As firms face increased and sophisticated cyberattacks, ensuring you know what to do in the face of an attack is paramount.
The stats are startling: The Hiscox 2022 Cyber Readiness Report disclosed that 48% of companies reported a cyberattack in the past 12 months, up from 43% last year. One in 5 companies attacked say their solvency was threatened, an increase of 24% from last year.
Al Marcella, PhD, CISA, CISM
President Business Automation Consultants, LLC
The financial impacts are profound. In 2023, the average cost of a data breach reached a record high of $4.45 million, according to IBM’s Cost of a Data Breach Report 2023. A cyberattack of even a small magnitude will have an impact on your firm’s ability to continue uninterrupted business operations.
The risk to the firm because of a breach goes beyond the loss or manipulation of client data, or the exposure of personally identifiable information. There is the potential for additional financial loss and legal penalties. Unfortunately, for many firms, it is not a matter of if, but when a data breach will occur. Even organizations maintaining well-secured IT environments become victims.
“Time is not on your side when you have a breach,” says Elvin C. Tyler, Vice President, Internal Audit & Finance Transformation at Lumentum.
Before discussing what to do when a data breach occurs, it is important to first recognize the basic differences between a data breach, data leak and a data hack.
A data breach is simply an incident that exposes confidential, sensitive or protected data to an unauthorized person. While data breaches can be the result of a system or human error, many data breaches are the direct result of cyberattacks, where a criminal (threat actor) gains unlawful access to sensitive information technology data (e.g., personally identifiable information, account numbers, client files, accounting records, etc.) and applications (e.g., payroll, accounts receivable, strategic planning, etc.).
Risks associated with these include:
Weak or stolen passwords
System vulnerabilities
Third-party breaches
Physical theft or loss of sensitive devices
Physical attacks
Old, unpatched security vulnerabilities
Human error
Misuse of privileged access
A data leak typically refers to the accidental or intentional disclosure of sensitive or confidential information from a system, application, or a database. It can occur due to various reasons, such as misconfiguration, human error or system vulnerabilities. Unlike a data breach, a data leak may not involve malicious intent or unauthorized access. It often occurs due to oversight or mistakes in handling data.
A data hack is the result of malicious behavior carried out by a hacker or a group of threat actors, internal or external, misusing devices like computers, smartphones, tablets and networks, which most often result in the:
Damage, modification or corruption of computer hardware and/or systems.
Gathering of information on users.
Stealing of sensitive, protected data and confidential documents.
Disruption of data-related activities (e.g., internet, critical infrastructure, etc.).
Risks associated with these include:
Malware or ransomware attacks
Phishing or social engineering attacks
SQL injection code exploits
Distributed denial-of-service (DDoS) attacks
Man-in-the-middle attacks
Outdated systems
Compromised credentials
6 STEPS TO PROTECT YOUR DIGITAL ASSETS
Faced with the possibility that your IT environment may have been breached and your firm’s essential digital assets have been compromised, manipulated or exposed, what moves do you take to address this cyber incident and work toward mitigating future compromises to the firm’s IT environment?
Move #1: Take immediate steps to contain the breach, collect digital evidence to identify the breach and implement longer-term procedures to mitigate the possibility of future attacks.
The first step is to identify the source and extent of the breach so that you can immediately address it, says Tyler. “If you do not have them in place, I would strongly encourage companies implement intrusion detection and/or prevention systems. These systems can automatically log the breach for you. Using the logs, you can track down the source of the breach and see which files were accessed and more importantly what actions were taken by the threat actor.”
Tyler also suggests saving an image or copy of the affected server(s) at the time of the breach as legal counsel may need it in the event of a future lawsuit.
“In 2023, the average cost of a data breach reached a record high of $4.45 million.”
Once the breach is contained, Amar Badrinarayan, Vice President of Technology Risk Management at Mastercard, says the first step is to assemble experts to understand the source and scope. “Then the team should quickly move towards addressing the gaps in security to stop the bleeding. This could be taking the systems that have been compromised offline to stop any additional loss, patching the vulnerabilities, and updating the credentials and passwords. As the team progresses through the investigation, it is very important that none of the evidence is destroyed,” Badrinarayan says.
Badrinarayan says to demonstrate that the breach has been contained, clearly describe the following:
Source of the breach.
Data or information that was compromised.
Whether any of the stolen information has been used.
Steps that were taken to mitigate the breach.
Actions that were taken to protect affected businesses and individuals.
A primary contact’s information for follow-up questions.
Move #2: Perform a post-breach assessment, verifying (as much as humanly/technically possible) that the threat actor(s) have “left the system.”
As important as identifying the breach and containing further loss/exposure is, determining that the threat actor(s) have left your system is essential.
Tyler suggests the following:
Containment: Make sure you not only isolate the compromised systems, but also ensure you prevent destroying any evidence that can help investigate the breach.
Eradication: It’s vital you eliminate the cause of the breach. “For example, if the breach occurred because of the willful and intentional misconduct by one of your employees, then you should disable all accounts provisioned to that employee,” says Tyler.
Recovery: Getting back to normal as soon as possible is top of mind for staff. After eradication is complete, the IT team will likely install patches, have staff change passwords, etc.
Move #3: Identify and contact those individuals who may be affected because of the breach of your IT systems.
Though it can be uncomfortable, after a breach that places the firm’s data at risk, notifications are paramount.
“Generally, anyone whose personally identifiable information or protected health information (as defined by statute) has been compromised must be notified of the incident,” says Jeffrey Schultz, Partner and Chair of the Data Innovation, Security, and Privacy Practice at Armstrong Teasdale LLP. He notes that some companies who are vendors for other companies or individuals may also have contractual obligations to notify their clients of the incident.
“As important as identifying the breach and containing further loss/exposure is, determining that the threat actor(s) have left your system is essential.”
Schultz says most statutes and contracts will outline the timelines for notification. “Every state has a statute that requires notification of certain affected individuals if personally identifiable information (as defined in each state’s statute) has been compromised,” he says. “At the federal level, HIPAA and other sector or industry-specific laws may also impose obligations on companies to notify affected individuals in the event of a data breach. Finally, companies should be mindful of their contracts with vendors and constituents, which routinely include a variety of data security and breach notice obligations.”
Move #4: Investigate the cost/benefits of appropriate indemnification acquiring cyber insurance.
While no organization can eliminate the risk of a data leak or a threat actor(s) penetrating, hacking or breaching the firm’s IT systems and broader IT environment, reducing that risk via nontechnical methods should always be considered as part of a firmwide risk management/mitigation plan.
According to an October 2022 memorandum from the National Association of Insurance Commissioners, approximately $6.5 billion in cyber insurance direct written premiums were recorded in 2021, a 61% increase over the prior year.
“The need for and type of cyber-risk insurance can vary depending on the size and type of business,” says Brian Rugg, Vice President, at Think Big Go Local. “If we were limited to only one coverage type, we would choose third-party liability coverage.”
“While cyber insurance provides a level of protection and contributes to reducing the risks associated with a data breach, well-designed, implemented, and tested business resiliency plans will allow the firm to continue uninterrupted, essential business operations.”
Cyber insurance is not a one-size-fits-all product. The following should be considered before purchasing a cyber insurance policy:
Is cyber insurance truly necessary for the firm to maintain ongoing business resiliency?
Are well-formulated, regularly tested internal controls in place that will contribute to the mitigation of cyber risk should the firm decide not to acquire cyber insurance?
What specific risks does the cyber insurance policy address?
Is the policy under review the right policy for the firm?
How much risk is management willing to accept?
Does the cyber insurance policy contribute to meeting management’s risk threshold?
Move #5: Design, implement and regularly test business resiliency plans to assist in protecting the firm’s digital assets.
While cyber insurance provides a level of protection and contributes to reducing the risks associated with a data breach, well-designed, implemented and tested business resiliency plans will allow the firm to continue uninterrupted, essential business operations.
In brief, business resiliency plans consist of:
Incident Management Plans
Business Continuity Plans
Disaster Recovery Plans
Having all three plans up-to-date and in place will provide the firm with greater flexibility, to respond to the actions of a threat actor and to assist in the timely, controlled and organized recovery from a breach.
Furthermore, Badrinarayan says revise and update your procedures for incident management and breach containment. “It is important that the lessons learned are captured for future reference.”
Move #6: Be proactive.
Tyler says it’s best to prepare for a data breach before it happens. “Seems simple, but tragically few organizations do.” To that end, he suggests conducting a risk assessment to identify vulnerabilities within your firm. From there, you can develop mitigation plans to address any weaknesses.
John Kitchen, Global Professional Service Manager at Sumo Logic, says user training is also key. This can include “testing” employees by sending fake phishing emails to see who falls for it.
Badrinarayan echoes this sentiment. “Educate and empower your employees. Security is everybody’s responsibility in the firm,” he says.
As data-rich environments, law firms are prime targets for cybercriminals, making cyber insurance a critical investment. Jeremy King, Partner at Olshan Frome Wolosky and Chair of the firm’s Insurance Coverage Law Practice, walks us through what to look for when choosing or changing your cyber insurance coverage and how policies have changed to accommodate cloud servers and remote work. Download this episode of Legal Management Talk wherever you get your podcasts, or watch on YouTube.
About the Author
Al Marcella, PhD, CISA, CISM, is President of Business Automation Consultants, LLC, an international IT consultancy firm, which he founded in 1984. Marcella is an internationally recognized public speaker, researcher, IT consultant and workshop and seminar leader with 40 years of experience in IT audit, risk management, IT security and assessing internal controls. He’s authored numerous articles and 28 books on various IT, audit and security-related subjects.