Early on it was noted that the topic of yesterday's SC Roundtable sponsored by Venafi, 'Recovering from a breach' can mean a lot of things. “Do we mean recovering from a data breach or do we mean successfully recovering from a breach; do we mean recovery or instant response,” asked Sarb Sembhi, director at Storm Guidance?
In a wide ranging discussion, the event covered the causes, the people issues, recovery planning, priorities in response, regulatory reporting and PR communication of a breach, as well as tech issues such as those covered by sponsor Venafi, a provider of encryption key management solutions, which assesses key and certificate trust, fixing or blocking those that are untrusted.
Preparation, said Sembhi, is paramount to recovering from the breach: “If you get all the preparation right, the recovery is much simpler. You can only have an effective recovery if you've prepared.” This involves a fire-drill like idea of who is going to do what and how, when the worst happens. In the case of a breach, a rigorous, but flexible incident response plan will be key. There's nothing worse, said Sembhi, than “when you have your internal lawyers; external lawyers; internal PR; external PR and all those other teams working to their own set of procedures. This is level one of recovering from a breach says Sembhi.
Sarb Sembhi, director at Storm Guidance
Level 2 starts with knowing where your assets are and knowing what to do or not to do with your data and your permissions.
Level 3, said Sembhi are, “the things that I think are very very basic.” Such basic things include having a thorough list of people to call in the event of a breach; using awareness training to reduce the likelihood; a response plan that accommodates what the individuals in your team can and cannot do and having a working command structure so people don't get caught up blaming others and spend their time fixing the problem.
Recovery should be a foregone conclusion. People need to focus on the successful recovery that makes sure key systems are down for as short a time as possible and that as little business is lost as possible - and reputations remain intact.
But again, the problem for so many CISOs is getting the board onside, those for whom their risk approach can mean that they often see cyber-security as too expensive and far too arcane to factor into their plans, or even a cost risk worth paying.
Tony Collings, chairman at the ECA group, recounted his all too familiar experience of being ignored by the boards of companies he was hired to help. “I've come across this many times” said Collings, “we are asked to come in and do due diligence on large organisations (where) you will always find some large vulnerabilities.”
Tony Collings, chairman at the ECA group (left) and Thomas Naylor, director, Enablement Ltd
When he's taken these kinds of problem to the board, “they call for the head of risk and the finance director”, who so often say “pay the fine if and when it happens because it's cheaper. They forget that this increases vulnerability and damages their business reputation”, not to mention their share price.
This is reportedly not uncommon for the large majority of breaches, smaller than those that make the headlines but nevertheless significant. Going back to one of Sembhi's points, some recent research by insurance companies showed this to be exactly the case with significant numbers of breaches going unreported or even unnoticed.
Collings pressed the point: “There are thousands and thousands that don't get out into the press. The things we have to worry about in this country is critical infrastructure.” If somebody can perform the kind of things the men in this room were capable of to, say, a flood barrier - that could cause real damage."
Martyn Croft, the CIO of the Salvation Army and the founder of the charity security forum, an organisation that deals with the unique problems of cyber-security in the non-profit and charity sector, has similar issues. He asked whether “anybody got any good ideas about how you attract the attention of the board?” when the profit motive was not a factor.
Martyn Croft, the CIO of the Salvation Army
“You have to go in with stories”, Thomas Naylor, director of Enablement Ltd responded. “The essential issue is the lack of understanding, if one can give stories in plain english to the board about how (a breach) can happen, how easily it can happen and put it in the bigger context of a corporate disaster.”
There is, of course, the issue of blindness, willing or otherwise, at board level to these kinds of breaches. Surinder Lall, director of information security at media company Viacom chimed in saying your ability to protect against, or respond to a breach, “largely depends on the board you've got and how much detail they can entertain.” Often, said Lall, “they quickly glaze over and say ‘well, what does that mean to us?'”
Cyber-security is arcane to many, but what about when the really just don't want to know? Sembhi thinks an organisation's maturity is at the centre of breach response…...
Collings agreed: “The issue of maturity and responsibility at board level is key.” He mentioned that several times he had brought security concerns to board members who “didn't want to know”.
Lall thinks there's an element of willing blindness or at least an attempt at “plausible deniability” on the part of many board members: “sometimes it's better not to know from their perspective.”
While no one at the table saw whistelblowing as an option, one suggestion was going straight to the shareholders, the people who the board report directly to as an option, in terms of making the consequences of action or inaction plain.
“This is why risk registers are so important” said Tim Lansdale, head of payment security at Worldpay, “you absolutely need that member of the board to be signed off”, in order to take responsibility.
So much of security expenditure is compliance. With new EU data protection legislation coming in, with even bigger fines being ratcheted up and the reporting regime becoming more rigorous.
Richard Millar, senior compliance manager at Bank of America, Merrill Lynch described this as his bread and butter. First, said Miller: “You have to know what those regulations are and then you have to interpret the wording in them”. Given the organisation's international footprint, handling different territories and sections, something they're asking themselves at Merrill Lynch is, “what's the benchmark within the industry in that region?”
Richard Millar, senior compliance manager at Bank of America, Merrill Lynch
With regulation constantly shifting, “you're no longer just a technology department, you're a legal team.” said Lall, emphasising the need to be aware of the legal consequences of differerent courses of action.
With regards to the actual reporting of breaches, which will soon be compulsary, Sembhi said: “Whatever categories you use, you need to make sure you don't convey those same categories outside of your organisation.” If you label a breach of customer data of low importance within your organisation as its perhaps only five customers, make sure the same language and reporting is not used when communicating with customers: “There's nothing worse than saying something is of negligible importance. When it becomes you (as a customer) it's personal and that hurts.” Angela Merkel, for example, didn't seem to care much about American spying until those American spies tapped her phone.
Reporting breaches to regulators will require a different set of disciplines from communicating to customers and the public/media. To which the table offered their opinion. Naylor said simply, “drop the descriptives, only use them when you need to”, simply say what happened. Broderick Perelli Harris, director of professional services at Venafi, echoed that sentiment: “They're very blunt instruments. If you stick to the facts it's usually a lot better.”
Broderick Perelli Harris, director of professional services at Venafi
Sometimes, said Perelli-Harris, “Breaches aren't internal, which is even more challenging.” He cited cases where the originator of security certificates used by a company was no longer known, often created by former staff, and no one knew who was responsible for most of its keys. He emphasised how eliminating stolen keys and certificates was needed to avoid ongoing vulnerability to Heartbleed.
Perelli-Harris noted how: “Externalisation of assets is a real problem. There's a real interesting future with the on-demand infrastructure, a lot of this stuff will be automated and how we respond to these events is going to be driven automatically.” Sony, for example, had thousands of addresses that they didn't actually own, let alone know the location of.
There seemed to a resounding agreement on this point. Organisations' data is becoming more and more diffuse and organisations are not picking up the slack.
Surinder Lall, director of information security at media company Viacom
Lall added: “You've also got that point about third party vendors, when they've got a breach do we know what they're going to do?” A lot of people are migrating services to the cloud, the question becomes how do we integrate that into our incident response plan?
Puzzling though it may be, it needs to be factored in. “The incident processes are not limited to your organisation.” said Lall, “It's wherever your data is; your assets are everywhere, they've been entrusted to you to protect, regardless of where it is, you are still responsible.”
There was also a broad agreement that the breach will have to be the responsibility of not only, ultimately the board, and as previously the CISOs too, but now the legal department, human resources and PR as well. To Sembhi, improvement in the area of breach response will come when we “get a better understanding of how to define things.” The incoming data protection act will help, forcing the industry to better understand how to deal with breaches, especially with fines being ratcheted up. It will force boards to listen to cyber-security concerns, but CISOs still have a duty to explain in plain language (where techno-speak is not understood), what is needed and why - and the boards need to sign off appropriate authority to deal with isssues such as breaches.
Tim Lansdale, head of payment security at Worldpay
As expected, the discussion came back around to planning and the need to stick to and practice your plan, dealing with unthought of practicalities such as people being locked out of buildings, lack of car parking to deliver back up servers, people being away and no replacements appointed, and the need for an alternative communication network for the response team if your network is compromised. However another perhaps, contrary note came up too. As rigorous and as well defined as we want our incident response plans to be, flexibility has to be factored in too; the chance of things not going to plan. Lansdale put it best at the Roundtable's closing: “keep the plan flexible, I can guarantee you're going to go off script within about an hour.”