such processes and ease the submission and sharing of data, he said.
Watson further mooted the need for regulations to go beyond protection and include incident response, such as a minimum set of requirements mandating how companies must respond in the event of a breach.
“There’s implicit trust right now that companies are carrying out adequate investigation, since the onus is on them to report to the authorities, but we know that companies generally don’t have sufficient response in place,” he said. “You can’t know what you don’t know. And yet, regulations now rest on the fact that companies are doing a good job sizing the breach and responding.”
Such assumptions reflected an inherent flaw in the system, he said, stressing the need for organisations to have the appropriate incident response framework and resources in place.
Goudie, though, noted that mandates and punishments could result in further penalising organisations that already were victims of a breach.
Regulations that were overly restrictive also could see companies spending more time responding to mandates than on responding to the security incident itself, he said.
He, too, pitched the need for metrics to drive information sharing so the industry could better understand and learn how threat actors gained access to breached networks. Such data could be distributed to the relevant authorities and shared amongst companies in the affected vertical.
He noted that threat actors typically used the same tactics and procedures to carry out attacks, including those targeting certain industry sectors.
“If we can understand their playbook and inform the vertical about how a victim [in that vertical] was compromised, this helps the whole industry become more resilient for the next attack,” he said.
Burn noted that any unwillingness to provide information and the lack of transparency were detrimental to the security industry, during a time when there should be more data sharing to better combat attacks.
With the general public now used to seeing news about security incidents amidst the rise in breaches, she said consumers were more forgiving when companies suffered a cyber attack.
However, they would be less inclined to do so if businesses were found to be less forthright about a breach and made efforts to hide the truth from customers, the Forrester analyst said.
She pointed to Norwegian manufacturing company Norsk Hydro, which won much praise for its openness and transparency after suffering a ransomware attack in 2019. It shared details about the incident and how it worked to recover from it, after refusing to pay the ransom.
“I think we need to find a way [to address] concerns about lawsuits and fight attacks with transparency,” Burn said.
She added that while companies should be penalised if their negligence was found to be the cause of a breach, organisations should be given some latitude to not be penalised for telling the truth.