Dealing with a Cyber Attack: Who’s in Charge?

This is a two-part series on the roles involved in managing and responding to security incidents. Read part two: Winning the Cyber-Security Race: An Agile Response to Incident Management

What are criminal organizations and hostile foreign governments doing with cyber-jacked personal information from massive data breaches? In recent weeks, the news has been filled with speculation. One article estimated that cyber-attackers make more than 1,400 times return on their efforts in planting ransomware, and in a June interview with Charlie Rose[1], David Sanger, national security correspondent for the New York Times, argued that for hostile foreign governments, cyber-espionage is a cheaper and more effective way to disrupt enemies than a nuclear program. And there are still the ubiquitous risks of straightforward identity theft and financial fraud—and the not-so-straightforward risks of medical identity theft.

But despite the many dangers of data breach, from a business standpoint, the most immediate threat in most security incidents is failure to comply with regulatory requirements. The vast majority of security incidents don’t turn into data breaches, and not all breaches result in theft or other damages. (The latest Verizon data breach report[2] showed confirmed data loss in less than 3 percent of the almost 80,000 incidents reported.) But failure to report or meet other regulatory requirements can result in stiff penalties regardless. Therefore, incident response processes should be organized not only to address data security but also how best to determine whether an incident is a notifiable breach.

First Responders

It’s obvious that the security team has responsibilities for responding and containing a cyber-attack. But despite all the news about ransomware and cyber-espionage, cyber-attacks are increasingly targeting the personal data of employees and customers. So despite the focus on technology, the truth is that multiple people need to be “in charge” in parallel, each owning a key piece of the incident response. As the experts in federal and data breach notification requirements, the privacy officer, the risk officer, and the compliance and legal teams must play key roles in determining whether an incident is a data breach. Whether the organization has cyber liability insurance or not, there is the need to manage enterprise risk. With the 24-hour news feed around breaches, they are increasingly becoming complex exercises in customer communications, so the marketing and PR teams must also be involved. Each of these functional teams need to be included in the evaluation process early enough to gather the information they need, assess risks in their area of expertise, and prepare to respond to a potential breach.

Good Judgment Is Not Enough

Since one computer first talked to another, the IT department has been the acknowledged front line in the battle for data security, tasked with protecting networks and data centers against malicious hacking, malware, and data exposure. Today, information security is typically a specialized group within the IT organization. Every day they are seeing security events such as hits on their firewall. Typically the same person who tracked the events decides whether an event is actually a security incident needing further investigation. In a large organization, one security specialist may examine perhaps dozens of incidents a month and figure out whether to escalate to an incident response team.

The problem with this process is that the decision to escalate should depend not only on the data that may have been compromised but also on the relevant federal and state regulations, questions that the data security specialist can’t answer alone. If you're the security person, how do you know when and what information to pass on to the person who is responsible for compliance? According to Doug Pollack, ID Experts Chief Marketing and Strategy Officer, “The CISOs we talk to say ‘They [the info security specialists] just use their judgement.’ But compliance is as involved and specialized a field as information security. How can a data security specialist also be expected to know what is reportable according to all the federal and state regulations?”

Closing Ranks on Compliance

It takes a combination of specialties to handle a data security incident in a way that fully protects the organization. Assessing whether a data breach has occurred or not requires both data security and compliance expertise. Unfortunately, in most businesses, the information security, privacy, compliance and other organizations don't work together fluidly to respond to an incident, leaving the organization vulnerable on the compliance front. A highly effective organization will define parallel paths for incident response very early in the discovery process. This not only enables accurate assessment of the incident from both the information security, compliance, and risk standpoints, it also positions each functional team to provide effective response and risk management throughout the entire lifecycle of the incident, whether or not it is determined to be a breach.

There are some immediate actions that the privacy and IT organizations can take together to close the compliance gap. Since the information security team is, by definition, the first responder to a data security event, the first step is to change their policies and operating procedures so that every incident is assessed not only from the security side but also from the compliance viewpoint. There should be:

• A policy to notify the privacy/compliance team as soon as an event is suspected to be an incident, so that they can begin a parallel evaluation into the pertinent compliance requirements.
• A procedure for promptly and visibly notifying the compliance team and other potential stakeholders. (There must be no risk of a notification getting lost in someone’s email inbox).
• A vehicle for documenting and handing off all of the information needed for the compliance evaluation: What data was touched, how much, whose, etc.? (This will also save time in the compliance process if notification turns out to be necessary.)

Pollack cites the experience of Catamaran, a large public company that provides pharmacy benefits management services to healthcare organizations. When Catamaran implemented ID Experts' RADAR^® incident management software and trained its staff in risk-based incident response, the number of reported incidents went up because RADAR automates the process of evaluating incidents against the whole matrix of current state and federal regulations. He says, “Our experience shows that in many healthcare and other organizations, data security incidents are not assessed properly against state and federal regulations, as privacy incidents are. Information security experts can answer many of the important questions about an incident: Did it touch personal data, was the data encrypted, was it de-identified, etc.? But they’re not thinking ‘Somebody has to do a regulatory assessment to determine whether it's a breach or not.’ The IT security person can’t be expected to know whether an incident qualifies as a breach under federal and state laws. In a lot of organizations there is a disconnect in making the incident to compliance connection.” (Click here to listen to the webinar, Bringing Incident Response & Breach Management Out of the Dark Ages, where this is discussed in more detail.)

Unfortunately, the focus on thriller-worthy cyber-security threats can distract from the day-to-day, yet critical needs of compliance and risk management. It can also divert funding and organizational clout from foundational privacy and security hygiene, and many organizations are beginning to integrate privacy/compliance and information security to ensure better collaboration and a focus on more than just technology. Security blogger Matt Kelly recently compared this more integrated approach to preparing for a heart attack: “You can go through life equipped with tools to reduce that risk, such as a defibrillator, and it will indeed help when the time comes. Or you can improve your process of being healthy: eating right and exercising. Neither one of those procedures will assure that you never have a heart attack—but they will help you immensely in staying alive should a heart attack come to pass.[3]

So you can and should improve your incident evaluation procedure right now to make sure compliance is considered in parallel with data security. The long-term solution is to change organizational structure, processes, and culture to address the whole risk picture. We’ll address that in the next article, where we’ll look at how forward-thinking organizations are combining the security, compliance, privacy and risk management roles in an integrated defense against data security threats.