
teissTalk host Geoff White was joined by Deborah Haworth, Chief Information Security Officer, Penguin Random House; Tim Roberts, Managing Director, AlixPartners; Rafael Narezzi, CTO, CF Partners; Samantha Humphries, Head of Security Strategy, EMEA, Exabeam.
Coca-Cola said it is now investigating the claim of a Russian hacker group that it has successfully breached the soft drink giant’s servers and stolen gigabytes of data. Coca-Cola was chosen as the target in a poll on Telegram, where voters could nominate a victim that the criminals would then hack. If a brand realises that it’s been selected as the target of a breach, the first thing it needs to do is examine the context and decide whether there is a plausible reason why it’s been targeted – in Coca-Cola’s case, it could have been the decision to close operations in Russia entirely.
It may take a long time to find out that you’ve been breached; the gap between the breach and its detection can sometimes be as long as a couple of years. As a first step, get all your relevant teams – comms, security, legal, tech, compliance – together to offer the CEO options regarding what actions they could take.
Even if adversaries don’t actually steal your data, from the point where they’ve entered your system, it is a breach. While they’re sitting in your system latently, they have the opportunity to find your juiciest bits of data and choose the best time to steal it. It’s great to have tools to detect breaches, but unless you have the right processes to follow up on them, it’s just money down the drain. The SOC team detects dozens of incidents that are insignificant enough to remain within its own remit, while others need to be escalated because of their publicity, legal and similar implications. Once you realise it’s a breach, not just an incident, there needs to be a shift in the terminology you use, as well as in the circle of stakeholders you involve.
If you are a tech company, your people will want to hear the news from “the horse’s mouth”, while in non-tech businesses, it should be HR or some other department responsible for communication that informs staff in plain English. Post-breach, it’s a good idea to conduct an independent lessons-learnt exercise. (How did we deal with it? Did we follow our playbook? What was the root cause? How can we prevent it from happening again?) The best lessons come from those who were on the front line of the breach.
If you have a cyber incident, it’s essential to get the optics right by showing that you do care – for example, by publishing a CEO video – but always make sure that their metacommunication is aligned with the message. Even at the stage when you still know little about the incident, demonstrate that you’re on the ball. If you are sure no customer data could possibly be affected, for example, make a statement about it straight away.
Don’t be scared of saying there might be a breach rather than being idle while one is actually happening.
Never reduce your RCA (Root Cause Analysis) into a tick-the-box exercise. Create a no-blame debrief culture!