Incident Response in the Technology Sector: Preparing for the Inevitable

Click here to listen to this article via the BreachRx Blogcast

In the fast-paced technology sector where innovation knows no bounds, breakthroughs are made daily, information flows ceaselessly, and advanced technologies like artificial intelligence, robotics, the metaverse, and quantum computing promise to reshape the world. Yet, in this ever-evolving landscape, the impact of cyber attacks grows higher and increasingly weighs down the pace of advancement that companies can achieve. Cyber threats have evolved over the last decade from nuisance to hacktivism and theft, to now capable of crippling even the most advanced technology companies.

As technology continues its relentless march forward, the vulnerability of the tech sector becomes increasingly pronounced. While technology companies are at the forefront of innovation, they are traditionally laggards when it comes to adopting strict security measures in their new products. The bipolar nature of insecure innovation feeds the arms race between attackers and defenders. This paradox is at the heart of the need for incident response readiness in this dynamic industry.

Technology companies are ultimately prime targets for threat actors seeking to steal money, disrupt operations, and seize valuable customer information and intellectual property. Teams should be proficient in 1) managing a variety of attack scenarios, 2) involving all business units, and 3) swiftly mobilizing to minimize potential repercussions. The continuing success these attackers have against companies of all sizes and sophistication underscores the imperative for technology sector organizations to adopt proactive strategies to prepare for the inevitable compromise.

The High Stakes of Incident Response in Technology

Technology companies face outsized risk of impacts from breaches that result in operational disruptions because in many cases technology companies are supporting the operations of other businesses across all industries and geographies. Visibility of downstream users to attacks which halt services, introduce fraud, or compromise environments erode customer trust of technology companies and the customers of those technology companies, a very negative second-order effect. Even with cyber insurance, tech firms frequently find themselves shouldering heavy out-of-pocket expenses due to policy restrictions and coverage limits.

A recent technology sector breach exemplifies the risk of these impacts. In December 2020, the world was shocked by the news of a massive cyberattack that compromised the networks of thousands of organizations, including government agencies and Fortune 500 companies. The attack was traced back to a Russian threat group, and it was carried out through a supply chain attack on SolarWinds, a widely used IT management and monitoring software company. The attackers infiltrated SolarWinds’ network and injected malicious code into a software update. The compromised software was distributed to thousands of SolarWinds customers, allowing the attacker to gain access to the networks of any organization that installed the compromised update.

The SolarWinds breach was one of the most sophisticated and damaging cyberattacks in history. It is estimated that over 18,000 organizations were affected, including the US government, Microsoft, Intel, and many other corporations. The attackers were able to steal sensitive data, including intellectual property, financial information, and government secrets. The SolarWinds breach had a significant impact on the company itself, starting with its stock price plummeting over 36% in one week and substantial damage to its reputation. The company lost millions of dollars in revenue as customers abandoned the platform. Regulators and governments globally weighed in on the breach, and the company continues to face extreme audits of its operations. SolarWinds also faced a number of lawsuits from customers who were affected by the breach.

With 767 publicly-reported breaches so far in 2023, a nearly three breach a day pace, companies globally are under the gun and should expect the need to handle an incident. And with technology companies’ vast digital footprint and access to cutting-edge computing resources, attacks on the tech sector in particular are continuously escalating in sophistication, frequency, and impact.

Financial Burdens from Incidents & Data Breaches

Cyber attacks continue to pose existential risks to tech firms, not only in terms of operational impacts but also financial losses, damaged reputation, and loss of customer trust. The result: average-size incidents cost technology sector organizations over $4.6 million each with the average for companies in the United States averaging double that, per this year’s Ponemon Cost of a Data Breach report.

And with Cybersecurity Ventures’ research demonstrating that the cost of cybercrime is on track to reach $8 trillion in 2023 and surge to $10.5 trillion by 2025, with sustained growth beyond that timeframe, the tech sector is only looking at a future of even more incidents. Verizon’s 2023 data breach investigations report, the DBIR, noted that there are nearly 6 breaches a day in the sector, with 82% of breaches including human elements like misuse, mistakes, stolen credentials, and successful phishing. Beyond the increasing frequency, cyber insurer Coalition reports that in the first half of 2023, ransomware severity reached a “historic high” with average ransoms of $1.62M, a 47% increase over the previous six months and a 74% increase over the past year. The pace of compromise is not slowing down.

Large-scale data breaches can result in class-action lawsuits, fines, and settlements, amounting to hundreds of millions, or even billions of dollars. The long-term financial effects include a significant drop in stock value, which takes weeks or even months to recover, affecting not only the company but its entire supply chain. The fallout often extends to legal and regulatory battles, further increasing financial burdens. Further, while these multimillion-dollar losses clearly have a substantial impact on smaller companies, attackers also tailor their attacks to significantly disrupt larger enterprises to the maximum extent possible.

Notably, per Harvard Business Review research, firms dealing with data breaches often face audit fees 13.5% more than those unaffected by such incidents. Moreover, financial burdens can cascade down to affect customers and investors, constraining a company’s ability to maintain its competitive standing. 60% of breached organizations raised their prices. They lagged the NASDAQ by 8.6% after one year and up to 11.9% after two years. 

In the past few years, breached companies have dealt with credit rating downgrades, influencing a company’s capacity to secure financing and its borrowing costs. Moody’s and other firms evaluate companies’ cybersecurity practices when determining credit ratings. For instance, Moody’s announced it may reduce MGM’s credit rating due to its breach this year, and it has historically reduced credit ratings in similar situations, such as in 2019 in response to Equifax’s very public data breach.

Customers, who expect tech companies to safeguard their personal information, are quick to abandon businesses that fail to meet these expectations. A breach of customer trust can lead to substantial business losses. Per the aforementioned Ponemon report, with customer personal information compromised in over half of all data breaches and anonymized customer data compromised in over a quarter of incidents as well over the last year, customers are demanding better security. Lawmakers are increasingly stepping in to back up their constituents.

Regulatory Complexity in Technology Sector Breaches

The labyrinth technology regulatory environment has become increasingly complex and intricate, presenting technology companies with a formidable challenge in their quest for legal compliance. Beyond the relentless pace of innovation, these organizations now grapple with a multitude of global, federal, and state regulations that govern data privacy and cybersecurity. This regulatory complexity mirrors the growing emphasis on safeguarding sensitive data and fortifying cybersecurity measures, making it crucial for tech firms to stay abreast of this evolving landscape.

At the global level, regulations such as the General Data Protection Regulation (GDPR) have set a precedent for data privacy standards. The ripple effect of GDPR’s implementation can be felt far beyond European borders, as it serves as a benchmark for many countries and states crafting their own data protection laws. This global convergence toward stricter data privacy standards places tech companies under a universal obligation to maintain meticulous control over personal and sensitive data, irrespective of their geographical operations.

On the domestic front in the United States, the regulatory environment for technology firms is marked by a patchwork of regulations at the state level. States like California, Colorado, Delaware, Texas, Utah, and Virginia have enacted their own data protection laws, each with its unique set of requirements and compliance obligations. This fragmented landscape imposes a burdensome challenge on technology companies, as they must navigate varying compliance standards when operating in multiple states. It is no longer sufficient for tech firms to adopt a one-size-fits-all approach to compliance; instead, they must meticulously tailor their strategies to meet the specific demands of each jurisdiction.

The enforcement of such regulations is no longer confined to fines and penalties; it extends to holding executives and board members personally accountable for cybersecurity. Regulators increasingly believe that top-level leadership should shoulder the responsibility of ensuring that security and data protection are paramount within their organizations. As a result, the Federal Trade Commission (FTC) and other regulatory bodies are issuing directives that make CEOs personally liable for the cybersecurity posture of their companies. And most recently, the SEC enacted guidance requiring all public companies to report cyber incidents in four days, with personal liability for executives and whistleblower risks key elements for security leaders to consider.

The shift in regulatory approach forces tech industry leaders to recognize that their personal accountability is now integral to regulatory compliance. This necessitates changing the game from current practice of paper plans and annual tabletops by embracing technological innovation, a disruptive strategy that the technology sector is all too familiar with, to achieve true incident response readiness.

A Meaningful Approach to Proactive Incident Response Planning

Given the combination of ever more sophisticated attacks, growing impacts from breaches, and the risk of regulatory fines on organizations and their executives, technology companies can no longer afford to rely on traditional, reactive incident response strategies. A modernized, proactive approach is essential to effectively mitigate the risks associated with cyber incidents. 

Proactive incident response planning requires technology companies to:

• Invest in and allocate resources to cybersecurity defenses aligned to threats specific to the company, the geographies it’s in, and the sector
• Engage in frequent cybersecurity simulations and exercises to ensure an effective response to these expected threats, minimize response times, and reduce the risk of human error
• Leverage technologies purpose-built for coordinating and executing data breach response, streamlines incident management, and safeguards legal privilege
• Establish robust reporting and notification processes for reporting and notifying contract and regulatory stakeholders about data breaches within tight deadlines

In other words, to be effective, technology firms must embrace a proactive and comprehensive incident response strategy that goes beyond current practices. 

Staying ahead of the curve requires the implementation of specialized incident notification and data breach response automation tailored to handle a wide range of potential threats and associated legal obligations. Automation not only expedites response times but also minimizes the risk of human error, diversifies response plans to encompass various attack scenarios, ensures no crucial steps are overlooked, automates drills, and ensures compliance with relevant regulations while preserving legal privilege. The ideal automation solution should be scalable and easily adaptable to suit the unique requirements of each organization, irrespective of its size.

The advantages of deploying such a system can be quantified directly. Metrics such as the average cost of data breaches, the average time taken to detect and contain a breach, and the response duration for fulfilling legal and regulatory mandates, including reduced expenditures on external legal counsel, serve as tangible evidence of the effectiveness of such an investment. Despite the challenges related to understanding cybersecurity issues and reporting frequency, senior security leadership must play a strategic role in defining the business needs to make their approach successful.

In the larger context, the technology sector grapples with a mounting cybersecurity menace. The growing frequency and financial implications of these attacks underscore the necessity for robust proactive measures, encompassing the adoption of automated incident response and data breach notification systems, along with routine cyber drills targeting likely attack scenarios. With this proactive stance, technology companies can not only mitigate the financial, regulatory, and operational repercussions of such incidents but also protect the privacy and security of their clientele. Ultimately, it’s about effectively managing the situation when an incident or breach occurs, rather than unrealistically trying to prevent the inevitable.