
Obsession with cyber breach notification fuelling costly mistakes
The race to meet security breach notification deadlines is leading to staff burnout, destroyed evidence and a culture of blame, warns a Trend Micro risk and security strategist
Regulations such as the General Data Protection Regulation (GDPR) and the Australian Prudential Regulation Authority’s (Apra’s) CPS 230 standard have led organisations to become “really obsessed” with the 72-hour notification window following a data breach, according to Shannon Murphy, global security and risk strategist at Trend Micro.
However, this focus means many are still making common and costly mistakes when dealing with incidents.
Murphy said the lack of a formal incident response plan increases the stress on those handling such events, and consequently, “people are burning out”. This high-pressure environment can lead to two other critical risks.
The first is evidence being damaged, destroyed or otherwise invalidated by panicked attempts to restore services as quickly as possible. The second is the human tendency to start a blame game, which can also lead to evidence being deliberately concealed or destroyed.
Having a suitable incident response plan can mitigate all of these issues, said Murphy.
She recommended having a designated observer whose sole job is to account for everything that is done in response to the breach – from both a technical and human perspective – over at least the first three days.
Key technical aspects include strategies for log preservation, such as storing logs away from the operational network, as well as establishing out-of-band communications, since the breach may have compromised tools such as Slack and Teams. Without a plan for such situations, communications are likely to become decentralised and informal.
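An added example (not from the article or Trend Micro) of the kind of record the designated observer described above could keep: an append-only, hash-chained action log whose copy held off the operational network can later be checked for edited, deleted or reordered entries. The entry fields and chain format are assumptions made here.

```python
# Added example; field names and the chain format are assumptions, not a standard.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no spaces) so the hash is order-independent.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain: list, actor: str, action: str, ts: str = "") -> dict:
    """Record one response action; the chain is mutated in place."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "prev": prev,  # ties this entry to the one before it
    }
    entry["hash"] = _entry_hash(entry)  # computed before the "hash" key exists
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Recompute every hash and link; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev"] != prev or _entry_hash(body) != e["hash"]:
            return False, i  # edited, deleted or reordered entry detected here
        prev = e["hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: three actions from a fictitious first-day response."""
    chain = []
    append_entry(chain, "observer", "incident declared; out-of-band channel opened", "2024-01-01T09:00:00+00:00")
    append_entry(chain, "sysadmin", "copied host A logs to the offline store", "2024-01-01T09:12:00+00:00")
    append_entry(chain, "sysadmin", "isolated host A from the network", "2024-01-01T09:20:00+00:00")
    return chain
```

Verifying the offline copy against the live one at the end of each day makes any "tidying up" of the record visible, which is the point of having an observer rather than relying on memory.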
Long-term resilience
While knowing how to deal with a breach is important, Murphy sees a growing interest in achieving long-term resilience. An analogy would be working to prevent fires from occurring, as well as planning ways to put them out.
Although technologies like extended detection and response (XDR) remain important, proactive risk awareness is attracting increased attention.
The first step is identifying the organisation’s “crown jewels” – the most operationally and reputationally important systems and data. This requires a comprehensive discovery and inventory process to identify all IT assets, not just physical items such as servers and PCs, but also intangibles including software and identities. Once an organisation knows what it has, it should check all assets for misconfigurations and remediate them in order of priority to reduce the attack surface.
Reducing the attack surface also means organisations should pressure suppliers to release patches promptly for any discovered vulnerabilities. While it is still up to organisations to apply those patches, Murphy said suppliers including Trend Micro can provide customers with virtual patches to offer protection in the interim.
Finally, she advised organisations to validate and test the measures they have taken, for example, by engaging a red team to test defences.
Murphy said Trend Micro’s red teams succeed in 99% of their first engagements with new clients, but this falls to 30% in the second. By the end of the process, the success rate is less than 1%, she added, highlighting the effectiveness of iterative testing.
Although organisations have enough compute power to perform continuous security validation and build digital twins of their IT environments, there is “still a tonne of value in a human red team engagement”, she advised.
Murphy warned that while it is often easier to deploy and update security controls in a cloud environment, developers and marketing departments are inclined to spin up new cloud systems without involving security teams, creating shadow IT risks. Fortunately, she added, there are open-source and commercial tools that can help keep track of the IT landscape.
Preparing for and responding to breaches is not solely a job for IT and security staff. Legal, communications, executive and other teams must be involved in the process, according to Murphy.
“You’ve got to practise your people skills and get buy-in from other parts of the organisation,” she said.
It is up to the organisation as a whole to decide whether to accept the current level of risk or to make changes, and recognising this reduces the pressure on the security team, added Murphy.
The good news, she noted, is that boards and C-level executives are taking much more interest in cyber security than they did in the past.
“In some jurisdictions, they are open to personal penalties if a breach occurs, but another motivation is that the growing sophistication of cyber insurers means organisations will only be able to get cover if they are taking the right steps,” said Murphy. “That should lead to better behaviour.”