The latest Eton Bridge Partners IT Leadership Roundtable focused on the frequently discussed topic of Cyber Security. That said, the discussion wasn’t centred on prevention (exploring the nature of the threat landscape and how to counter it), but rather on the response (how to react to a breach in its immediate aftermath, and what impact this has on the longer term).
The session was facilitated by Philip Clayson, Technology Director of the telecom group TalkTalk, and brought together the personal viewpoints and experiences of a number of attendees representing a wide mix of company types and industry sectors.
The first topic up for debate: what defines an effective response in the days and weeks immediately following a cyber attack?
Entering the unknown
The moment a business detects a cyber breach, it moves from the realm of ‘unknown unknowns’ (to quote Donald Rumsfeld) to known unknowns. In other words a problem/exposure that had previously remained undetected has been discovered – but the root cause and effect are still to be identified and categorised.
The challenge of course is that while you’re working through the data and determining the scale of the breach, and what’s been compromised or taken, further damage is potentially being caused. Defining best practice therefore leads to the question: when should companies announce they’ve been hacked?
Obviously there are mandatory reporting requirements to the Information Commissioner’s Office etc. – which are set to increase with the imminent arrival of GDPR and a 72-hour window for detailing the loss of personal data. But what about making the announcement public, and the timing of going ‘live’? Should there be an immediate declaration, or should companies have the time needed to assess what’s been stolen to avoid scaring customers who could turn out to be unaffected?
To quote one attendee: “I think the challenge is that although it’s nice to base your response and timing on the impact caused by a breach, and the type of data lost, the truth is that at the time it’s happened you’re never sure what the impact is. It could take you an awfully long time to find this out, and in the meantime you run the risk of almost trashing the company’s reputation when the reality could be that only fifteen customers are impacted. It’s a real conundrum because it requires us to balance the rights of the individual versus the rights of the company to get to the bottom of what’s happened.”
Putting a breach into context
This was seen as a problem that grew in magnitude with the level of brand recognition: a high street retailer attracts more press attention than a firm of solicitors etc. There was however agreement on one constant: no business wants its CEO going public with the statement “we simply don’t know what’s happened”.
Equally, there were concerns that announcing an attack without detailing the solution could also attract further ne’er-do-wells. Stating that there is a hole in the perimeter should ideally only happen after it’s been found and secured. Which brought us back to the rights of customers and employees alike to have their privacy protected, even if in the end it’s only 15 people affected rather than 15,000.
Hence the importance of context, and shaping a response that’s in line with the overall impact of a breach to avoid causing widespread reputational damage for what could turn out to be a minor loss of data.
However, as one attendee explained: “What if I don’t know it’s only fifteen customers and it’s taken me six weeks to find out? What do you do in the meantime? My concern is that people won’t be following process, and instead they’ll be getting creative to find a solution, and creativity and that time is the last thing you need. No, for me the only option you have is to go with worst-case scenario and just live with the consequences.”
Damage limitation
But what are these consequences? What happens when a CEO goes public? The view from the table was that the biggest concern was public perception, and a loss of market confidence. It’s here that marketing and PR teams can certainly prove their worth. Recommendations for the types of activities that should be initiated as close to ‘ground zero’ as possible were:
- Putting in place capabilities for measuring customer perception of you as a brand
- Comparing this to your peer group and other companies of similar size
- Updating this measurement every two weeks, and keeping it running for at least six months
- Actively engaging with customers, and offering complete transparency as to what’s going on and how it impacts them personally
- Giving each customer a sense of choice – allowing them to end contracts early etc. if they want to, and offering to pay for credit checks so they have visibility of any repercussions
- Offering rewards for their loyalty, from product/service freebies to credit notes for future purchases – positioned as a ‘thank you’ and an apology for the trouble and worry caused
These points were all seen as key to crafting a best practice response. Yet all attendees agreed that the most important factor behind any reaction was an actionable plan. Indeed, it was commented that in the event of a breach the first question the board should be asking is: “do you have a set procedure in place, and are you following it?”
A good plan also helps ensure governance is hard-wired into the response. It’s about working your way down the list of tasks that need to be completed, identifying who needs to perform what role, and ensuring they’re fully informed. Or as one attendee described a good plan: “It should be based on individual capabilities and responsibilities, factor in the culture and values you have as a business, and blend these together into a framework that makes it all work”.
As for why such a plan is often missing inside many companies, the responses were “too expensive” or “too time consuming”. As was explained, a cyber attack reaction plan is ‘just another’ priority on a list of ever-shifting strategic priorities. What doesn’t help either is that the drafting of such plans doesn’t contribute directly to an increase in business capability, which is where executives want to spend their budgets. As one attendee stated: “Many existing plans are a bit sketchy and of limited practical relevance. Clarity only comes when you’ve been hit, and once you’ve finished the clean-up and performed a lessons learned analysis”.
Thinking longer term
So much for the immediate responses to a cyber attack – what of the longer term impact? How can your responses be used to drive positive change throughout the business? Certainly technology transformation is important, and addressing any known areas of risk. To this can be added the governance piece, and ensuring current policies and procedures are enforced across the business (and supply chain/third parties wherever possible).
But there also exists a third pillar that demands similar attention: culture.
Indeed, prevailing mindsets can often hamper efforts to improve technology and governance. Particularly when long-serving employees are asked to ‘move away’ from older systems and applications that they’re familiar with (and therefore comfortable using despite the security risk).
In addition, there’s the fear that in a complex, interconnected technology landscape, making changes or turning older systems off will lead to key capabilities becoming ‘broken’. Convincing people otherwise can be difficult, and lead to investments being focused elsewhere. Which is why in a peculiar way a cyber attack can end up being a blessing in disguise, by ‘waking’ the business up to the need for change – and in building the impetus needed to see it through.
It’s the same with the physical behaviours of staff in office locations. In part this relates to the idea that you can’t ‘legislate for stupidity’, and that communicating security policies is one thing but actively enforcing them is another. For example, one attendee described how “our security team does frequent sweeps throughout the office. We’ll note computers not locked down or inappropriately secured and then do a naming and shaming of culprits. Importantly this includes executives, as we want to highlight the communal nature of the responsibility. It’s done in a challenging yet constructive way, but there’s also a serious side: three strikes can lead to a performance disciplinary”.
Another attendee explained: “My team does a similar sweep on occasional evenings, looking to find items such as passwords written on sticky notes and placed on desks. We rip them up, then await calls to the helpdesk for a reset – which is where we’re able to push the educational piece”.
Measuring criticality
As for technology, a cyber attack will often kick-start a substantial piece of software transformation. Typically it will also lead to a rationalisation of the IT estate – and associated development methodologies. It’s here that you can address any instances where the development process lacks the necessary controls; where a proliferation of software, code, and databases has led to the lack of visibility that created the risk in the first place.
By reducing this technology sprawl the IT estate becomes easier to manage and control, better protected, and cheaper to run. It also makes IT’s job easier when it comes to identifying and isolating an attack. It also brings us back once again to ‘unknown unknowns’, and combatting the effects of ‘shadow IT’ on the business. To do this effectively requires governance and metrics, and for every piece of software in the business to be quantified according to a set of risk criteria:
- What’s its utility, and what value does it deliver?
- What is the cyber risk attached to it, including available support and maintenance requirements?
- What training risk is also in play, and what supporting knowledge can be called upon?
Adding the scores of these three together helps define the criticality of any given asset, its risk profile, and (therefore) its long-term prospects. From this, the CISO/CTO can make more informed decisions relating to roadmaps and future investments.
In summary…
As discussed on the day, the response of any business to a cyber attack is ultimately connected to its organisational maturity. That’s because measuring risk effectively, understanding where it exists and the actions needed to remediate it, requires established processes, comprehensive data availability, scenario planning, testing, and overall awareness at every level of the operation.
The immediate reaction to a breach is also defined by similar factors, and the tools, skills, and monitoring capabilities available that limit the time needed to understand what’s happening and where. Yet a breach will also bring with it a mandate for change, being an event that is seldom forgotten quickly. As with preparing for GDPR, the response can be used to uncover ‘unknown unknowns’, and systems/applications/data you never knew you had – to focus attention where it’s most needed, and to begin the process of reducing risk through decommissioning and deletion.
Yes, the immediate pain to employees, to customers, to the brand, and to the bottom line can be acute, but an effective response based on a well conceived and communicated plan can lead to the emergence of a stronger and healthier business well set for the future.
Should you wish to speak to Jean-Pierre more on this topic, please get in touch:
17.05.18