Limiting damage after a data breach

The costs of a data breach can be high, with Forbes calculating that cyber attacks are costing businesses around the world up to $500 billion a year.

And the hacks are likely to become even more expensive when new legislation comes into force in 2018. Under the European Commission’s General Data Protection Regulation (GDPR), companies that are hacked because of inadequate security measures will be liable to fines of an eye-popping €20 million or 4 per cent of annual worldwide turnover, whichever is greater.

However, the costs of a data breach don’t end there. Research has shown that an incident can seriously damage a company’s reputation and in cases such as Yahoo!’s high-profile hack, for example, this can have serious implications of its own.

A report from security firm FireEye reveals that around a third of people feel less loyal to a company that’s experienced a breach and six in ten say they would leave an organisation if their details were used by criminals.

Similarly, a poll by the Information Commissioner’s Office has found that a fifth of people would definitely stop using a company’s services after hearing news of a data breach. The stakes, in other words, are high.

Organisations aren’t prepared

Business data breach factsHowever, a surprising number of organisations fail to have a plan in place when it comes to communicating a cyber breach to the public and some get it badly wrong.

There’s particular mistrust, for example, when companies take too long to reveal a breach, particularly when, as so often, news of the breach is leaked.

“If you cover up, there’s a danger that the breach will be detected by other means, for example a pattern of bank fraud,” says Piers Wilson, head of product management at Huntsman Security. “And, like Yahoo!, where you’ve had a breach and not disclosed it, when it’s revealed there’s more embarrassment and loss of face.”

Under the planned GDPR legislation, organisations will be required to notify the authorities within 72 hours of an event. But while this means that really long delays will effectively become impossible, companies won’t necessarily be forced to alert customers immediately. And it’s often not a good idea to go public too soon, as this can jeopardise the clean-up operation.

“A lot of companies think they need to let employees know first. They think they’re being transparent, but if one of the employees leaks the information, that could hurt remediation,” says Vitor Souza, vice president of global communications for FireEye.

“One company needed to do a password reset over the weekend. Two days prior, the company e-mailed all employees to tell them. One person was not happy at work and remediation failed because the attackers were tipped off. They got out of the network, so the team couldn’t complete remediation.”

Disclosing too soon can also make a problem seem much more significant than it ultimately turns out to be. When one large company in Japan was breached, for example, cultural reasons meant it was eager to go public with the news.

“The issue was that they didn’t have any plan, so it was the communications team taking the lead,” says Mr Souza. “The board goes on TV to apologise and says potentially nine million records were stolen. But it turned out that what actually took place was an intrusion not a breach, so in fact no data was taken.”

Getting board buy-in

As all these examples show, cyber security is an issue that needs to be at the heart of decision-making so the C-suite isn’t caught on the hop. Too often chief security officers complain the board lacks awareness of cyber security, with FireEye’s survey indicating nearly eight in ten want to see changes to boardroom structure that would give it more prominence.

Research from PwC revealed that only 28 per cent of UK boards are involved in setting security strategy, despite the fact that nearly eight in ten organisations experienced downtime caused by security incidents last year, costing an average of £2.6 million.

“Cyber security is far more than just building security controls – it’s about changing your organisation to be securable,” says PwC UK cyber security partner Richard Horne. “That requires all aspects of a business to be engaged, to make tough decisions at board level and embed consideration of cyber-security risk in all decision-making processes.”

Most cyber breaches are caused by phishing attacks, with current and former employees representing the top insider risk and source of incidents. Increasingly, though, current service providers, consultants or contractors are causing threats, so these companies are having to up their game.

“Any small company that has customers’ financial records is going to be potentially at risk,” says Mr Wilson. “Organisations that are small in themselves, but form part of the supply chain are vulnerable – it’s potentially easier to find a target.”

What you need to know

The Centre for the Protection of National Infrastructure provides security advice to businesses and organisations across the UK and has a 20-point checklist of best practice.

It starts with an audit of authorised and non-authorised hardware and software, and works through the various assets that may need to be protected, from application software to wireless LANs (local area networks).

It covers creating administrative controls to manage access and continuous monitoring to detect breaches when they occur, as they inevitably will.

“Today, it’s clear that your speed of remediation is what’s really important. Everyone is breached, whether they know it or not,” says Kevin Bocek, chief security strategist at Venafi. “It’s about actively taking proactive measures to mop up the store every night. Good cyber-security programmes are constantly sweeping out – that’s really the measure now of cyber-security effectiveness.”

Mr Souza says it’s vital to put together a team from the start charged with handling a breach, including legal, technical and communications staff. And, he says, they should work together on a regular basis as too often the team only comes together when a breach actually happens.

“The best organisations are those that at least twice a year have a table-top exercise,” he says. “It not only prepares you for the problems you might face, it also builds trust.”

Ultimately, embedding cyber security in organisational culture means expressing the threat in terms that are easy for the various stakeholders to grasp.

“If you’re a chief security officer, then obviously your view of the cyber risk is going to be how much data you lose and the cost of fines. The chief executive is often more concerned about the reputation of the company and the market view of that, which is the share price,” says Mr Wilson.

“One of the difficulties a few years ago was getting the board’s attention. Now we’ve got the board’s attention, chief executives are losing their jobs and the security team has suddenly got the opportunity to talk to the board.”