How to Mitigate Against and Handle Security Breaches
In the last 12 months, the number of cybersecurity attacks has grown significantly. The potential ramifications of a cybersecurity breach to a business can be devastating, such as loss of customer confidence, damage to company reputation, theft of assets and extensive administrative costs in dealing with all affected stakeholders. However, there are a number of actions a business can take to reduce the likelihood of a cybersecurity breach and deal with the consequences where the company suffers an attack, writes Barry Connolly of Flynn O’Driscoll.
Risk Assessment. As with any other risk a business faces, the first step in preventing cybersecurity breaches should be to quantify the risk. In the cybersecurity context, this includes identifying the elements of the business’s systems that are particularly exposed, ranging from the vulnerability of the company’s online web presence to the possibility of physical (on-site) access to a networked platform. Risk assessments should be carried out on a regular basis so that new threats are identified and the business remains aware of current trends in cyber threats.
Software Security Measures. Having identified areas of risk, tailored security measures should be put in place to address these concerns. The company’s IT environment should include effective firewalls and antivirus software to deal with threats. It should also ensure that software used in the business is kept up-to-date with the latest security patches and updates.
On-Site Security Measures. Even the most effective software solutions will often be rendered useless where the breach originates from within the company’s own premises or systems. Sensitive computer systems should include effective access control restrictions, server rooms should be secured at all times and the disposal of IT equipment should be handled securely by competent staff.
Service Providers. A cybersecurity breach at a third party providing services to a business can be just as damaging as a breach in the business itself. Unfortunately, the business is likely to have even less control in this scenario; therefore, it is essential that all relevant contracts clearly delineate responsibility between the parties. When a cybersecurity breach occurs and time is critical, protracted negotiations on liability should always be avoided. Contracts with software providers should also be reviewed to ensure that maintenance services and bug patches apply to earlier versions of the software that may still be in use, and that any software updates are made available to the company on release.
Testing. One of the best ways to reduce the risk of a cybersecurity breach is to commission testing, such as system penetration testing. Companies can avail of a range of tools and services from cybersecurity providers that simulate an attempted system intrusion or a widespread DDoS (Distributed Denial of Service) attack.
Company Policies and Training. Putting in place effective policies to handle cybersecurity breaches is essential in mitigating the risk of a breach. This may include a specific cybersecurity policy, as part of a comprehensive IT policy. However, even the best policies are useless if staff are unaware of the content of policies or how they should operate in practice. Educating staff on potential threats and how to report them up the chain can be vital in the early detection and response to a cybersecurity breach.
Cyber Insurance. As the number of cybersecurity breaches has risen exponentially over recent years, a number of insurance products are now being made available to deal with the damage. Whilst the cyber insurance market is still relatively small, larger organisations are now beginning to take out such policies to mitigate risk. Cyber insurance policies often include a range of additional extras, such as access to technical experts who can assist a business in responding to a breach.
Handling Cybersecurity Breaches
Where a cybersecurity breach has occurred, acting quickly (and efficiently) will be essential in minimising the damage.
Containment. One of the first responses on becoming aware of any cybersecurity breach is to contain the problem. Where it is possible that a third party has gained access to a system, that access should be blocked immediately. Where a breach involves the ongoing unauthorised disclosure of personal data, access to that data should be restricted. Whilst these actions are obvious, it is important to be aware of the disruptive effects they could have on the business; for example, shutting down core systems may also raise business continuity concerns. Therefore, backup systems should be deployed where necessary to mitigate these effects. Finally, any immediate technical response carried out by the business should be comprehensively documented, as it may need to be reported to the authorities at a later time.
Investigate. A full investigation should take place to assess the scale of the breach. In order to put appropriate remedial actions in place, it is important that the scale of any breach is not underestimated. It is also important that appropriate individuals are appointed to handle this investigation. In this respect, it is often beneficial to seek out external technical experts, who may be more adept at identifying where the breach occurred. In parallel with any technical investigation, it is advisable that an external legal team carries out a similar investigation so that advice can be provided on the ramifications whilst the business remains protected under legal professional privilege, which may become relevant where future litigation arises from the breach.
Notifications. Legal advisors will be able to advise on any reporting obligations triggered by a cybersecurity breach. Where there has been unauthorised access to personal data, there may be notification requirements under data protection legislation. In Ireland, the Personal Data Security Breach Code of Practice would apply. Under this Code, the business, as a data controller, would be required to notify the Office of the Data Protection Commissioner (ODPC). Throughout this process, the business should remain in continuous contact with the ODPC, which is likely to request detailed reports on the breach. These will be informed by the company’s response to the incident and any remedial action being considered. The ODPC will also be able to provide guidance on how data subjects should be contacted (if necessary). Furthermore, there may be sector-specific reporting obligations or procedures that need to be assessed (e.g. for telecommunications operators or financial institutions). Finally, the business should consider all other third parties that may need to be notified (if not already done); this may include the police, banks and insurers.
Public Reputation. Depending on the type of business, a cybersecurity breach can destroy a company’s credibility and therefore it is important that reputational fallout is minimised. Certain public relations professionals will have experience in dealing with this type of crisis management. Where applicable, the company should try to keep the public fully informed about the extent of the breach and remedial actions being taken. Drafting appropriate press releases, taking customer calls and providing updates via social media should be considered, so as to avoid the impression that the company is trying to conceal information.
Post-Crisis Actions. Once the immediate aftermath of a cybersecurity breach has been dealt with, the company should carry out a formal review of the incident and response in order to identify any areas, processes or procedures which may need to be updated. Any particular technological vulnerabilities (whether discovered through the breach or a subsequent investigation) should be addressed. Any contributory role of third parties should also be assessed. A breach caused by third parties may amount to a breach of certain provisions of their contract and any potential claims should be submitted in due time.
Through a raft of recent highly-publicised incidents, businesses are becoming more aware of the potential harm that can be caused by cybersecurity breaches. As discussed above, there are measures that a company can put in place to mitigate these risks. However, as the nature of cybersecurity breaches varies, it is important that the company tailors its preparation for, and its response to, a cybersecurity breach accordingly.
Please be aware that all of the views expressed in this Blog are purely the personal views of the authors and commentators (including those working for AIB as members of the AIB website team or in any other capacity) and are based on their personal experiences and knowledge at the time of writing.