Know Your Breach Readiness, Incident Response Plan, and Regulatory Obligations?

From threats to the business to incident response plans and breach response best practices, hear BreachRx’s Matt Hartley speak on the Agent of Influence podcast.

Our own Matt Hartley was a guest recently on NetSPI’s amazing Agent of Influence podcast. Below is a partial transcript of Matt’s thoughts from the conversation. To hear everything he and host Nabil Hannan talked about, listen to their full conversation.


On attackers and vulnerabilities

There are three categories of attackers that I like to think about: the first is criminal, the second is nation-state, and the third is hacktivist groups.

From a criminal standpoint, I’d say that we still suffer greatly across the world from ransomware attacks. There’s no “one” in particular to point out, just that it seems even to this day that many organizations are really unprepared and have not gone through an exercise or tested themselves to be sure that they can survive a ransomware event.

Ransomware events are very impactful! As you know, and for those that maybe haven’t suffered through one, you could be looking at a total enterprise shutdown of your entire business. Obviously, that becomes more than just a technology problem, that becomes a business problem. If your business can’t succeed at building or manufacturing something or just generally making money and servicing your customers, you’re in deep trouble.

Nation-states are sort of always in the news lately. Obviously the SolarWinds attack has been top of mind for many people and I think it just points out the capabilities that nations have around the world to be able to really target organizations if they choose to. What I mean by that is that a dedicated, well-resourced organization that has national-level resources is going to be able to get into any network.


Seeing the levels of sophistication of the SolarWinds attack just points that out and makes it more visible than it ever has been. I think there are a lot of attacks over the years that you could point to and I tend to go back to one of the earliest ones that was public which was Stuxnet. That’s another great example of the level of sophistication of these attacks and their potential impact.

What can you really do to survive those? Ultimately it takes you making sure that your employees are aware of them, such as having awareness of phishing attacks given they’re so common. In addition, practice with exercises across the business, from a ransomware standpoint and generally a security standpoint. That’s a key aspect that a lot of organizations tend to backburner because they’re so busy.

Validate your security enterprise and ensure that nothing has changed over time that introduces weaknesses and vulnerabilities, and ensure that your organization will be able to handle different types of events. Also make sure your backups actually work in case a ransomware event does occur.

On the recent Florida water utility attack

One definite lesson I think the security industry has learned over the last 20+ years is we’re not just talking about your general enterprise computing any more, you have to secure an organization holistically. That means you have to secure all aspects of it and there are areas like you mentioned that are these operational networks, the internet of things, that are vulnerable, like we saw in this Florida water utility attack.

Another good example of that would be a lot of companies build products and so their product development process needs to be secure. That means engineers need to have a secure mindset and really understand the types of vulnerabilities that are out there, so they don’t accidentally recreate a vulnerability that’s well known or do something that’s not a good best practice that ultimately creates a vulnerability in a product.

Operational technology examples are hugely scary, right? The number of systems that we’ve connected to the Internet for good or bad over the years, and obviously the pandemic in many ways accelerated that for a lot of businesses. Hopefully they practiced good security when that’s been done but given the speed, I suspect we’re looking at more of these types of events in the future.

Something that I’ve learned over the years and have recommended to many security leaders is start with or ensure that they’re spending time with that business continuity plan, meaning it’s a great place to go to really understand the most critical systems that your business has. It allows you to focus on those systems from a security standpoint, and the sort of adjacent advantages that you would get of maybe finding weaknesses in your general organizational process is great.

So with that BCDR plan, really understand the systems that are in there, understand how they’re secure. Understand and try to think like an adversary and understand how they might attack those systems. Then you can go and tabletop and practice if that system is compromised, what would happen, and then create a comprehensive plan to protect that system and that allows you to recover that system or that process.

On the difference between security & privacy incidents

The difference between the two starts with how they overlap in many ways. For example, most incidents that you can think of are probably both. For example, a nation-state attack like we talked about earlier that maybe exfiltrates data, that’s both, because data has been exfiltrated and has been potentially exposed. A ransomware attack could be both if that adversary also exfiltrated some of that data prior to encrypting systems or networks.

As for examples of security-only incidents, what comes to mind are denial of service attacks, where the data’s not really impacted per se.

Then there are lots of incidents that are privacy-only incidents. While some people argue some of these, one might be a lost laptop that had customer data on it, maybe it’s a security incident, probably more from the standpoint that security people have to deal with it. But if you think about it, that customer data being exposed is really the big impact. Another big frequent type of incident over the last few years with the rise of cloud computing is having a cloud vendor expose your data.

So if you pull that together there’s this Venn diagram of the two that overlaps. Interestingly, the number of privacy incidents is actually quite a bit larger than the number of security incidents. At BreachRx, we’re trying to help companies understand the implications of all this and really help them plan for and recover from an incident.

On being better prepared for incidents

Readiness from an incident standpoint comes from not only some of the things that we’ve already talked about, but also from really understanding the obligations that your organization has, where there is a regulation, for example, that may apply in an incident. Many people don’t necessarily understand that if you have customer data that’s been exposed, then the regulations for where that customer lives apply, not where your company operates or where the data might be stored.

From that standpoint if you have customer data and your customers are in all 50 states in the United States, for example, then all 50 states’ privacy regulations apply to that particular incident. So understanding obligations like that and understanding, to whatever degree you can, where your data is becomes key.

Understanding the contractual obligations that you might have has also been a surprise to a lot of those we work with. Your contracts likely have stipulations in them about notification timelines, so if you have a third-party provider, maybe they’re one of your customers and if they’re big, especially like a big bank or a retail company or something like that, or highly regulated, and you have some of their data, then they’re going to want you to notify them as soon as possible or immediately. There’s very likely some language around that in your contracts.

Most companies don’t have any of that organized. It’s similar to what we talked about earlier where companies have an incident and they sort of cross their fingers and they pay a thousand dollars an hour to outside counsel and remediation firms in order to figure out what they should be doing and then go do it, and that costs a lot of money.

Just capturing some of that information in a response plan, that isn’t just a paper plan but is specific and actionable, and actually practicing that as we’ve discussed, those are all things that a company can do to prepare and really save themselves a lot of heartache, a lot of pain, and a lot of money.

On privacy regulations

There are so many regulations, as I’ve learned over the past couple of years. I think the big one that everybody knows about in Europe is GDPR. And then here in the United States, one of the ones that has gotten a lot of attention in the last couple of years as well is California’s laws that are known as CCPA.

Ultimately there are many privacy regulations that define things like what you have to do when you have an incident, which government entity or entities you have to notify and by when, and various aspects like that. What’s surprising to many folks that we talk to is that there are laws all around the world that are already in place. China has a law. Singapore has a law. Brazil has a law they’ve passed recently. Canada’s on the cusp of a law.

The other thing that is a surprise to people is that in the United States every state has its own law. There is no federal law. From that standpoint, if you have data from US citizens or people that live in the US, then you’re potentially looking at a lot of pain if you have an incident because those laws are kind of all over the place. Some are very complex and some are very simple and open to a lot of interpretation.

From that standpoint, you know, one of the things that we talk about is that data privacy should be top of mind. A lot of these regulations have time frames that are very, very fast after an incident. The “famous” GDPR 72-hour timeline is a great example – you have to notify the regulators within 72 hours after you become aware that you have had an incident. California’s modeled a lot of their law after that as well.

One of the interesting things that many governments are now doing is funding organizations through the fines that they levy. California’s recent update to their law did that. Their organization has the ability to fund itself through the fines that it issues. That creates a bit of a snowball effect and I expect that that’s going to be pretty painful for unprepared organizations.

The other thing I would add here is that a lot of these regulations stipulate maximum penalties that are pretty large. For example, GDPR has a 4% fine stipulation – they can take 4% of your global revenue as the top fine. And what’s interesting is a lot of other countries have adopted similar percentages.

So if someone has a horrific incident and it’s shown that they don’t remediate with best practices or treat it seriously, if you add up all these percentages, it’s looking like it’s going to total around 25% of your organization’s annual revenue that these different governments are going to take.

That would obviously put a lot of businesses under. And it’s a great example of why data privacy is something that is on a lot of leaderships’ minds right now.

On what to do if you have a breach

The first thing to think about is that a bad or poor response is going to lead to all the pain that I just talked about: all these fines and obviously the kind of brand damage, customer loss, and shareholder lawsuits that we see with most breaches these days. So hopefully organizations have an incident response plan that they can use to help guide them.

With that, there’s a lot of factors that come into play. For example, if you have cyber insurance, a lot of those insurance organizations require some notification within a specific time frame in order to be able to make a claim. And the challenge with that is a lot of insurance organizations may want to dictate your response, so you have to think about and make decisions about when to notify them.

Similarly, when it comes to things like notifying your customers and notifying regulators, you really need your legal team involved and a lot of security teams haven’t necessarily practiced with that.

A lot of general counsel members in organizations haven’t necessarily been exposed to a lot of security incidents either. So pulling in your inside counsel or your legal team and really working together with them to understand the implications of the incident is really important. Especially because a lot of these end up in court, and so you want to be able to set up some legal privilege around the actions that you’re taking as part of an incident.

Once you get those sorts of prerequisites done, then it ultimately comes down to how much you’ve prepared ahead of time. If you’ve done that, then ultimately there’s kind of two tracks that run in parallel.

First, the security track, where the forensics occurs. Hopefully you have the visibility through your security infrastructure into the larger enterprise to really understand what type of attack it was and how to go and see if other events occurred. For example, if you’ve had a phishing incident you should go and check perhaps everyone else to see if they’ve also had the same or similar phishing emails. That’s a simple example but a pretty common one that a lot of organizations run through.

In parallel you have this privacy and regulatory set of processes that start. The way we talk about it at BreachRx is you have a shot clock. And you may have more than one shot clock for all these different regulations and for all these contractual obligations that you may have, so you need to ensure that you’re able to respond to those appropriately and then ultimately understand who to notify.

If it’s a big enough breach, you may have to make a public statement and then start pulling everything together in order to potentially deal with things like litigation and investigations from a regulator or a shareholder lawsuit.

On privacy, security, and BreachRx

I would say privacy is a fascinating area that, like security, actually has roots way back into early computing and, as with everything, it tends to have had kind of an up-and-down cycle in terms of focus. Over the last few years, as we’ve had this continuous explosion of data and more and more people online, privacy is sort of finding its own again.

When it comes to our focus at BreachRx, we’re really trying to help companies deal with incidents in general and understand the aspects of that incident from a privacy and a security standpoint. Privacy lately is being driven a lot by regulation and because of that there’s this sort of larger focus from a legal standpoint, where maybe just a few years ago when you had a security incident you wouldn’t necessarily be thinking about that.

Preparation is key to a successful response.
