A cyber breach can be a harrowing ordeal, especially if you are unsure what to do in response. However, being proactive and prepared will make an enormous difference in your response and help reduce the impact of consequent financial and reputational damage. A future-proof cyber incident response covers patching and restoring compromised systems, but also spans the forensics of your environment, remediation of identified risks, and addressing legal obligations.
In this piece, we have teamed up with Hall & Wilcox lawyers to help you learn the intricacies and best practices for a cyber incident response scenario you may find yourself in.
Know Your Legal Obligations
An organisation that collects, uses, discloses and holds personal information, as defined in the Privacy Act 1988 (Cth) (Privacy Act), should do everything it reasonably can to safeguard that personal information. Safeguarding personal information means having appropriate data security systems in place to protect it, as well as understanding and complying with the legal framework that regulates how personal information is collected, used, disclosed and managed.
Because the Privacy Act itself requires reasonable steps to secure personal information, an organisation that fails to understand and comply with that framework is also more likely to have the personal information it holds accessed unlawfully by cybercriminals. This exposes the organisation to significant reputational harm, the loss of the trust of customers and clients, and direct financial loss.
A failure to comply with the law will also expose the organisation to complaints, legal action and penalties, and may leave it with little or no legal defence if personal information is unlawfully accessed and stolen.
Prepare for a Data Breach – Data Breach Response Plan
The best defence is to prevent a breach from occurring at all, and for this reason organisations must (as already required by the Privacy Act) ensure there are adequate security measures in place to protect personal information. However, in a world in which data breaches are increasingly common and appear inevitable, organisations should also prepare a data breach response plan, identify the personnel responsible for implementing it, and ensure that all personnel (including contractors) are aware of the plan.
At a high level, a data breach response plan should:
– set out ways to:
- contain the breach (e.g. taking affected websites offline, disabling compromised accounts and access, isolating affected systems), while preserving logs and forensic evidence needed for the investigation;
- identify the scope and effect of the breach (e.g. what information, and whose, has been affected; how the affected individuals are affected; what the source of the breach was);
- determine whether serious harm has occurred or is likely to occur; and
- determine whether a notification obligation exists (for example under the Notifiable Data Breaches scheme in the Privacy Act) and, if so, prepare and provide a Notification Statement and comply with any other notification obligations;
– identify ways to prevent future breaches, for example by reviewing privacy and security governance arrangements to foster a security awareness culture throughout the organisation.
An organisation should also provide for the training of personnel on their obligations when handling data breaches, on general security obligations, and on the responsibilities each employee has in assisting the organisation to comply with those obligations.
The data breach response plan should provide for a Response Team to conduct the initial investigation into the identified or suspected data breach by gathering any necessary information and making initial recommendations. The Response Team should consider the following preliminary questions, to ascertain the nature and extent of the breach or suspected data breach:
- What personal information does the breach or suspected breach involve?
- What was the cause of the breach or suspected breach?
- What is the extent of the breach or suspected breach?
- What are the harms (to affected individuals) that could potentially be caused by the breach or suspected breach?
- How can the breach or suspected breach be contained?
To protect legal professional privilege over the investigation, the Response Team should instruct legal advisors to advise on the matter and ensure that all external consultants, such as IT incident responders and forensic IT analysts, are engaged by those legal advisors rather than directly by the organisation.
The Response Team will also consider whether there is a need to develop a communications or media strategy to manage public expectations and media interest.
Stop the Bleeding
When a data breach is discovered, there is no time to dwell on what might have happened if security protocols had been different, although a review of what went wrong will be important once you have responded to the emergency (the review step of the data breach response plan, in which you identify ways to prevent future breaches).
The organisation should have its data breach response plan in place and be ready to respond promptly, while maximising its ability to protect the confidentiality of its investigation. Otherwise, the financial and reputational damage can snowball as cybercriminals get more time to mine data, install backdoors, inject malware and, in some cases, release ransomware onto your network, completely exhausting your organisation’s ability to operate.
Containment must happen fast. The Response Team should work with capable cybersecurity advisors and legal advisors expert in privacy law. These partners will help identify the root cause of the incident, assess activity logs and other evidence, and provide remediation strategies promptly.
When in doubt, always work with professionals.
Download a copy of CTRL and Hall & Wilcox’s guide to managing a cyber incident by filling out the form below. In the guide, you will find the criteria for legal and notification obligations in the event of a cyber breach, and the key action steps for a safe recovery back to business as usual.
Develop a Strong Baseline
Protecting against a cyber incident is a full-time job. Only a strong baseline through continuous education, monitoring and threat detection can help you focus on growing the organisation.
Organisations may start with action items such as hardening endpoints, strengthening login credentials and account-recovery security questions, and, in parallel, educating staff on privacy law compliance and nurturing cyber awareness to prevent similar issues in the future. Remember, staff are your first line of defence against cyber threats.
CTRL Group believes that 24×7 monitoring is the most effective measure an organisation can take to stop future attacks. By adopting it, you extend your cyber capabilities with non-stop surveillance over your assets and someone to track activity and respond rapidly to suspicious events.
Find your allies. Staying safe in the world of cyber can be a rough journey.