Thursday, 27 August 2015

Life is Short: Have an Incident Response Plan



Guest Blogger: Nick Prescot
Senior Information Security Manager at ZeroDayLab
Data breaches are the digital equivalent of car crashes: they happen every day, and because they are so common they are no longer news, they have become part of daily life.  Yet many of the companies that process data about people and businesses across the world still think it won’t happen to them, because someone in the IT department has said that the systems are secure, and that is taken as the end of the matter.  This is largely because when the IT person speaks, the language is not one of saving money or making money, and that is the last thing someone in finance wants to hear.

I repeatedly find, among the companies I engage with, the stance that data security is an IT department problem, a view shared even by the IT security manager within the IT department. However, there isn’t a department within a modern business that doesn't use a system.  An incident is usually treated as a question of system availability rather than as a loss or breach of data, and yet the two are handled the same way, even though they call for different responses.

For nearly 10 years some institutions have taken a much more proactive approach, most notably the payment card brands through PCI DSS, to ensure that their data (i.e. the data on the payment card) is stored and transacted securely.  Whatever your thoughts on PCI DSS, it is a good data security standard and demonstrates a good level of security for the processing of that data.  However, it is nearly 10 years since its inception and payment card breaches are still happening regularly.
When it comes to personally identifiable information (PII), however, the same due care and attention is not applied, even though the loss of personal data can have a much bigger impact on people’s lives than the loss of payment data, in the form of identity theft.  Think about the Ashley Madison breach: yes, it is hilarious that politicians and civil servants have put their preferences on there, but what about people from countries where adultery or homosexuality is a criminal offence?  Storing and processing a particular kind of data may be legal in one country, while the same data, once exposed, can be evidence of a criminal offence in another.

Securing that data isn’t just an IT problem; it is a problem spread across every facet of the modern business.  Anything associated with the company’s domain name, whether it is a Twitter account or the website, needs to be part of the data security posture that the company employs.  What happened with payment data will happen with personal data with the advent of the new EU data protection regulation expected in 2015.  It is not in force yet, but it makes the processing of data much more of a business issue in terms of fines and regulatory reporting.

Data security isn't an issue that’s going to go away soon, or something that can be magically solved with a new shiny box that sits on top of the server.  It goes deeper than that; it’s the data that you process about people, companies, markets etc.  The value of this data isn’t necessarily tangible at first sight, but in the wrong hands it can do real harm. In an article written by Edward Lucas for the Times this week (August 25th), he makes a very good point:
 ‘We need a wholesale and urgent cultural change in our attitude to online safety. The decisions we face are difficult, involving trade-offs between freedom and security, of the kind we already make in real-life matters, such as road safety and public health.’

Lucas puts the point far more succinctly than I can, but the key point is this: we live in a digital age in which information is the tradable and valuable currency that makes a lot of money for the likes of Google, and in the wrong hands makes a lot of money for the hacker and, as in the case of Ashley Madison, does reputational harm to the end user.



The starting point for a business strategy that determines how much time, energy and effort to spend on beefing up your security is to understand the value of your data, not from a PCI and/or regulatory point of view but in terms of the damage to your business if it were lost or exposed.
All too often, companies are wooed and cooed by vendors that promise a one-stop solution that prevents a certain problem from occurring.  It does to an extent, but there is also a people and process angle to the security posture.  You need to have a person responsible and accountable for that new box, to make sure that the lights are on and that it is kept up to date and patched. Then you need a process so that if the main person is on holiday or decides to move on to pastures new, the box stays configured the same way.

Data breaches happen because there is a lack of technical and business security controls in place, or because there is a culture of complacency in a company where a breach hasn't yet happened.  I know from first-hand experience the culture within businesses that have been breached and within those that haven't, and sadly the middle ground is rarely seen: a company that hasn't been breached but operates as if it had been.



As the Ashley Madison website bizarrely states, ‘make a plan, have an affair’; until companies such as these have a solid and robust plan to secure the data they hold, from both a privacy and a security perspective, personal infidelities will continue to be disclosed in ways never meant to happen.

More about Nick

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies who are looking to improve their cyber resilience and security posture in the ongoing battle against emerging and continuing cyber threats.  By taking a detailed and holistic view of a client's policy and governance infrastructure, combined with incorporating information assets within corporate risk registers, Nick is able to provide clients with a clear strategy so that their infosec operations and processes are aligned to industry practice.
Nick is also a seasoned incident response manager; when there is a security and/or availability incident, Nick ensures that the incident is remediated as soon as possible and deploys the specialist response assets that can remediate it. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'
