Our region’s transformation from a last-century economy to one built on world-class research and education, health care and technology makes it a great place to live and work, but also puts us in the cross-hairs of those who want to steal that intellectual property and potentially our innovative edge.
External hackers, competitors, foreign actors, disgruntled insiders and even the “I didn’t know any better” employees pose a serious risk to businesses of all sizes. Fortunately, we have topnotch technical and legal capabilities in the Pittsburgh region, alleviating the need to seek assistance elsewhere when trouble strikes.
As someone who spends his days examining laptops, servers, log files and all manner of digital evidence, I am often asked by business owners and colleagues: how can we best prepare for a potential cyber-incident or breach and what types of incidents are you seeing most often? With the help of my cyber-breach coach and colleague Matthew Meade, Esq., at Buchanan Ingersoll & Rooney, below are a few of the best practices which all businesses should consider and the common threats and incidents that we regularly see.
I am often asked by business owners and colleagues: how can we best prepare for a potential cyber incident or breach?
When an incident occurs, what do we do first?
In a perfect world, the initial response is directed by an Incident Response (“IR”) plan or policy already in place by the company. This does not mean that every step in the process and every type of incident can be planned for in advance and identified in an encyclopedic-sized document. To the contrary, when IR plans are so large and complex, front-line staff typically can’t understand or implement them effectively. An IR plan is meant to be a guide, a “who’s who” and “where do we start” for handling the incident. When Matt Meade and I talked about this on TechVibe radio (https://pghtechfuse.com/podcasts/appian-brand-accelerator-bit-x-bit-hardware-cup-techvibe-radio/), Matt described it as a NFL playbook. You need the playbook and you need your IR team to practice the plays; not being prepared for a security incident can be just as disastrous as having no plays drawn up for the game. However, as Matt cautions, although there should be a plan on where to begin (“the play”), surprises will invariably occur, and you need people in the right positions to be able to respond appropriately and quickly.
What are the most common incidents you see?
Insider theft is the most common type of incident that we see. In approximately eight out of 10 cases, when we are asked to investigate whether a “trusted” or departing employee took something upon exit, they did. The important question here is “what type of incident is my company most likely to face?” The answer will depend often on the particular industry. Common threats and themes beyond the dominant denial of service-based attacks are: surprise, privilege misuse (insiders), crimeware (a large subset of which is ransomware, likely delivered via phishing emails) and web application attacks (the equivalent of kicking in the digital front door). A great resource for information is the Verizon Data Breach Investigations Report that is released every spring. We are participating in the report this year for the first time and highly recommend it for a better understanding of the current incident and breach landscape.
When an incident occurs, who needs to be notified and how?
First let’s clarify some commonly confused terms: an incident is a security event that may have compromised one of the information security CAI triad (confidentiality, availability or integrity) of an information asset. A breach is an incident that is a confirmed disclosure, not just a potential exposure, to a third party. Determining that an incident is a breach requires a careful legal and technical analysis of the definition of a breach under state and/or federal law. By way of example, there are 48 state breach laws that mandate what must be done when an organization has a breach. As Matt often points out in his role as a cyber-coach, those 48 state breach laws come into play based on the location of the affected person, not where the business physically or virtually operates. If you have information for someone in Florida, are you ready for a 30-day notification requirement? Some breach notification laws also have interesting language like requiring “reasonable security” – which of course isn’t defined, leaving plenty of room for potential disagreement, interpretation or litigation. This is an area where the attorney you have as part of your cyber-response team absolutely needs to be well versed in these requirements.
How can we best prepare to make sure our forensics and legal teams can be most efficient?
A few key areas include:
Have an IR plan in place and rehearse it ahead of time (referred to as “tabletop” exercises). If you don’t have one, find help and get one together.
Prepare an inventory of all company assets and systems. If you can’t provide your forensic team with a network map, data flows or similar details about the environment, you will add hours of valuable time getting up to speed and delay response time.
If the IR plan is in its early stages, contact information for internal stakeholders and key third parties is crucial. If you need administrative access to a system, even an externally hosted one, and you don’t have primary and backup points of contact, valuable time again may be lost.
Do not take too many technical response steps without first understanding the potential impact and need for them. For example, restoring a system from a system backup will often destroy the very data and evidence that is needed to investigate the incident. In general, the process is: assess, isolate, remediate and determine the lessons learned.
By Brett Creasy, bit-x-bit LLC and Matthew H. Meade, Esq., Buchanan, Ingersoll and Rooney