5 tips for cybersecurity incident response
Experts and politicians agree that security and privacy incidents are a given. “Cyberthreats are an urgent and growing danger," President Obama said. He also mentioned that as the nation’s infrastructure goes online, cybersecurity has become “a growing public safety and public health” issue. And as the new cyber-risk handbook from the National Association of Corporate Directors puts it: “If a sophisticated attacker targets a company’s systems, they will almost certainly [be breached].”
According to some estimates, between $9 trillion and $21 trillion of global economic value could be at risk from cyber attacks. Teams of cyber-attackers are using increasingly sophisticated tactics to deploy malware and mount multi-stage attacks that search for security holes until they find a way in. And they’re successful: The Global State of Information Security Survey 2015 by PricewaterhouseCoopers found that the total number of security incidents climbed to 42.8 million, a 48 percent increase from 2013.
With privacy risks on the rise, new regulatory requirements and enforcement programs, and new legal precedents for liability in cases of breach, corporate well-being in 2015 will depend greatly on how organizations respond to the inevitable. For these reasons, the most important focus for organizations this year must be on incident response. Organizations must present a unified front against privacy and security threats.
Some trends to watch for — and try to implement — in 2015:
1. Consolidating incident management responsibilities and tools: In many organizations, privacy and security have been treated as separate functions, with the IT organization responsible for information security and a compliance office or legal counsel responsible for privacy. But both are needed to fully investigate incident causes and safeguard against future events while keeping the organization compliant with complex and changing breach laws. For example, IT might investigate an incident and recommend better network security, while a privacy investigation might conclude that the incident is a data breach according to regulatory guidelines. However, had the data been de-identified or encrypted, the incident might have qualified for a regulatory breach exception, reducing compliance and reputation risks. Both recommendations together would create stronger future protection than either alone.
2. Privacy training for business partners: This year, for the first time, business associates of healthcare organizations are being audited by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). While HIPAA covered entities (CEs) can be penalized for security lapses by their business associates, any kind of business can be placed at risk by its business partners. As the NACD Director’s Handbook points out, company subcontractors and employees can present at least as big an exposure for companies as attacks from the outside. Companies should strongly consider employee background checks while extending their security education and training programs to key business partners who handle their information.
They should also consider including those partners in their own ongoing risk analysis programs, especially since security weaknesses in those partners’ own information systems can provide attackers with a back door into corporate information systems. As Vijay Basani, president and CEO of EiQ Networks, wrote in SC Magazine: “We also predict that large companies will require and demand that small vendors and suppliers attest to implementing security best practices as well as engage in regular review of their supplier and vendor's security posture.”
3. Cross-industry sharing around threats and best practices: Companies across all industries have been paying attention to the massive data breaches in the news and the lessons to be learned from them. In 2015, industry and cross-industry working groups — including Internet Security Alliance, the National Institute of Standards and Technology, and PHI Protection Network — will continue to share intelligence about emerging cyber-threats and security strategies.
4. Board oversight of data privacy and security: Boards are becoming more and more engaged in and committed to understanding security and privacy issues. Whereas corporate boards used to look at data security as an IT issue, now board members are seeing firsthand the potential damage that data breaches can do, from reputational harm to regulatory and legal actions. As a result, security and privacy are increasingly being seen as governance issues. Budgets must be aligned around not just protection but response. It is up to board members to evaluate the business risks of privacy incidents and determine the appropriate mix of spending on security programs, incident response programs and tools, and insurance against cyber-risks.
5. Automating incident response: More frequent attacks, higher risks, and, in the healthcare industry, lower reporting thresholds mean that organizations are responding to incidents more frequently. One healthcare industry survey found that time spent just on the risk assessment portion of incident response has increased by 50 percent. Organizations are beginning to look at the scalability of their response processes, evaluating their organizational structure and staffing, and adopting automation tools to aid collaboration and streamline the processes of risk analysis and documentation.
While incident response will be the focus for this year, in the end only a small number of incidents turn out to be breaches. The good news is that if you can detect them effectively and mitigate the risks quickly, you can potentially keep some of them from becoming breaches.
But if personally identifiable information (PII) or protected health information (PHI) is involved, you have to assume the incident is a breach and then prove that it isn't. In this world of increasing threats, it will be incident response — not prevention — that will determine your organization’s success.