Dr Guy Bunker, SVP of Products at Clearswift discusses the increasing trend amongst cyber criminals to hold data to ransom and what you should do if your organisation becomes a victim
You know something’s gone wrong when you make Equifax’s handling of their data breach look good. In what has arguably topped the list of the worst cyber-attacks of 2017, Uber is now facing global scrutiny for a data-breach it’s concealed for the past year. The attack saw hackers steal the personal information of 57 million drivers and passengers, with Uber subsequently paying the hackers $100,000 to ‘delete’ the information and keep the breach quite.
Whilst it’s still unconfirmed as to the kind of cyber-attack Uber suffered, the breach serves as yet another reminder of the increasing trend amongst cyber criminals to hold data to ransom, whether through ransomware or other means. For organisations that become the victim of this type of attack there are procedures to follow and a number of key things that should be done (and keeping it a secret for a year is not one of them).
According to a report from Osterman Research, in 2016, ransomware attacks increased at a rate of several hundred percent per quarter. Over half (51%) of the organisations surveyed revealed they had suffered between 1 and 5 ransomware attacks. With such a high volume of attacks, it’s not a matter of ‘if’, but ‘when’ you get hit, and preparing for the worst could mean the difference between your business surviving or not.
The cyber-breach action plan
The first place to start is by treating cyber security in the same way as you would any other business risk, preparing for a data ransom scenario as you would the destruction or theft of physical assets and putting in place a cyber-breach action plan. This should initially include the mobilisation of a senior team of board level executives, as well as communications and IT heads, who will lead the response to the attack.
With the first responders in place, your organisation will need policies for how to respond to the attack. The first response priority should be to ‘not respond’. Do not engage with the hackers, or provide payment of any kind. These individuals are criminals and as we’ve seen with Uber, there is no guarantee that they will delete the data or you will get the data back. If it’s ransomware, there’s also no guarantee that you won’t be re-infected a week, month or year down the line.
As should now be plaintively obvious, disclosing a cover up is far worse than disclosing a data breach. Your first response should be to inform the authorities. In the UK, this will be the Information Commissioner’s Office. Clear communication should then begin with the staff, who need to be told who they should direct questions to if, for example, media request any information. In conjunction with this, all remaining board members should then be informed and then the shareholders.
Once all processes for internal communications have been completed, external communications can begin. All individuals and/or organisations that have been affected should then be informed of the attack. Communication to those affected is paramount to mitigating reputational damage and distrust amongst customers. Often the worst backlash around high-profile breaches centres on the organisations who have sat on the information for too long and not informed their customers. Much of the criticism that revolved, and still revolves, around the Yahoo data breach centres on the company waiting over a year to disclose the attacks. This affects the brand and often the revenue, long after the incident has occurred.
What’s more, if customers are unaware that their details have been compromised, it jeopardises their security. Under the GDPR, organisations will have 48 hours to communicate a data breach, or risk facing a fine totalling 4% of their annual turnover, so getting it wrong will soon come with even worse consequences.
Communication to the media should be the next step on your business recovery plan. Ensure you have all the facts and have decided upon what is going to be said and what should not said before engaging with the press. For example, overestimating the impact can be just as damaging as underestimating it.
You also need to ensure all information is consistent; conflicting information can result in damaging press coverage. Equifax recently announced that customers who enrolled in an identity theft protection scheme offered as part of its response to its data breach would waive their right to any legal action against the company. Equifax announced shortly after that it would be removing the clause in an FAQ. The amended statement cost them yet another round of bad press to add to their public relations nightmare.
As part of your communications plan, a spokesperson will need to be allocated so that all information is coming from one source and anyone else who is approached can send all enquiries to that individual. This helps mitigate the chance of conflicting information being communicated from your organisation. This is often the CEO but could be a communications director or chief marketing officer for smaller attacks.
After the initial round of communication, it is important to maintain the communications flow, until the attack has been resolved. Regular updates should be sent to employees and stakeholders with the progress of the response. This could include information on the investigation, the introduction of company policies or the implementation of new technologies that will help prevent a repeat breach from occurring. Even after that, there will need to be continued reporting (for several years) to the company auditors and authorities to show that things have improved and there have been no more incidents.
In the current climate, organisations face increasing scrutiny over their cyber security practices. How an organisation handles a cyber-attack can mean the difference between sinking or swimming, especially as a major incident can leave a business reeling for years to come. However, handling it well shouldn’t just be seen as mitigating damage to your brand or your turnover but also as helping to protect your customers.