Best practices for prevention and immediate response to a breach
Preparing for a cyber attack involves a broad set of stakeholders within a business, and it is becoming commonplace to have experienced investigation lawyers on hand to ensure that clients recover business operations as quickly as possible, while sustaining the least amount of legal, reputational, financial, and operational damage, writes Mark Goudie.
Effective incident response planning begins with robust preparation and strategic thinking. While a large part of the responsibility for incident prevention lies with the client and their technical teams, businesses need to be thinking more broadly about who else from the organisation needs to be across the initial response.
In the age of regulation organisations should ensure that experienced legal counsel is available when a data breach is first detected. This is a crucial step towards proactively building the incident response processes ahead of an incident and establishing roles necessary for responding to it.
A key role for a legal team is initially determining whether an incident involves compromise of company systems or data and the implication of any legal or regulatory guidance such as the Notifiable Data Breach Scheme in Australia. The penalties for organisations that do not report a breach from the Australian Information Commissioner are up to $340,000 for individuals and $1.7 million for organisations.
A longstanding challenge in this area is translating cyber security defences into language that demonstrates how an organisation is meeting regulatory expectations and legal requirements.
The industry response to this challenge has traditionally been checklists as a way for the legal or compliance personnel to translate requirements into legible terms, and for IT professionals to then translate technology into something others can understand upon review. However, this alone is not sufficient without the below listed steps which complete an effective response strategy.
Gaining complete situational visibility
Clients and counsel must work together to ensure comprehensive visibility into the client’s electronic environment. Advanced tools like machine learning and antivirus platforms can provide continuous coverage of the environment, enabling responders to develop a timely, comprehensive, and complete narrative about the incident.
While discussions about comprehensive visibility of an organisations network often focus on technical solutions, an experienced investigation lawyer can complement efforts to improve situational visibility across the organisation.
A legal team should coordinate with clients to proactively establish effective decision-making processes to support information flow from the technical team into the decision-making structure.
During an incident, clients want and in many cases are legally required for investigations to move quickly and offer insights about what mitigation strategies will be most effective. This need can be addressed by the 1-10-60 rule, where organisations should strive to detect malicious intrusions in a minute (or less), understand the context and scope of the intrusion in 10 minutes, and initiate remediation activities in less than an hour.
It is imperative that organisations can effectively remediate data breaches before attackers can progress and gain further access into a network. A thorough investigation with clear roles and responsibilities is key to enable faster, more complete remediation.
Having a strong pre- and post-breach strategy in place
Data breaches are inevitable and waiting for a breach to occur before designing an incident response plan is a bad idea that will ultimately cost more money due to an ineffective response.
Both technical experts and legal counsel have roles to play in helping clients identify the weaknesses and strengths of the response plan.
Technical discoveries during a response can inform both better preventative measures and proactive hunting for potential adversary activity within the client’s environment. All parties involved in response can advise development of post-breach reports that help shape future behavior. A legal team can provide essential insights to help the client prevent potential legal and reputational damage.
Mark Goudie is a services director, Asia Pacific, at CrowdStrike.