Hardly a day goes by without a company of some size making the news for being breached. These incidents vary in scale from a few thousand records to millions, containing information about every aspect of the affected customers.
Here’s the scary thought: according to Experian’s 2015 Data Breach Industry Forecast (https://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf), almost half of businesses expect to suffer a breach of some sort within the next 12 months. Looking ahead, 48% of companies plan to invest more in their internal IT security to make sure they are not the ones making the news in the coming year.
By the time we hear how a company has been breached, the damage has already been done, to the company and to its customers. We only have to look at the TalkTalk incident at the end of 2015 and how it was handled: recent reports show that TalkTalk has lost 7% of its customers since the attack ( http://www.infosecurity-magazine.com/news/talktalk-trouble-7-customers-leave/ ), and that figure will keep rising as more customers reach the end of their contracts and can leave without paying early termination fees.
What companies need to look at more closely is how to plan for, deal with, and resolve an ongoing cyber attack when the news arrives. How many companies do you know that have dedicated staff for dealing with cyber attacks? Does your company make its incident policies and procedures available to the people who would need them when an incident occurs? What about disaster recovery testing? All of these need to be looked at, before an incident rather than during one.
Once an attack or breach has been discovered, even if it has been found internally by the IT department, the company still needs to manage the incident properly. It should not put its blinkers on for days or weeks and hope the incident will go away. There should be a detailed plan to follow, and digital forensic analysis should be performed to establish how the incident was initiated and what information was accessed. That analysis depends on evidence, so logs and disk images from the affected systems should be preserved before anything is wiped or rebuilt.
Once things are finally under control and the attacker’s access has been revoked (you did revoke access straight away, right?), the company should then start informing the police (or the equivalent authority in your country) and communicating with its customers, so they have a chance to inform their bank and/or change their passwords. The worst thing a company can do is sit on the incident, debating internally what to do. Should they contact anyone? Do the developers have time to fix this problem quickly? What about audit logs: can these be checked easily? Those questions should have been answered in the plan long before the incident.
So here’s the question: how many people reading this post realise that their current company (or any other company they know) has next to no procedures in place to deal with an incident? Does your company have anyone available to work on a security incident?
Even if you’re a small company with only a few people, the knowledge should be there, just in case. In the UK there is a government-backed scheme called Cyber Essentials, which aims to promote the importance of information security and covers baseline controls such as access control and password security. More information can be found here – https://www.cyberstreetwise.com/cyberessentials/
I hope this post got you thinking, especially if you are one of the senior managers, and that it wasn’t too much of a rant. I look forward to your comments.