The EU GDPR will be enforced from May 25th next year. GDPR mandates a wide variety of requirements on how data processors must manage customer and 3rd party data. Although it is not primarily focused on cybersecurity, it does contain vague requirements on security monitoring. These include that data processors must establish a breach notification procedure, which includes incident identification systems, and must be able to demonstrate that they have established an incident response plan.
Further, there is a requirement to be able to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, or face a stiff financial penalty. This last requirement is of special interest beyond its impact on data processors, because it means that, for the first time, we will begin to have reliable data on European breaches.
Historically, European companies have had no external requirement to be transparent about being affected by a breach. This has had the consequence that we have not had good data or an awareness of how well or badly European organizations are doing when it comes to preventing or responding to security breaches.
I am sure that if, like myself, you have worked in forensics and incident response in Europe over the years, you are aware of far more breaches than are publicly disclosed. The only information available is when a breach is disclosed due to the press and law enforcement, or the impact is so great that it can't be ignored. We also have some anonymized reports from some vendors and MSSPs, but these are really no more than samples. While not without benefit, these also do not provide a reliable indicator, as the samples are not necessarily statistically representative. This provides a false sense of how European organizations are faring compared to other regions and presents a skewed image of European security in general.
The true state of European security is an unknown and has been difficult to quantify. I have seen German articles, for example, that have claimed that German security is better than the rest of the world because there are fewer known breaches. The absence of evidence is of course not evidence of absence. Something that has not been quantified cannot be said to be good or bad. More importantly, if you do not measure something, it cannot be improved.
It will be interesting to see whether GDPR will force European organizations to place more focus on Incident Detection and Response, and give us insight into the true state of European security.
Cyber criminals do not discriminate when it comes to their targets of choice. They go after whatever organization they consider likely to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.
Cyber attacks on critical infrastructure have become commonplace lately, threatening public health and safety and deteriorating relations between countries. Given how sophisticated and advanced these cyber threats are, it is no wonder that it is extremely difficult to detect and prevent all of them, so a proper cyber incident response plan that helps contain the damage and recover from an attack becomes a necessity.
Incident Response Solutions for Critical Infrastructure Sectors
Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.
To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan relying on an automation and orchestration platform.
Benefits of a Workflow-Based Security Incident Response Plan
By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.
A workflow-based platform that incorporates a set of actions tailored to specific types of cyber attacks allows security teams to go through all stages of an incident response quickly and effectively, by providing them with concrete steps that need to be taken based on the type and scope of an attack. Furthermore, based on the attack type, knowledge-sharing articles can be associated with the incident for faster and more efficient resolution.
In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential security event information and improving their ability to prevent future attacks.
Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.
This past summer, many cyber security experts expressed their concerns that certain Russian groups were involved in the hacking attack on the U.S. Democratic National Committee’s (DNC) computer network, leaking 20,000 emails from various Democratic Party officials. The DNC hack made the headlines around the globe, and for good reason.
No matter who the perpetrator was, one thing is clear: the hack of the DNC servers inflicted serious harm on both the Democratic Party as an institution and many of its members, mainly in terms of the public image of the party and of various individuals.
However, it could have had further, more wide-ranging implications, including an impact on the upcoming U.S. presidential election, which is why it is very important to understand what could have been done to prevent it, and what kind of response and management process for the incident should have been chosen.
Was the Hack Avoidable?
Even though it's difficult to say with confidence whether the DNC hack could have been avoided without knowing the confidential specifics of the incident, there are a lot of things that could have been done that would probably have protected the DNC's computer server much better.
The consensus among leading analysts familiar with this incident is that the DNC hack was most likely conducted through spear phishing, which is one of the most common methods for initiating a cyber attack.
With that in mind, one of the easiest ways to avoid falling victim to such a fraud is to train people within your organization on how to recognize and react to such threats. People should be familiarized with the spear phishing technique and how it works, making them more aware of the difference between legitimate emails and links and malicious ones, with the latter being the basis of all phishing scams.
What’s the Appropriate Response to These Types of Incidents?
Sometimes, no matter how well every person within an organization is trained and educated on cyber security threats, attacks on a company's or institution's server or network occur, and that is when you need to be able to react as fast and as efficiently as possible to prevent the loss of confidential information and avoid a major blow to your organization's reputation and, consequently, your bottom line.
To that end, having a cyber incident response plan in place is key to bringing cyber incidents under control and minimizing or completely avoiding the potential consequences of a breach.
According to statistics from a recent AT&T report, 62% of organizations admitted to being breached in 2015, but only 34% of organizations polled had an incident response plan. These statistics inevitably point to the need for increasing awareness of the fact that every organization is highly vulnerable to cyber attacks, and of the necessity of devising a plan and having the right tools to help them mitigate the impact of any breach and return to business as soon as possible.