Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.
Corporate Response to Attacks
12/21/2017 at 9:39 am #12901
Given recent events where attacks on companies are being covered more and more in the press, it appears that the public and press expect immediate disclosure, response and resolution when there is a breach. Are corporations justified in taking time to truly understand the nature of a breach and to monitor such activity in order to learn something prior to disclosure and response or is the public justified in demanding immediate and urgent action? I initially thought the latter, however, in my early studies of cybersecurity, the complexities of this topic make me wonder if this is too much 1st level thinking and approach. Thoughts?
12/22/2017 at 2:06 pm #12933
Your question is a good one. It is a very valid concern. I can understand not wanting to go public with limited information before understanding the scope and consequences of a hack. My understanding, however, is that best practice dictates getting as far out in front of a potentially harmful situation as possible with any constituents who may be impacted or harmed by a hack. For example, if there is a possibility that client confidential information has been compromised, you want to be the first to inform, to manage concerns and options to remediate. This also goes a long way in preserving good will, confidence and reputation, all of which have the potential to negatively impact your business.
12/23/2017 at 12:32 am #12936
Valid points. In today’s world that is vulnerable to cyber attacks and exposed to legal and reputational risks, corporations need to be ready to detect any unusual activity on their network – internal as well as external. Every anomaly needs to be detected, analyzed, and dispositioned before discarding. A holistic approach towards managing cybersecurity will include defining processes for sharing information with the public, including customers, regulators, and industry peers. Of course, as jfrank mentions, corporations will want to be reserved about the information that can be shared when a cyber-attack is detected. However, at least a first-level impact (e.g., online order booking system is down) should be disclosed to customers and regulators as soon as such an attack is discovered. Additional information can be disclosed as facts come out as the forensic activities progress. If a data breach is confirmed, then corporations may need time to establish the extent, but jfrank is correct that impacted customers should be informed first, before they find out that their credit card is being used for some unknown purchase. That’s why it is imperative for corporations to install adequate detection systems so that they are well informed of their security posture on the internet.
12/23/2017 at 1:14 am #12937
The nature of cyber attacks makes it very difficult to fully understand the extent and actors of the attack clearly too.
If you look at the examples of Yahoo and Starhub, organizations under pressure by consumers to give a response had to continuously revise and update the “facts of the breach” – which undermines consumer confidence.
12/23/2017 at 3:48 pm #12946
Corporate organizations need to develop a holistic incident response policy because of the large number of cyber breaches that have made their way into the headlines recently. I do not think there is a cookie-cutter reporting time frame that fits every situation. Delays in reporting based on expert opinion(s) may be acceptable in today’s cyber environment depending on the timing and nature of the attack. I think all organizations should create a policy that takes into consideration three primary risks.
• Business Operational Risk
• Legal and Litigation Risk
• Reputational Risk
Business operational risk impacts an organization in the form of lost revenue, inability to provide a service and other metrics. The other two risks are important to organizations based on their customer base and public opinion. If cyber incidents are not handled properly the organization’s customer base and investors may pursue legal actions, similar to the Yahoo situation. Yahoo’s reputation suffered after the data breach and resulted in the organization losing money in their deal with Verizon.
I think there are some things that can be done to help most organizations long-term.
1. Organizations need to have clearly defined reporting processes for malicious activity as well as insider threats.
2. Organizations need to have some form of governance that permits elevation of reporting within the organization if needed.
3. An overarching government organization may need to be established to identify acceptable reporting times for organizations depending on the threat. Some activity may need to be observed longer to obtain more information or develop signatures for future detection, depending on the timing and nature of the attack.
4. A government database that captures all attacks could be used to assist with predictive analytics to facilitate warning organizations, similar to severe weather warnings.
5. Organizations need to conduct internal penetration testing and vulnerability assessments.
12/24/2017 at 11:31 am #12954
hi peacoc, great answer.
12/24/2017 at 3:07 pm #12950
As was observed, the public desire for a company’s immediate disclosure of data breach stems from the exponential impact the delay might have on the individuals, who would not otherwise be able to act to protect their personal data against further compromises. However, it can also be argued that target companies might benefit from delaying disclosure to better protect their strategic systems, and therefore their customers, in the future. Both arguments have to be assessed on a case-by-case basis.
I am more worried about companies not disclosing breaches at all. A 2016 Wall Street Journal article addresses the issue of data breach disclosure, or non-disclosure, in general. One CFO in the article argues that many data breaches don’t get reported to the SEC because they do not satisfy the reporting guideline of being “material,” or not significant enough to influence an investor’s decision to buy a company’s stock. Alternately, some argue that executives choose not to disclose at all (especially if a breach comes to light only long after the fact), to avoid criticism and attacks from investors and consumers unhappy that the disclosure was not executed in a timely and accurate way (T. Shumsky, “Corporate Judgment Call: When to Disclose You’ve Been Hacked,” Wall Street Journal, 16 September 2016, https://www.wsj.com/articles/corporate-judgment-call-when-to-disclose-youve-been-hacked-1474320689). Any thoughts about it?
12/25/2017 at 8:15 am #12964
Do you guys/gals think the GDPR will change the way these breaches are presented to the public? Will it encourage litigation instead of allowing companies to analyze and disclose as they see fit?
12/25/2017 at 11:23 am #12965
I think that through the GDPR we will more often be informed about breaches. It will help with awareness of the cyber threats. Awareness is only a small brick of that real cybersecurity framework that we have to invent, design, adopt and customize…
12/26/2017 at 5:38 am #12981
I have been following organizations’ responses to cyber attacks. The best practice perhaps is to disclose as soon as the organization becomes aware of an attack. However, as the organization investigates further, both the nature of attack and the potential number of impacted people might evolve. The organization might raise further concerns by frequently updating its original announcement as it uncovers new information. It’ll be great to see perspectives from this group as to how organizations should approach a disclosure? Do it right away even with half-baked information? Wait for a certain amount of time until they are somewhat sure that they have investigated most potential angles and understand the impact?
12/28/2017 at 12:11 am #13047
The tension clearly exists between the need to justifiably identify the existence and scope of an attack and the potential that a greater delay than necessary (or a failure to provide notification at all) could lead to a greater reputational loss and potential legal ramifications as well. Yahoo faced tremendous criticism for its slow failure to provide notification, as did Equifax. As pointed out in earlier posts, a response and mitigation plan, as well as a plan allowing for a thorough evaluation of the extent of the breach and a way to elevate the level of concern and reaction within the organization, seem justified, but the time that should be allowed for this analysis should be weighed against the likelihood (or certainty) that personal information was potentially exposed and could lead to greater damage for those individuals whose information was taken. I have read that there is a suggestion that a heightened responsibility attaches to those entities who store the personal information of individuals without their consent (like credit companies) to both take greater measures to secure the personal information in their control and to react more swiftly once it is determined that that information may have been exposed. The earlier post suggesting that the “letter of the law” may not require notification of an attack unless it is ‘material’ such that shareholder value is affected may find that reputational damage can do more to erode value if the breach is later found to have been material after all. If you recall, the planned sale of Yahoo, subsequent to the damage from the public reaction to its delayed revelation of the extent of the breach, decreased in sale price by hundreds of millions.
01/02/2018 at 2:41 pm #13198
As to corporate responsibility, their first and primary responsibility, by law, is to the shareholders. I guess the second most prevalent mention would be to ownership. It is important to know that information transmitted on a corporate-owned device belongs to the corporation and is no longer private property, and as such can be considered misuse of corporate assets and can be confiscated by court order at any time.
12/28/2017 at 9:57 am #13057
Relevant to this topic of Corporate Response …
A recent update we have been making to our 3rd party contracts is to change the language for when to notify us of breaches to 3rd party systems.
Before the language was “… Company Y must notify Company X within ZZ days of a breach.” To mitigate the time Company Y may take to publicize a data breach, or to decide that there was a breach, the language now is something like “… Company Y must notify Company X within ZZ days of a suspected breach”.
The idea is that this will allow us to be aware and prepare for any cyberattack that took place at a partner organization early. Otherwise, it may be months or years before the full impact of it is disclosed by the partner organization.
12/28/2017 at 12:40 pm #13058
I think the meaning of “immediate” or “prompt” disclosure varies depending on the industry or company that was attacked. The preservation of data and understanding the scope of the breach are the primary objectives. As described above, there is a real reputational risk for companies when they disclose a breach. They can lose significant market share besides the costs to get their business back to normal. In addition, if a company is publicly traded, they are susceptible to thousands of shareholder lawsuits because of the breach rather than a much smaller number if it is a privately held company. I say all this because I don’t believe a company has run afoul of their “immediate” disclosure requirements to the public if they develop a plan to control their PR and how to disseminate the flow of information. This does not exclude the company’s obligation to inform the requisite governing authorities or their insurance company, however.
12/29/2017 at 11:50 am #13085
I think that a company that had PII information stolen from their care should immediately announce a breach. Details come later. This way a company can take the time it needs to do a thorough investigation of the details and scope of the breach. The issue here is that if the affected people know their data was at risk, they have the option to take protective measures. Business does worry about reputation. The fact is that if you look at the Target breach, the business took a significant hit to the stock price, and Yahoo! lost millions in value. But later Home Depot was hacked the same way, yet the result was much less of an impact, as we are seeing people get numbed to the big breaches.
12/30/2017 at 9:19 am #13091
Great reading very substantial posts from some fellow participants. All of you made solid points. In my opinion, there are multiple issues involved here. Corporate response to Cyberattacks can be categorized into two groups. How corporations respond to an attack that has taken place and how they prepare to prevent an attack. In the first group, there are pros and cons of letting customers know immediately vs. after knowing the attack in more detail. For example, if an online media company like Yahoo lets its users know of an attack, they are more likely to take notice and change their credentials. However, even if they change their credentials and the malware is still sitting inside the organization’s network, it would be easy to re-capture the changed credentials as well. On the other hand, users can at least get an opportunity to remove their sensitive information such as their financial account credentials which they emailed to themselves or their spouses. They can also alert their banks and other financial organizations about the attack and change their credentials there, change credit card as a precaution, etc. From the organization’s standpoint, it is critically more important to accurately detect the attack as soon as possible and prevent/minimize the damage as they prepare to disclose the attack to their customers/users.
What is more important to understand is the situation gets worse from a lack of preparation and lack of using state of the art detection tools we have today. Very large organizations are financially motivated and legally allowed to let attacks happen, even though the situation is changing fast. To support my statement, let me cite Jose Pagliery and his article titled “Why credit hacks will keep happening” published on December 20, 2013, on CNN.
Pagliery said that after chip-enabled credit cards were used in England and France, fraud was reduced by 34 and 35 percent respectively in those countries. However, as chip-based credit cards cost $1 to $2 per card, it becomes a financial issue rather than a security issue for credit card companies. Pagliery also quoted Anisha Sekar from NerdWallet saying
“The problem is that banks and credit card companies have little motivation to change the current system, said Anisha Sekar, who reviews credit cards for finance site NerdWallet. Financial institutions earned $41.2 billion from credit card swipe fees last year, according to advisory firm Sonecon. Meanwhile, they lost just $5.33 billion to fraud, according to payment industry newsletter The Nilson Report.” (Pagliery, 2013)
As stated above, today we have tools (i.e. Big Data) to collect massive internet traffic data from all network components and analyze them centrally to detect attacks. We also have tools to try to prevent attacks in our Content Delivery Networks (CDN) before they reach our data centers. Several Cloud companies such as Amazon.com routinely prevent attacks in their CloudFront CDN. With these central tools, we can have 24/7 monitoring, easy central update of the malware detection database, and so on. Several things become bottlenecks to becoming a more proactive organization regarding Cybersecurity. Some top-level executives do not have the right mindset or even awareness to realize the threat of Cybersecurity. CEOs who do are sometimes demotivated by seeing the cost of preparation versus the cost of losing data, which Pagliery established in the above article.
This situation is changing, though. The many costs of Cyberattacks namely business operational, reputational and legal are steadily increasing with time. Finance is the sole driving factor when it comes to motivation of the CEOs and the board. As the cost rises, so will be the preparedness, awareness, and use of state of the art tools.
Pagliery, J. (2013, December 20). Why credit hacks will keep happening. Retrieved from http://money.cnn.com/2013/12/20/technology/security/target-credit-hack/index.html
12/31/2017 at 10:17 am #13101
As was clearly and well detailed by peacoc1 and other commenters above, corporations which hold customer data under confidence also have a legal responsibility to protect private information and must be held accountable for any breaches. Although it is commonly understood that a cybersecurity breach may occur at any moment to any organization, there must be conventions and laws that detail the acceptable delay to provide short-term insights (i.e.: 72 hours) to ALL of an organisations’ customer base. Clear and concise lighthouse information should be communicated from the organization to the customers to:
1) Alert them of the suspected breach scenario (without creating panic);
2) Provide them the opportunity to make an immediate, personal decision to take measures to mitigate or avoid (or not) potential damages caused by the leaked information;
3) Offer guidance, initial support and counselling on a suitable course of action.
This standpoint inherently shares varying levels of responsibility between organisations and its customers. Nonetheless, it should be a clear legal requirement that all organisations in the possession of private, customer information must proactively prepare for various breach scenarios and understand the type and level of communication they must provide accordingly in each of these circumstances.
An organization which unilaterally decides to wait weeks, months or even years (i.e.: Yahoo! breaches) before providing breach insights to its customers, often for the sake of their own reputation or fear of litigation, is simply not acceptable. Reaping benefits associated to web-based services does come at a cost for organisations and individuals and should incur a sufficient level of accountability and responsibility for each.
01/02/2018 at 8:47 am #13171
I would like to know what all of your perception towards cybersecurity insurance is. Does it augment and support the best practices, or is there still apprehension with regards to the same? Working in the insurance industry I see its impact, but it would be great to hear from all of you on the same.
01/02/2018 at 8:28 pm #13215
That is a great question and there are lots of great answers. I think it depends on the type of organization who has experienced the hack. In case of Equifax, the organization had to reveal the attack and the number of customers / customer data that was hacked. Trying to hide the numbers or release information in piecemeal can be detrimental to all parties involved.
01/02/2018 at 11:26 pm #13226
The regulatory landscape is evolving as we speak, re: financial institutions.
Very likely a faster disclosure will be required, than otherwise.
It is interesting to observe how such fast disclosures will change the behavior of the actors involved in the attack – will they be affected? will they curtail their activities? will they be motivated by some sort of promise of fame to get as many reports as possible about their actions? etc.
01/02/2018 at 11:31 pm #13210
I go back and forth on this issue but in the end I come to the same personal conclusion.
I agree that corporations need to know the level of risk/damage, etc. to fully inform the public of the actual/verified threat; however, I see no valid reason that notice of an attack could not be made with further investigation ongoing.
In my field we saw similar responses regarding product contamination, especially after the various 2009 incidents where many deaths occurred as a result of food pathogen contamination. Delays in notifying the public resulted in greater threat to the consumer while the investigation was ongoing.
Prior to the Food Modernization Act, usually it was the CDC that was identifying illness trends and completing Traceback investigations to identify the source of the contaminations. This left the product at the consumer level where damages continued.
With cyber, the initial impact is not known until a thorough investigation is completed; however, this leaves the consumer damages to continue until they are able to identify the source and contain the problem. The consumer is unaware of the problem, and therefore unable to take measures to protect themselves from further damages.