Cyber crime is growing both in frequency and sophistication. From leaked customer payment details to the theft of intellectual property, chances are that one day your organisation will be the target of an attack.
Responding effectively to a cyber security incident, however, isn’t always the norm. Organisations differ greatly in their preparedness for an attack. Without an adequate plan, businesses face greater disruption or loss if they’re hacked.
What are the options? In this two-part series, PwC’s cyber security partner Andrew Gordon offers his thoughts on what constitutes best practice in dealing with the many facets of a cyber attack.
The rapid, broadscale shift toward a fully interconnected digital world has brought with it countless benefits, but also many new dangers. Those same, wide-open communications channels that bring businesses into the living rooms of customers pave a similarly easy path to corporate doorsteps for attackers to exploit.
The full extent of the prevailing threats burst convincingly into the public consciousness following recent high-profile incidents, salient among which was the Stuxnet worm in 2010. A highly sophisticated computer virus, it was designed to sabotage Iran’s nuclear program.
While interesting on a technical level, what Stuxnet really hammered home was that both the motivation and the money to carry out cyber espionage at the highest level was available in spades and that the potential for such activity to result in damage was very real.
Since then, details about incidents – ranging from state-sponsored hacking and wiretapping, to financially-motivated attacks emanating from criminal organisations, to political hacktivism – have been regularly publicised. It comes as no surprise, therefore, that cyber security has rocketed up the priority list of many organisations to be considered the greatest threat to business growth by Australian CEOs and a key threat by 61% of CEOS worldwide. In PwC’s latest Global Economic Crime Survey, 34% of organisations say they think they’ll be affected by cyber crime in the next two years.
Fortune favours the prepared
Hopefully, the first time you sit down to think about what to do in case of a security incident won’t be the day you discover that it’s happened. Preparing a comprehensive incident response plan well in advance is absolutely key, but what should that include?
First, know thyself
Prior to establishing your plan, you will need to define your risk profile. Would an attack be more likely to be motivated by financial gain or ideology? Ask the question, ‘What would an attacker want? What are our crown jewels?’
The answer will depend heavily on the nature of your organisation’s activities. For large retailers and commoditised industries, that’s probably the customer or payments database. For some organisations, attackers can extend to environmental hacktivists looking to inflict as much damage and embarrassment as they can.
Comprehensively determining your risk profile, however, can easily stretch resources and expertise to the limit, so it’s common for this task to be outsourced to an external IT security consultancy that can provide an objective high-level risk assessment.
How to create an incident response plan
Your incident response plan will be what enables your organisation to respond effectively and cohesively to an IT security attack. Done right, the plan ought to:
- reduce stress and panic – and any rash decisions that might otherwise result – by providing clear, step-by-step instructions to minimise uncertainty;
- ensure an efficient use of company resources by defining roles and responsibilities;
- minimise data loss by outlining the technical response; and,
- mitigate damage to reputation or brand by defining a disclosure methodology.
For your incident response plan to be effective, it will need to be detailed, highly considered and, most importantly, rehearsed. It will need to contain the following elements:
- A formal definition for what constitutes a ‘crisis’
Is it or isn’t it? Have an unambiguous definition in place so that you know exactly when the plan needs to come into effect. This is about as important as having the plan itself.
- A named response team
Put together a multi-disciplinary team of specific, named individuals best able to deal with a security incident. This should include roles, responsibilities and emergency contact details. The team will need to include both those that have the necessary executive power and those with technological expertise.
Likely to find representation on a response team are IT security, the network security team, desktop, server fleet – the whole host of IT disciplines. In addition, business representation for those cases where customers are affected, regulatory liaison, corporate affairs to lead any discussions about brand and the media, and the CIO in order to be able to make snap financial decisions like shutting down systems or rapidly engaging external help.
- A disclosure plan
While news of certain, highly visible breaches (like a defaced website) is likely to be public knowledge immediately, in subtler situations knowing who to tell, what to tell them and when to do it is particularly important, especially in cases where a threat is detected early, while it’s still ongoing and before damage occurs. Having the threat actor still present and unaware they are being monitored is ideal for tracking and gathering evidence.
Corporate affairs will need to be made aware early of any incidents that require statements to the media and other organisations.
- A plan for gathering evidence
In order to eventually prosecute an attacker, evidence will need to be presented to a court. That evidence will need to have been collected and preserved so as to be admissible in court, so it’s wise to invoke some legal counsel in determining your forensics strategy.
- A communications plan
With hackers potentially still having access to your system, communicating through that compromised system risks the attacker eavesdropping and staying one step ahead of your response effort. Therefore, having a plan for ‘out-of-band’ communication, e.g. a completely separate email system that can be activated at a moment’s notice, is imperative.
With your incident response plan established, communicated and rehearsed, dealing with a breach when it occurs should be a much more orderly affair.
What happens once a threat is actually detected? The next article in this series will look at how to invoke your response plan in order to effectively minimise damage.