by Ross Dyer
Data breach stories make the news so often these days that no IT security leader can pretend to be unaware of the threat out there. If anything, the situation is getting worse, not better, with attacks becoming more sophisticated and harder to spot. If nothing else, news that TalkTalk lost 7% of its broadband customers in Q4 should focus minds on the issue at hand.
If you don’t prepare now for a potential data breach, if and when one finally hits it could have a far more serious impact on the company.
Heads in the sand
We all know about targeted attacks by now. Specifically crafted to infect corporate networks without alerting traditional defences, they frequently catch out businesses across the globe. Many don’t realise they’ve been hit until weeks or even months later. In fact, our research from last November found that 31 out of 251 European companies which had suffered a successful cyber attack didn’t know if any data had been stolen.
It’s not just financially motivated cybercriminals and nation state actors that firms have to worry about. In our 2016 predictions report, The Fine Line, Trend Micro argued that over the coming year we’re likely to see more hacktivists getting involved. They’ve seen the potential damage that can be inflicted on high profile targets and, we predict, will increasingly look to add destructive data breaches to their arsenal.
Nearly three-quarters (70%) of the companies we polled last year claimed attacks are increasing. It’s clear then that CISOs must operate on the understanding that they have already been breached, or will be soon. TalkTalk’s case is a great cautionary tale. The firm was seemingly breached via an SQL injection vulnerability – one of the most common web vulnerabilities around and one which is usually pretty easy to fix. But there was also criticism of its handling of the aftermath. There were confusing messages given to the media, which damaged the reputation of the ISP. And a hardline stance on account termination fees angered many customers.
We heard recently from market watcher Kantar Worldpanel that TalkTalk had not only lost a significant percentage of broadband customers in Q4 as a result, but that only 1.4% of new joiners claimed they signed up because of the firm’s ‘reliability’ – apparently far lower than the industry average. And this on top of the £35m it has already admitted it had to pay to cover incident response, external consulting and increasing call volumes as a result of the incident. It shows that the average cost of a breach as estimated by PwC of £1.46-£3.14m is still on the conservative side.
To minimise the risk of a similar outcome, organisations must get better at breach planning. What does this mean? It means planning under the assumption that your organisation will eventually be breached, and working to ensure your response is as swift and effective as possible. It’s about moving from a “stop and block at the perimeter” mentality to detecting and responding to an incident as soon as possible.
A good breach plan should include the following:
Red Team exercises: internal or external teams tasked with testing breach detection and response times
Staff training: to better spot spear phishing emails and unusual network activity which could indicate an incursion
Cross-organisation co-operation: get key stakeholders from IT, legal, PR, HR, etc. to plan together so each department knows exactly what to do and the organisation presents a united front in the event of a breach
Brief key spokespeople: so your messaging is sound and unified
Data security policies: should be developed and regularly communicated/updated to all staff
Cyber fire drills: these will show you how good your response planning has been
Law enforcement: build relationships with key officers so you have a direct line into them when the worst happens
In our November research, six British organisations made it onto the list of the worst 40 reported attacks – including the two most serious incidents. Start planning now to make sure any breach is contained as soon as possible with minimal impact.