When your worst scenario comes true

Security breaches can wield considerable influence over your company's financial stability, operational efficiency, and public image. Even a minor lapse can escalate into a cyber security incident with far-reaching consequences for your organization's functioning as a whole. To mitigate potential harm, it's prudent to proactively prepare, enabling you to identify and respond to any breaches promptly. This proactive approach will, in turn, mitigate the financial and operational repercussions that a breach may inflict upon your enterprise.

?

What can the board do?

Make sure that your organization has a plan

A significant number of organizations lack a predefined course of action for responding to security breaches or substantial incidents stemming from such breaches. Ensure that your organization has a well-documented strategy in place to address security breaches and major incidents.

?

Understand the role you play in the management of security breaches

Particularly in the midst of extensive incidents, the decision-making abilities of both individuals and organizations can significantly falter. Hence, it's crucial for everyone to comprehend their respective roles and their organization's operational procedures in advance.

The board should establish clear guidelines for when they anticipate being notified of a security breach.

? When should the board receive notification of the breach?

? What level of severity must the breach attain before it surpasses the reporting threshold?

?

Participate in exercises

The most effective approach to assess an organization's procedures and responsibilities is to engage in the simulation of cyber security incidents. If an individual's responsibilities entail their involvement in handling real incidents, it is imperative for them also to hone these competencies. Collaborating in drills with your staff can serve to illuminate any issues associated with, for instance, your decision-making procedures. You can conceptualize such drills as scenarios simulating a crisis, where you have complete control over the timing and consequences. Gaining insights from these scenarios proves immensely beneficial. Through these exercises, you can apply and reinforce your acquired knowledge without exposing your organization to an actual crisis that could jeopardize its operations.

?

Promote a “no-blame” culture

The aim of conducting a post-security breach analysis is to reduce the probability of future breaches occurring and mitigate their impact. The key emphasis lies in maintaining honesty and objectivity when assessing the incident. This approach is feasible within an organizational culture that refrains from assigning blame. It's essential for your board to recognize that many regulations, such as the EU's General Data Protection Regulation, attribute responsibility for security breaches to the organization rather than individual employees. Consequently, as the governing body, the board bears ultimate responsibility for all cybersecurity deviations within the organization.

?

What can your organization do?

Find out what a security breach looks like

One frequently underestimated concern involves the capacity to define the parameters of a security breach. This involves the key aspects:

·????? The initial detection of an event or anomaly: How does one identify when an event or deviation first comes to attention?

·????? The transition point from an event or anomaly to a recognized security breach: When does an event or deviation escalate to the level where it is officially categorized as a security breach?

·????? The threshold at which this breach becomes a significantly severe incident, necessitating a departure from the standard operating procedures: At what juncture does this breach reach a level of seriousness that warrants a departure from the regular operational processes?

?

HOW ARE EVENTS DETECTED?

When we talk about monitoring, we are referring to the practice of observing data or logs gathered from your networks or systems with the goal of identifying any anomalies that might suggest malicious activities are occurring. Even if you currently lack monitoring mechanisms, it remains crucial to gather system and log data, as these can be valuable for investigating anomalies and developing enhanced security measures.

?

WHEN DOES AN EVENT BECOME A SECURITY BREACH?

This isn't always a straightforward matter. An organization might make an effort to amass as much information as possible when assessing an "event," but often lacks a comprehensive understanding of the situation at hand. Investigating and responding to an event can frequently entail additional expenses. In cases of severe events, it can even have repercussions on the organization's reputation and productivity. Therefore, it's crucial for your organization to establish in advance who holds the authority to make decisions regarding the response to an event and the threshold values that guide these decisions.

Furthermore, you need to devise plans for mitigating the impact on your partners or customers in the event of a breach in your organization's cybersecurity. When should you inform them? What steps can you take to minimize any harm that may befall them?

You should also consider how your organization will react if a service provider you rely on experiences a breach in their cybersecurity. Your organization may have limited influence over how your service provider responds to the security breach. So, what independent measures can your organization take to minimize potential repercussions?

?

WHAT IS A SECURITY BREACH?

A security breach pertains to the compromise of a system or service's security. Typically, it encompasses one of the following scenarios:

·????? An intrusion or an attempted intrusion into a system and/or its data.

·????? The unauthorized utilization of a system designed for data processing or storage.

·????? Any alterations made to a system's firmware, software, or devices without the consent of the system's owner.

·????? Deliberate actions aimed at disrupting and/or impeding the normal functioning of a service.

?

Utilize the information that you already have

The data you gather about the threats you encounter and your technical infrastructure can be incredibly valuable in two significant ways:

·????? They offer insights into the repercussions of a breach. For instance, if an intruder succeeds in infiltrating a device, what other segments of your system might be vulnerable? Could the intruder reach vital aspects of your organization?

?

·????? They assist in shaping the required protocols. For example, if an attacker has managed to breach a particular network, can that network be isolated? If isolation is feasible, what impact will it have on the functioning of your organization?

?

Implement preventive measures

It is essential to put in place strategies aimed at minimizing the potential harm inflicted by an attack. Such strategies encompass:

·????? Preventing any intruders who manage to breach your organization's network from advancing further.

·????? Proactively reducing the potential consequences of an attack, such as creating data backups to mitigate the impact of ransomware.

Similar to other preventive measures, these strategies should prioritize the safeguarding of your organization's most critical areas.

?

Formulate a plan for managing any security breaches and cybersecurity incidents caused by these

Beyond your technical solutions, your plan should encompass the following aspects: people and processes, including media management and communication with customers and stakeholders.

This includes:

• Submitting reports to the National Cyber Security Centre.
• Reporting to regulatory bodies.
• Reporting cybercrimes to the police.

It can be advantageous to formulate dedicated plans for the most frequently encountered types of deviations. This ensures that everyone is well-informed about the prescribed actions your organization should take. Don't overlook the importance of regular practice!

?

?

Past experiences

A commonly overlooked practice among many organizations is conducting security breach assessments once the breach has been resolved. However, the breach you've encountered can yield valuable insights into your organization's cybersecurity. For instance:

1. Assessing the threat to your organization:

• Who was behind the attack, and was it a targeted assault?
• Did the attack unfold as you had anticipated?
• Did the attack concentrate on the areas you had foreseen?

?

1. Evaluating the efficacy of your protective measures:

• What were the outcomes of your protective measures?
• What vulnerabilities or areas did these measures not safeguard?
• Is there room for enhancement in the effectiveness of these measures?

1. Assessing the effectiveness of the response measures employed:

• In hindsight, what actions could have been taken differently?
• Did the measures implemented effectively mitigate the impact of the attack?
• Were there any unintended consequences or impediments caused by these measures?

?

?