Cybercrime is stretching companies’ defenses and becoming incredibly personal. According to statistics from the US Federal Bureau of Investigations (FBI), over the four-year period January 2013 to December 2016 business e-mail compromise cost companies US$5.3bn. Email phishing is at an all-time high, with increasing incidences of ransomware in email attachments, while the number of cyber-related fraud incidents and losses continues to increase at an alarming rate.
Why are there so many challenges in fighting cybercrime? Cybercriminals have modernised their techniques, to take advantage of the gap between the adoption of digital technology and the implementation of effective security controls. Most people still don’t question the “from” line in the emails they receive, day in and day out. Unfortunately, without deploying the right tools there is no reason to trust the “from” line.
There are information security challenges, as the majority of fraud incidences go unreported. In many companies, information isn’t shared appropriately from organisation to organisation to allow them to quickly connect the dots and improve response. Prosecuting criminals across borders is also challenging. There is a need for more legal structures and global cooperation, as well as resources to support the investigations and convict the bad actors. The sheer volume and sophistication of cybercrime makes it difficult for government agencies to keep up.
Preparing an incidence response plan
Today’s fraud landscape should put all of us on alert, but in a February 2017 study by IBM Resilient, only 25% of respondents believed that their organisation had a high level of cyber-resilience while 71% said that their organisation was not prepared for the recovery and remediation process after a cyberattack.
These statistics, reflecting the readiness of companies, need to change if we are going to successfully combat the cybersecurity threats facing our global economy. Companies can no longer ignore these threats, but must plan for a cybersecurity event and develop well- thought-out and tested incident response plans.
Too many organisations view cybersecurity exclusively as a technology risk to identify, manage and mitigate. Businesses need to change their strategy and plan for intrusions, rather than being caught unprepared. In today’s fast-evolving threat landscape, where security attacks can compromise systems in a matter of minutes, it is essential that all lines of defence come together with a coordinated approach.
Managing cybersecurity risk needs to become a top-down management directive and a part of an organisation’s culture. Governance routines need to include risk management, information security and business continuity partners with regular reporting to a company’s board of directors. Information security partners need to share cybersecurity information with business continuity and disaster recovery teams as often as required, and the teams need to come together to manage risk. Internal audit also needs to help in the identification of vulnerabilities and be a part of continuous efforts to confirm that risks are minimised.
Tabletop exercises involving participants from disciplines across the organisation are a valuable practice to help identify risks and develop incident response plans. One of the side benefits of tabletop exercises is spreading the security knowledge deeper throughout the organisation. Since you can’t prepare for every type of threat, each risk needs to be prioritised by impact (level of severity and financial exposure) and likelihood of occurrence, so that the most impactful threats can be addressed first.
The goals of each fraud threat response plan need to be clearly defined. Clear roles, responsibilities and levels of decision-making authority need to be defined for each team member. Each plan should include appropriate measures for the remediation of any identified weaknesses in information systems and associated controls.
Putting the incident response plan into action
As soon as a breach is discovered, a well-developed and tested incident response team should be activated. The information security and business continuity teams need to be engaged, as well as the social media and public relations teams. These groups should have plans in place to minimise damage to the company’s reputation, have the cybersecurity strategies and business continuity plan actions to restore confidence in the company as quickly as possible, as well as to contain the security event. Providing a strong response to a security incident gives you an opportunity to re-establish trust in the company and strengthen client relationships.
In the case of a breach, because much of the data that must be collected is time-sensitive and cannot be reproduced, it is essential to collect and preserve evidence promptly. A few items to consider: time stamps for critical files; current logins; process lists; network connection; and memory dumps. Subject matter experts can help address the needs of each company so that time is not wasted preserving artifacts that are not relevant. When the fraud incident has ended, firms need to continue monitoring to make sure the containment was successful and the threat has been eliminated before returning to regular operations.
The new 72-hour incident response rule included in the New York Cybersecurity rules that took effect from March 1 emulates the new European Union (EU) regulations requiring companies to notify clients of a confirmed fraud incident. In the security field, many professionals believe that this 72-hour response will become the foundation for a future, broader implementation of fraud notification requirements across the globe.
What are the common mistakes?
Carefully thought-out plans must be tested to include external and internal communications and information sharing. What is the message for communicating the fraud incident? How are you going to deliver the message internally as well as externally? Have you estimated how many calls or emails you are going to receive? Who is going to service those calls? Have you evaluated cyber insurance to determine specific coverage in advance of an incident, and do you have the resources to pay for the outage?
In other words, you need to forecast the demand, plan the customer response and reserve the manpower and infrastructure to execute. Good incident response plans mock up a breach scenario to simulate the pressures of a real data breach; identify roles, responsibilities and internal/external communications that need to occur; and operationalise the plan to identify gaps and build muscle memory. Also, response plans need to be updated each time you test your procedures to address gaps.
In summary, a top-down management directive needs to be established within your organisation with regularly scheduled security updates to your board of directors. Your information security professionals must be linked with their business partners and bridge the traditional gaps between disciplines to establish a collaborative team. These teams can’t operate in isolation to combat the cybersecurity threats in today’s environment.
Companies need to test their plans and ensure they have appropriate resources to respond. Winning the battle against the cybersecurity threats facing our global economy will require firms to stay updated as to the current fraud schemes, implement effective security controls and be prepared.