Developing a Cyberbreach Strategy
Throughout the business world, breaches have become a constant reminder of the critical need to assess and take action on cyberrisk. But they can also make addressing the issue seem like an ever more daunting task, leading many to either put off substantive measures or blindly buy the latest insurance or software to “take care” of the problem and move on.
“The biggest mistake companies make in the breach recovery process is just not being aware of the risk in the first place,” said John Mullen, managing partner at Lewis Brisbois Bisgaard & Smith LLP and chair of the firm’s data privacy and network security practice. “You would be amazed—I do up to 100 presentations a year, and at 80% of them, people still look at me like it’s the first time they have heard about it, and I have been doing this for over a decade. The people in the know are in the know, but there is an amazing amount of people who have no clue.”
There are countless ways a cyberbreach can unfold, and countless ways response can go wrong, but laying the strongest possible foundation ahead of time ultimately makes the difference between successful response and absolute disaster for a company that gets hacked or otherwise compromised. According to Mullen, a breach coach who reports that his firm sees a new breach case every business day of the year, “If you don’t do all of the prep stuff, you’ll never get response right.”
I see too many companies thinking it’s only IT and, by my anecdotal stats, that means that not even half of the risk is being addressed.
For Mullen, the first pillar of a data breach strategy is self-knowledge. “Until you know what you really look like, you can’t begin to be ready,” he said. He urges all companies to get assessed and specifically do so with an outside company with which they do not already do much business. Companies that currently assess aspects of the business have some skin in the game, and the goal is to make sure the results reflect the whole picture, including the vulnerabilities introduced by vendors, partnerships and staff.
“You get as many breaches coming in from vendors and employees messing up as you do from bad guys, so that’s where policies and procedures and training and risk management all lump together,” Mullen explained. What’s more, this security assessment should encompass the entire business, not just IT. “Somebody should come in and holistically look at all of your privacy policies and procedures, what you tell your employees to do, what you tell your customers you will do, plus your IT. Then, you have a decent sense of where everything is.”
This process should involve players across the entire enterprise. “There is an instinct by people who don’t understand it to say it’s an IT problem. It is almost cliché to say it’s not, but it’s not, and I think companies don’t appreciate that it is way past IT,” Mullen said. “You know, 60% of the breaches we get aren’t IT-based, they’re based on either an employee mistake or vendor mistake. I see too many companies thinking it is only IT. By my anecdotal stats, that means not even half of the risk is being addressed.”
That may seem a daunting proposition to risk managers—or any member of the C-suite other than a chief technology or information officer—but it should not be. “Many people don’t know where to start. It’s not that different—you have done it before with every other business risk,” said Patrick Dennis, president and CEO of enterprise investigative infrastructure company Guidance Software. “In many ways, risk and members of the C-suite probably have more skills than many people in IT in terms of truly assessing these risks as they relate to the business.”
To these stakeholders, he advised, “Don’t let the fact that it is about computers or cyber dissuade you. Don’t let the small slice of things represented in the mainstream media make you feel like you don’t understand what this is about. There is a much broader swath of activities happening every day that are probably more representative of what your enterprise will face—focus on that middle set of cases on the bell curve.”
One of the most obvious components of risk is the data itself: what it is, where it lives, who has access and where it goes. To that end, Mullen recommends developing a way to identify and evaluate this asset flow, like a data map or data stream. “Many companies share data, and they don’t even know what data they are sharing with their vendors. They have a general idea, but they don’t know the real detail,” he said.
Once they do, the company can evaluate the true risk posed by existing procedures and strengthen where necessary. For example, he said, it is critical to look at whether you are allowing vendors access to your system to get data or you are sending data to them. Giving data and granting access present entirely different levels of risk. “It’s one thing to send some records to Jim and Bob to handle collection payments, it’s another thing to give them access to your account system, because then they’re in it,” he said. “If a bad guy gets in at their end, he can steal all kinds of data from you while using their credentials, and it looks OK because you allowed it.”
Examining these threats, their probability, and their likely impact is essential, and proves that there is a role for risk management from beginning to end of the cyberbreach process, according to Rocco Grillo, managing director and global leader of incident response and forensics investigations at Protiviti. “We look at the different types of scenarios that could potentially impact the company,” he explained. “Ultimately, this is all about risk: what is the likelihood that 1) we’re going to get compromised, and 2) this scenario could happen to us? When you look at your key assets, what are the risks involved? What is the probability? What is the investment that we’re going to make to protect those assets and implement countermeasures to potential attacks? And from there, how much are we going to pay a cyber insurance firm for the likelihood of these data loss scenarios?”
You can compare it to car insurance or home insurance: Just because I have it, I’m not going to drive with my eyes closed—you need to have precautions in place.
The second step is getting insured, Mullen said. “It’s one thing when you call me on a Thursday night and you are freaking out because you think you have bad guys in your system—that’s bad. But at least if you call me with insurance, you have resources you can rely on to help dig out of this hole and fix it,” he explained.
Indeed, those resources are the real selling point of a cyber policy. Mullen’s services as a breach coach are often provided by insurers that contract with his firm in advance so that, when a breach hits, insureds have him—and a Rolodex of service providers, from forensics teams like Grillo’s to processing centers that mail notification letters—to systematically guide them through investigation and recovery. The actual claim payout may offer some financial relief by helping to pay for notifying customers or setting up a call center, but the coverage is very rarely used to address primary sources of loss, like reputation damage or business interruption.
While the prospect of covering such losses eases some anxiety for executives who buy cyber policies, business interruption is a component of exceptionally few claims, Mullen said. “Having it definitely gives somebody comfort going to bed at night, but from a realistic point of view, I bet you that 1% or less of the claims have business interruption components. It’s really about crisis management services and covering your risk on the liability side,” he explained. “It is all about getting the response done well, getting the response done compliantly, given whatever bad facts you’re faced with, and limiting your exposure on the regulatory and third-party sides.”
That being said, insurance can help in the rare case of litigation. “Less than 5% of cases get into litigation, but if you’re a risk manager, you don’t want to be the one with the 5% problem without that cover,” he said. “It is unlikely you will use it, but it’s like an airbag in a car: you want the brakes to work—that’s the crisis management—but if you need that airbag once every five years, you want that baby to go off.”
To that end, he recommends approaching assessment and insurance like a “showering” regime: get assessed, get insured and repeat. This should be done at least annually, he said, urging risk managers to regularly check in with a broker to ensure coverage is up to date.
But buying a cyber policy does not absolve any company of the responsibility to take action internally. In fact, it often underscores the amount of work an enterprise needs to do, both to control deductibles and ensure an incident will even be eligible for coverage. “Cyber insurance plays an essential role,” Grillo said. “You can almost compare it to car insurance or home insurance: Just because I have it, I’m not going to drive with my eyes closed—you need to have precautions in place. Cyber insurance isn’t about just transferring risk, it is a supplement to your overall approach to defending the organization.”
If you used all the technology in the world, 46% of compromises are still based on employee behavior, so no matter what, you’ve got a 50-50 shot at any point in time.
“The things that many of the senior executives, C-suites or boards of a lot of our clients are looking for are: 1) Do we have a robust and mature incident response program? 2) Has it been tested? and 3) What are our key assets, or the proverbial ‘crown jewels?’” Grillo said. “We could have an incident response plan, but we need to know what we’re trying to protect. And when we identify those key assets, we want to test what would happen in the event there is a compromise or attack on them.”
This “crown jewel” approach is a key technique Grillo and his firm recommend for all clients. Standard business risk assessments and other existing metrics should already have done the work. Whether it be customer records or proprietary information, these priorities need to be made clear in discussions of cyberrisk strategy at every level of the organization, from determining budget allocation at board meetings to planning daily activity in the IT department.
James Carder, CISO and vice president of security intelligence company LogRhythm, also believes that this is the best way to approach building a data security strategy, and a far smarter, more cost-efficient way to prioritize resources to that end. If done effectively, he said, you stand a far better chance of catching an incident early and remediating it quickly. This means you can “win the game at the triage level,” before it becomes a full-blown breach.
“I think the best defense is to take what is important to you as a business, whatever data or intellectual property that is, and isolate that—put it in a vault and protect it. So you basically shift defense in depth from protecting everything to protecting what matters to you,” he explained. “Especially if they’ve been compromised before, a lot of people go out and just buy everything and expect it to work like magic. What they need to do is buy a couple of key technologies, build them up around the strategy, and then integrate the daylights out of them.”
The overall security approach should also incorporate efforts to guard the most valuable components unilaterally. Carder recommends taking as much control as possible over system access and buckling down on some of the risk posed by the actors you already know are in the system: the staff and any partners who are granted access.
“There was a study that came out that found, if you used all the technology in the world, 46% of compromises are still based on employee behavior. So no matter what, you’ve got a 50-50 shot at any point in time,” Carder explained. While serving as director of security informatics at the Mayo Clinic, he was responsible for designing the hospital’s incident response infrastructure and establishing its first-ever cyber threat intelligence and response organization. In an industry like health care, he said, the number-one obstacle is changing behavior and culture. But when faced with such sensitive data and the reputation and regulation implications of failing to protect it, forcing that change is clearly essential.
Today, companies in any industry need to implement such strict requirements to adhere to best practices. “Don’t trust your end-user,” he advised. “Don’t put the burden of change on your employee. Changing behavior is tough. The more you can take out of their hands, the better off you will all be.”
Establishing rigorous internal security procedures and then investing in tools like identity and access management—which should force users to go through levels of trust to access different segments of sensitive data—presents “the closest thing we have to a silver bullet,” Carder said.
You can’t be prepared enough, because the biggest pieces are trying to prepare for the unknown.
“We can have the most advanced plan in the world, but if we don’t know if it’s going to work or we haven’t tested it, we’re really leaving a lot to figure out during a time of crisis,” Grillo said. “You can’t be prepared enough, because the biggest pieces are trying to prepare for the unknown.”
He believes the key to preparation is having a repeatable strategy that companies can follow whenever an incident arises, regardless of the vector of attack. Then, focus on preparation and testing, and make sure roles and escalation procedures are well understood by everyone involved. “The companies that encompass that overall approach are the ones that are more successful,” he said. “You can miss any of those steps and it can derail the response to a breach or an incident in no time at all.”
Indeed, designing extremely detailed, threat-specific plans is often a fruitless and resource-intensive exercise. According to Mullen, basic plans available on the internet will meet your needs, and these short ones are actually better as they instill flexibility. “If you over-plan and try to anticipate every attack pattern that might happen, you’re not going to get it right anyway and you’ll waste a bunch of resources,” he said. “Rather than do that, have the appropriate team of people identified as the response team and have them get on a few conference calls and practice.”
Grillo and his team often facilitate that practice for clients through tabletop drills, which help refine the response process and make sure relevant resources have been identified and are widely understood. He also works with companies to develop “playbooks” to aid in the process and centrally collate resources, much like you might have for a fire or flood.
“Whether it is law firms or forensics investigators or even law enforcement, the last thing you want to do is be rifling through a contact list trying to engage parties from the outside in the middle of a crisis,” he said. “So, in a lot of instances, we help companies run through tabletop exercises not only to make sure that the stakeholders are involved, but equally important, to make sure that everyone knows their role and knows how and when to escalate.”
Once those roles have been established, the individuals responsible for managing incident response need the authority to execute when the time comes or even the best breach response will come to a screeching halt. “If you have a team and you did not actually give them power to do anything, it’s not a team,” Mullen said.
At the very least, he said, they must be empowered to spend the deductible money to get the ball rolling until higher-ups can be reached. “If you get a $10 million policy with a $100,000 deductible and call me on a Friday night, I can tell within 20 minutes that you need forensics in there tonight or you’re going to have a bigger problem, and they will need a $50,000 retainer to get started,” he said. “If you can’t get that done and have to wait until Monday—or God forbid it is a holiday weekend, so you wait until Tuesday—how does that look to regulators and plaintiffs’ attorneys?”
[Regulators] are going to absolutely hammer a company that comes through with a lackadaisical attitude.
“When you’re in the heat of the moment, make sure somebody is responsible for going back and diagnosing both what the root cause of the incident was and, frankly, how the incident was handled,” Dennis said. “You need to commit to doing that so you don’t wind up high-fiving once you’re through and never realize you probably should not have been there in the first place.”
Grillo also believes that gathering relevant stakeholders for a thorough review is a key step to improve the response plan and mature the company’s security program. “As much as we want to get back to normal business operations and get past the compromise, having that lessons-learned session is critical,” he said. “We want to document what went well and what didn’t go so well, then weave that back into the incident response plan so we get better for next time.”
Taking this step also helps ensure that everyone involved, including the C-suite or board, truly understands the implications of poorly managing cyberrisk, and remembers that lesson for future resource allocation discussions. “It’s not going to be a day that highlights everyone’s career successes, but the right thing to do is make it an opportunity for people to learn and to see the impacts of these issues,” Dennis said. “And then, any time you go back and revisit it, they will also remember why they need to take security seriously.”
Establishing and refining a cybersecurity strategy, and demonstrating it through serious, regular internal effort, will not only strengthen a company’s defenses against malicious actors, but can also help mitigate the damage if and when those actors manage to get in.
“As regulators get more experienced, they are starting to appreciate the differences between the people who responded appropriately and the people who either did not respond at all or handled it terribly,” Mullen said. “What they see with a bad investigation or bad event handling is a company that never took data security seriously in the first place. With a company that handled it well, they might still take them through the investigation process and fine them if applicable, but they are going to absolutely hammer a company that comes through with a lackadaisical attitude.”