Business leaders need to get proactive about incident response strategies, the head of a major data-breach investigations team has warned in the wake of a massive data breach that exposed the biometric data of nearly 28 million people.
That breach, in which fingerprint images and administrator passwords were accidentally made available online by identity-solutions company Suprema, presages the potential dangers of the government’s proposed facial-recognition database – and highlights the risks inherent in consolidating massive amounts of sensitive data in one place.
“The cyber world tells us that almost anything sensitive is going to find its way around the door,” Bryan Sartin, Executive Director of Global Security Services with Verizon, told Information Age.
“In a B2B and B2C world, the number of hands this data ends up in is so high that it’s likely that it’s going to leak out inadvertently or accidentally.”
Time to act
Sartin’s team of more than 100 cybersecurity investigators pores over more than 400 data breaches around the world every year, extracting insight about penetration methods and victims’ responses.
Their conclusions, summarised in the newly released Verizon Incident Preparedness Report 2019 (VIPR), provide an eye-opening view of the challenges that cybersecurity responders face when dealing with the flood of breaches that continue to plague industry.
Intruders typically compromised their targets within minutes, the report found, and had started extracting data within anywhere from a few minutes to a few days.
By contrast, their victims typically took months to discover a breach and many days to contain it once it had been found.
The time between those two metrics reflects the period when cybercriminals enjoy free rein within a victim organisation’s network – and shutting them down quickly is a critical goal of the incident response plan.
Bryan Sartin, Verizon Executive Director of Global Security Services. Photo: Supplied
Yet those plans, Sartin says, have often been difficult to embrace for companies with “overlapping Byzantine compliance frameworks” to internalise: security leaders struggle to explain cyber risk in business terms.
“Leaders are waking up in a world where cyber risk has more of a traditional seat at the table with more traditional forms of risk” such as contract and brand risk, he explains.
“Those conversations have taken a very different tack to what security leaders are used to – and it has caught them off guard.
“They are being expected to carry those conversations in a competent way – and to explain in business terms what is going on.”
Six steps to respond
VIPR outlines a six-step process for incident response: planning and preparation, detection and validation, containment and eradication, collection and analysis, remediation and recovery, and assessment and adjustment.
These draw on 10 key elements ranging from the creation of feedback loops and collection of metrics, to developing methods for incident classification and defining stakeholder roles and responsibilities.
Those responsibilities are a key indicator of the maturity of an enterprise’s risk management, Sartin says, with mature organisations engaging with staff all the way across the business.
Most don’t fare too well the first time around, but incident response is a cyclical process of continuous improvement – and, as the report highlights, regular breach simulations and self-evaluation.
“Usually the first time an enterprise goes through a breach situation that involves executives, they fare pretty poorly,” he explains. “They think the whole thing is to be handled almost entirely by security people.”
Executives tend to fare better the second time around, he adds – noting that cybersecurity risk tends to resonate far more loudly when leaders understand that the breach of sensitive data can create massive damage to a brand.
With data loss and theft of information increasing by nearly 79 per cent last year, the risk of losing customers after a breach has never been higher: a recent Gemalto report found that 70 per cent of Australians said they would look elsewhere if sensitive information was stolen.
Preventing this sort of loss is a key goal of cybersecurity planning, which is why it’s critical to win executives over about the importance of an effective incident response.
“Ultimately, when you slice through the FUD, it is about balancing legal and reputational risk, and evaluating cyber risk at the enterprise level,” Sartin says.
“The future is all about how well you can create a real, data-driven journey map that speaks in the parlance of the CEOs, CFOs and board audiences.”