The rapid, broadscale shift toward a fully interconnected digital world has brought with it countless benefits, but also many new dangers. Those same, wide-open communications channels that bring businesses into the living rooms of customers pave a similarly easy path to corporate doorsteps for attackers to exploit.
The full extent of the prevailing threats burst convincingly into the public consciousness following recent high-profile incidents, salient among which was the Stuxnet worm in 2010. A highly sophisticated piece of malware, it was designed to sabotage Iran’s nuclear program by targeting the industrial control systems that ran its uranium-enrichment centrifuges.
While interesting on a technical level, what Stuxnet really hammered home was that both the motivation and the money to carry out cyber espionage at the highest level were available in spades, and that the potential for such activity to result in physical damage was very real.
Since then, details about incidents – ranging from state-sponsored hacking and wiretapping, to financially-motivated attacks emanating from criminal organisations, to political hacktivism – have been regularly publicised. It comes as no surprise, therefore, that cyber security has rocketed up the priority list of many organisations: it is considered the greatest threat to business growth by Australian CEOs and a key threat by 61% of CEOs worldwide. In PwC’s latest Global Economic Crime Survey, 34% of organisations say they think they’ll be affected by cyber crime in the next two years.
Hopefully, the first time you sit down to think about what to do in case of a security incident won’t be the day you discover that it’s happened. Preparing a comprehensive incident response plan well in advance is absolutely key, but what should that include?
Prior to establishing your plan, you will need to define your risk profile. Would an attack be more likely to be motivated by financial gain or ideology? Ask the question, ‘What would an attacker want? What are our crown jewels?’
The answer will depend heavily on the nature of your organisation’s activities. For large retailers and commoditised industries, that’s probably the customer or payments database. For some organisations, attackers can extend to environmental hacktivists looking to inflict as much damage and embarrassment as they can.
Comprehensively determining your risk profile, however, can easily stretch resources and expertise to the limit, so it’s common for this task to be outsourced to an external IT security consultancy that can provide an objective high-level risk assessment.
Your incident response plan will be what enables your organisation to respond effectively and cohesively to an IT security attack. Done right, the plan ought to:
For your incident response plan to be effective, it will need to be detailed, highly considered and, most importantly, rehearsed. It will need to contain the following elements:
Is it or isn’t it? Have an unambiguous definition of what constitutes a security incident in place, so that you know exactly when the plan needs to come into effect. This is about as important as having the plan itself: without it, the plan is either invoked too late or triggered by every routine alert.
Put together a multi-disciplinary team of specific, named individuals best able to deal with a security incident. This should include roles, responsibilities and emergency contact details. The team will need to include both those that have the necessary executive power and those with technological expertise.
Likely to find representation on a response team are IT security, the network security team, desktop and server fleet – the whole host of IT disciplines. In addition: business representation for those cases where customers are affected, regulatory liaison, corporate affairs to lead any discussions about brand and the media, and the CIO in order to be able to make snap financial decisions like shutting down systems or rapidly engaging external help.
While news of certain, highly visible breaches (like a defaced website) is likely to be public knowledge immediately, in subtler situations knowing who to tell, what to tell them and when to do it is particularly important, especially in cases where a threat is detected early, while it’s still ongoing and before damage occurs. Having the threat actor still present and unaware they are being monitored is ideal for tracking and gathering evidence, provided the team has decided in advance how much continued access it is prepared to tolerate before containing the attacker.
Corporate affairs will need to be made aware early of any incidents that require statements to the media and other organisations.
In order to eventually prosecute an attacker, evidence will need to be presented to a court. That evidence will need to have been collected and preserved so as to be admissible, which means a documented chain of custody from the moment it is gathered, so it’s wise to involve legal counsel in determining your forensics strategy.
With hackers potentially still having access to your systems, communicating through those compromised systems risks the attacker eavesdropping and staying one step ahead of your response effort. Therefore, having a plan for ‘out-of-band’ communication, e.g. a completely separate email system that can be activated at a moment’s notice, is imperative. To be genuinely out of band, that channel must not share credentials, directory services or infrastructure with the environment under investigation; otherwise an attacker who holds the corporate accounts holds the response channel too.
With your incident response plan established, communicated and rehearsed, dealing with a breach when it occurs should be a much more orderly affair.
What happens once a threat is actually detected? The next article in this series will look at how to invoke your response plan in order to effectively minimise damage.
© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.