Four best practices in responding to a security breach
You need to tell your customers you’ve been hacked. Now what? Patrik Heuri, general manager of Above Security Europe (and ex-global head of information security risk at HSBC), explores.
From Tesco’s cyberheist to the attacks carried out over Swift’s system, it’s clear the financial industry is a gold mine for cybercriminals – there’s been a 40% increase in cybercrimes targeting the financial sector over the past year despite improved risk management.
In response to the industry’s heightened security climate, chief information security officers (CISOs) and information security executives have become an integral part of board-level decisions, including mergers and acquisitions, business model changes and product development, as each has an impact on IT security and how the security operations centre handles risk.
Cyberattacks are constantly growing in complexity and scale. It is essential for CISOs and information security executives at financial institutions to learn from other high-profile organisations that have fallen victim to a cyberattack and suffered brand-damaging breaches, and to draw on those cases when deciding how they should, and should not, craft their own crisis management plan.
Breaches have become inevitable. Critical mistakes will not only damage your brand in the eyes of your customers, but also disengage your employees and reduce the trust of leadership. By implementing the practices below, you can respond to breaches swiftly and suitably while preserving brand equity.
- Keep affected users in the loop
If your financial organisation suffered a breach, you wouldn’t want to hear about it on the news before a message came directly to your inbox. CEOs and company spokespeople should work to inform clients, employees and shareholders of security issues as soon as they occur. Of course, the process is not always straightforward, or even possible: the 2016 Verizon Data Breach Investigations Report found that law enforcement agents tend to discover breaches before IT security teams are even aware that malware has circumvented security and exfiltrated customers’ personally identifiable information (PII).
To keep affected parties informed, forming a crisis committee can help organisations plan first steps, timelines and protective measures in advance. When an attack hits, such planning can smooth the response and reaction process, and avoid situations involving delayed responses, incorrect information and a lack of actionable steps for customers.
- Communicate transparently – and with a forward-thinking eye
When you look for the gold standard in how to respond to a breach, one of the most critical components of a response plan is to communicate clearly about the breach and have a plan to mitigate the damage. Focus on reclaiming and reporting the information your customers care about most. Rather than listing tedious technical details about the information compromised in the breach, highlight the steps you are taking to fix the problem and focus on earning back trust. To aid this effort, a trained forensic investigator should be available, either externally or within your incident response team, to recover critical system artifacts and other potential evidence and to ensure the chain of evidence is intact. That work is what lets you understand exactly how the attack circumvented your security, what information was stolen or compromised, and ultimately how extensive the breach may be.
- Know your industry (and its major threats)
According to surveys conducted by IT security media outlets, approximately 66% of customers said they would not do business with an organisation that had been breached. We saw this with Target, Home Depot and other large retailers in the US that were victims of breaches; but what happens when it’s a small or medium-sized business (SMB)? SMBs are an enticing target for cybercriminals; the smaller the organisation, the more important it is to understand its strengths and weaknesses from a security-posture perspective. Customers have become less likely to forgive companies that don’t protect their data, and are particularly unforgiving when it comes to small businesses.
IT security leaders should understand the principal threats in their industries. Ransomware often targets healthcare organisations; retailers consistently deal with malware attempting to exfiltrate customers’ PII, such as credit card data. The financial industry deals with the largest number and most diverse types of attacks.
Fortunately, adversity breeds the next generation of ideas and solutions. Financial industry leaders are joining forces to create a knowledge base of threats, zero-day exploits, and capabilities to track attack trends, including malware strains and indicators of compromise (IOCs). The Financial Services Information Sharing and Analysis Centre (FS-ISAC) was formed in 1999 by banking industry professionals to collaborate on cyberdefence strategies, and similar organisations have gained momentum in terms of participation over the past several years. Additionally, FS-ISAC now provides incentives for smaller financial institutions, such as credit unions, to pool resources and protect against threats for the entire industry.
- Be the example your customers are looking for
In the wake of a security breach, true leadership skills shine. Addressing customers, employees and networks honestly, while sharing strategies and highlighting lessons learned from similar situations, can inspire hope and build a foundation on which customers can move forward. After all, security attacks and breaches are now part of life: thousands took place in the last year, and the total is growing at 38%. By helping customers and stakeholders overcome breaches and put responsible security practices in place, financial institutions can protect their customers and put them at ease if their personal information is compromised.