By Mary K. Pratt
Contributing writer, CSO
The volume and velocity of data breaches are on the rise, and so are the costs.
Cybercrime is expected to cost the world $6 trillion in 2021, according to the Cyberwarfare in the C-Suite report from Cybersecurity Ventures. More staggering still is the expectation that global cybercrime costs will continue to grow, at a predicted 15% annually for the next five years, hitting $10.5 trillion by 2025. That’s up from $3 trillion in 2015.
Those costs are spread out among thousands of victims around the globe, yet individual organizations hit by a successful hack will face the potential for significant, compounding losses. A study on long-term data breach costs from consulting firm Infosys reported that 65% of consumers lose trust in a business in the event of a data breach, with 85% of them saying they don’t want to deal with those companies again.
A head-in-the-sand approach contributes to these figures. A 2021 study from ISACA, the IT governance association, found that only 32% of responding organizations felt highly prepared for an attack.
Preparation, however, pays dividends. Experts say that CISOs who take more rigorous steps in advance of an incident are not only better able to defend against and respond to attacks but also minimize associated costs.
Here are ten steps CISOs can take to help lower the cost of a future breach.
The complexity of IT systems enables organizations to vastly expand how and where they do business, but it also makes defending against attacks—and recovering in the event of a successful one—significantly more challenging. So get ahead of that, says Andreas Wuchner, a veteran CISO who is now a senior security leader of a global financial institution and co-founder of Cybovate, a consulting services company.
“The better you understand the landscape, what creates the biggest revenue for the organization, then the faster you can get back up and running and minimize the business impact,” Wuchner says. “You want to stop the bleeding and start making money right away.”
The recent Colonial Pipeline shutdown illustrated this point. While early speculation focused on whether the company’s operational technology (OT) systems had been compromised, CNN later reported multiple sources stating that the company “halted operations because its billing system was compromised…and they were concerned they wouldn’t be able to figure out how much to bill customers for fuel they received.”
Dealing with a breach is not a solo act; the security team will need help from lots of other professionals across a number of different disciplines. CISOs should know who they’ll need on stage with them well before the actual event, with agreements in place so everyone is ready for their roles when something happens. This ensures the organization responds quickly to limit actual and reputational damage and related costs, Wuchner says. It also ensures that needed experts will indeed be available at contracted costs rather than billing at emergency-rate premiums.
And it helps ensure that all critical skills are included in the response. Alex Holden, CISO at Hold Security LLC and a member of the ISACA Emerging Trends Working Group, says he has seen ransomware victims agree to pay the full amounts demanded by hackers because they didn’t have someone skilled in negotiation available to work with them—a misstep that added millions to the incident cost.
Similarly, CISOs should know in advance the limits of their skills and authority, and document in detail who is responsible for each step or action when a data breach happens.
“Everyone has to have a defined role; it’s not a time to argue over who will stabilize the patient,” says Siobhan MacDermott, global managing partner for risk and cyber strategy with Tata Consultancy Services.
People need to practice the response process to limit fear and panic when a real incident happens. “We have fire drills for good reason, but in cybersecurity we don’t practice enough, and when we do practice, we don’t do it great most of the time,” Holden says.
Organizations that regularly run through well-crafted tabletop exercises develop the muscle memory needed to handle the real deal quickly and respond strategically, avoiding delays and missteps that could mean more lost business, greater reputational harm, and higher hard costs.
After some of the earliest headline-making breaches, security professionals assumed that their colleagues at those hacked companies suffered career-ending events. That wasn’t the case, and with good reason. Those workers have valuable experience.
CISOs should look to hire a few such professionals to help them better prepare. “You want someone who has done the surgery before,” MacDermott says.
An increasing number of states and federal governments have implemented regulations that dictate how organizations should handle breaches, including how fast organizations must notify individuals that their information has been compromised, what, if any, services they need to offer those individuals, and what circumstances require those actions.
The European Union’s General Data Protection Regulation (GDPR), for example, includes requirements for timely reporting of a data breach, and stipulates that an organization violating this law may be fined up to four percent of its annual revenue.
MacDermott says CISOs should work with others in enterprise leadership to understand in advance which laws apply to them, in what circumstances, and then prepare boilerplate language that will work in multiple scenarios.
“We see each breach getting taken as an individual event, when 80% [of the language] can be used over and over with only 20% needing to be modified for that particular event,” she explains.
That’s a lot of wasted time, and time equals money.
Hackers are increasingly using one hacked organization to attack others, so be prepared for such scenarios, says Tom Kellermann, head of cybersecurity strategy at VMware and global fellow for cyber policy at The Wilson Center. The SolarWinds hack is one of many recent illustrations.
Moreover, Kellermann expects companies to start suing those organizations used as hackers’ base stations. “This is the year you’ll see shareholder lawsuits and regulatory penalties” for such events, he predicts.
To guard against costly court battles, CISOs need to make sure they don’t end up in such situations and can move as quickly as possible if they do. Furthermore, CISOs need to be more diligent about watching for attacks that use legitimate organizations as launching pads, even when those organizations may not be thought of as formal suppliers or partners.
One of the most effective ways to counter costly hacks is to decrease the time that adversaries are on the network. CISOs can do that by investing in integrated network and endpoint detection, real-time telemetry and analytics capabilities, as well as threat detection and other leading security best practices, Kellermann says.
Detecting bad actors early helps neutralize their activities and limit—or even prevent—damage. That, of course, is important but it’s becoming increasingly critical to do so without the adversaries learning that they’ve been identified. Kellermann says some hackers, particularly those backed by hostile nation-states, turn punitive when deliberately thwarted.
“We need to be more clandestine in how we conduct incident response and threat hunting,” he says.
CISOs who want to respond quickly to a breach should also beef up their understanding of geopolitical news. As experts note, many bad actors are backed by nation-states and act on their direction, not only capitalizing on technical weaknesses that exist within organizations but also taking advantage of a business community that doesn’t always recognize it’s vulnerable to international tensions.
“When we’re talking about getting ahead of the breach, it’s important to understand the geopolitical landscape,” MacDermott says. “Think about what’s going on around the world, what’s happening between countries, and understand your position is in relationship to that. That’s generally something a chief risk officer thinks about, but it’s important for CISOs to think about it, too. You might be able to respond more quickly, have your partners ready, if you know you’re going to be a pawn in a geopolitical chess game.”
CISOs should lay out in advance the difficult choices that the boards and executive teams will have to make in the event of an attack, says Rob T. Lee, head of faculty and chief curriculum director at SANS. “It’s going to come down to whether you shoot the hostage or amputate an arm. There is no winning in a breach,” he says.
“So how will you limit the damage so it’s not a life-ending event for the organization?” he asks, adding that there won’t be time in the aftermath of a detected breach for hand-wringing, finger-pointing, and second-guessing.
“Minutes and hours matter, because within days there could be irreparable harm to the organization.”
Copyright © 2021 IDG Communications, Inc.