CISOs fear becoming the next Travelex
Poll of security professionals by the organisers of the Infosecurity Europe trade fair highlights huge gaps in incident response capabilities
If their IT systems were compromised in a cyber security incident, 46.7% of security professionals would not know it had happened, compared to 31.5% who claim they would discover it immediately, and 14.3% within a month, according to an online survey conducted by the organisers of the annual Infosecurity Europe event.
The poll, which was of a self-selecting sample of followers on social media, attracted almost 7,000 responses, and explored topics around incident response and reporting, the importance of which has been highlighted in the first few weeks of 2020 by Travelex’s highly criticised handling of a ransomware attack.
Maxine Holt, research director at Ovum, said the survey’s headline finding reflected a widespread issue – that it was quite usual to discover a breach long after it had occurred.
“Uncovering breaches is not easy, but proactive threat hunting is an approach increasingly being used by organisations,” she said.
“Regularly scanning environments to look for anomalies and unexpected activity is useful, but it can be difficult to deal with the number of resulting alerts. Ultimately, effective cyber hygiene involves having layers of security to prevent, detect and respond to incidents and breaches.”
Many have argued that Travelex’s response to the ransomware incident that began at the start of January and from which it is only now recovering (or so it claims) has been poor, and judging by some of the survey results, it was clear that for many CISOs, Travelex may have been a “there but for the grace of God go I” moment.
Infosecurity Europe asked its community what they felt was the key priority when dealing with the fall-out of a cyber attack. It found that getting back to business as usual was top for 42.4%, followed by customer communications and PR for 23.6%, engaging law enforcement for 19.4% and ensuring compliance for 14.6%.
As previously explored by Computer Weekly, a lack of transparency and customer, partner and media engagement following a breach has probably been Travelex’s biggest failing. Ovum’s Holt said: “PR can make or break a breach. Arguably, British Airways did a decent job, whereas Equifax did not.
“Ultimately, the ‘six Ps’ mantra should be at the forefront of organisations’ minds – proper preparation and planning prevents poor performance. Being ready for a cyber attack, security incident or data breach in general means the organisation has a much better chance of emerging from it in a reasonable state.”
Becky Pinkard, CISO at challenger retail bank Aldermore, added: “Good incident response requires attention across all areas – from public relations management to deep technical expertise, and everything in between. However, companies largely fail for two reasons: they lack any documented incident response plan, and if they do have a plan, they have not stress-tested it.”
Nicole Mills, senior exhibition director at Infosecurity Group, said: “Working to prevent breaches will always be imperative, but the cyber security industry is increasingly recognising that this is not always possible, and that how organisations respond to, and recover from, a breach is incredibly important.
“The results of our poll indicate that improvements need to be made in areas including breach detection, the thorough preparation and rehearsal of response plans, and the discovery and classification of information assets.
“They also highlight that while having a clear strategy to restore ‘business as usual’ as quickly as possible, immediate and transparent communication with customers – and also partners, suppliers and regulators – is necessary to preserve trust and protect the brand’s reputation. This means PR departments should be part of the incident response team.”
Read more about Travelex
- Foreign exchange services remain disrupted three weeks after Travelex received a $6m ransom demand from cyber gangsters.
- The key lesson to take from the Travelex breach is that an effective response to a breach is a critical business function and no longer the sole province of the IT department.
- With Travelex’s IT still in disarray and banks and travellers left without access to funds more than a week after it was hit by a ransomware attack, we ask what others can learn from the foreign exchange services company’s response to the incident.
The survey also revealed a lack of insight or understanding of risk concerning information assets. Just under 45% of respondents said they had little understanding, 30.7% some, and only 24.7% a comprehensive understanding.
Bev Allen, head of information security assurance and CISO at financial services firm Quilter, said: “Many companies don’t know what or where all their information assets are. They may think they do, but if they’re wrong, this leaves them vulnerable to breaches.
“Consistent knowledge of your assets takes effort. You need tools and systems to record what you have, you need people to follow appropriate processes, and you need to search to find out what you don’t know about and where it is. This search must be done regularly.”
Steve Trippier, CISO at Anglian Water, said the knowledge gap around information assets was largely down to a lack of education around why proper asset management is important, which he said often fell behind other priorities for IT teams.
But this might be changing, he added. “As more companies introduce automated vulnerability discovery and management, the need for effective asset management will become very obvious, especially as cyber teams highlight vulnerabilities on assets that the organisation forgot it even had.”