SC Congress: Responding to a breach
Sarb Sembhi, Thomas Naylor, Thomas Whipp and Matt Holland joined forces at SC Congress to teach a willing audience how to respond to a breach.
Matt Holland of Education First on breach response.
Now, after knocking on the boardroom door for years, boards are finally waking up to the cyber-threats that surround them. Not wanting the kind of headlines that TalkTalk, Target and HSBC have inspired over the last couple of years, companies are thinking about how they might react in such a situation.
So, joining the SC Congress to talk about breach response were four IT professionals who deal with these kind of question every day.
"The key thing I think about is not responding to breaches but effectively responding to breaches" said Sarb Sembhi, CTO at the Noord Group and a consultant for most of his career, "many organisations do their best and unfortunately they haven't considered what effective is for them - the key thing is you understand what you mean for that organisation."
No organisation has the same goals, assets or needs, so a rigorous examination of what exactly its capabilities and requirements are in the case of a breach is necessary.
“Every company will have a different set of data assets” said Thomas Naylor, director of enablement.tech: personal data, IP data, financial data and so on. Companies need to figure out what their assets are and “to consider the type of attack that [they] can suffer”.
But “It's not just responding when something goes wrong” continued Sembhi, all the stages of a response to a breach must be looked at before it even happens.
Matt Holland, global head of information security at Education First, echoed Sembhi's comments. Most of breach response is preliminary, Holland told the SC Congress.
“Make sure you've pre-assembled the right people” too. The breach is no longer just the domain of the CISO or the IT department. Human resources, management and communications all need to be mobilised to properly deal with the situation. “Professional communication skills”, for instance can make the difference between a good or catastrophic outcome to a breach.
You should never, said Naylor “have a technical person talking to the press, the chances of them making themselves understood are not great".
There is an authority component here too, said Thomas Whipp CISO for Charles Taylor, noting that those dealing with the issue have to have the authority to get things done. Breach response “is all about roles and responsibilities”. What matters here are the “behaviours and instinctive reactions of those who are dealing with it.” When it all goes pear-shaped, there needs to be someone around to make decisions and delegate responsibilities.
It really is very similar to any corporate disaster plan, in fact, said Whipp, “there really is no difference.”
We should look to the airlines for an example of best practice here, said Naylor. Every single airline takes into account the possibility of a crash. In such a case, every single airline has a robust plan to respond to the catastrophe on a practicle and communications level: “one could learn from that process and ensure that one's communication plan is approaching that level of practice, that level of understanding."
We can learn not just another company's breaches but our own too, "once you've had a breach make sure you replay it" said Holland. Education First has lots of autonomous branches - one thing that's helped Holland in his job is to replay a breach that happened to branch A, on branch B and then see how that branch reacts.