Five things we learned about responding to cyber security incidents in 2018
07 February 2019
2018 was another big year in cyber security: data breaches continued to dominate headlines, hundreds of millions of consumer records were compromised, and the reputations of big-name brands were called into question over their preparation for and response to incidents. Spurred on by this and increasing regulation, cyber security became a top concern for CEOs and moved its way further up the boardroom agenda, resulting in a commitment from many organisations to invest more in cyber security.
With our cyber incident response team’s busiest year on record, we continued to see incidents of all shapes and sizes in 2018, each requiring a tailored response to effectively limit the business impact. We responded to organisations targeted by motivated and increasingly brazen cyber criminals and state-sponsored threat actors, as well as data breaches caused solely by poor internal controls and inadvertent insiders.
Many of these have had wide-reaching consequences for the organisations involved, including the costs of breaches soaring into the tens of millions of pounds, loss of trust with customers and investors, and total disruption of business operations for significant periods of time.
Here are five key lessons we learned about responding to cyber security breaches in 2018:
1. Attackers are continuing to take advantage of organisations yet to master the “hard basics” of cyber security
The majority of security incidents we handle could have been prevented, or their impacts significantly limited, if organisations had mastered the basics of cyber security; the key weaknesses we see are in implementing the principle of least privilege and having tested backups in place. Fixing these hard basics continues to be a challenge requiring sustained time, investment and management buy-in. To do this, it is imperative that organisations move beyond simply implementing good-practice security controls and change their overall approach to cyber security. This may require investment in rebuilding technology infrastructure so that processes are more securable, rather than making incremental improvements to the infrastructure an organisation already has, but it can bring high returns in the form of new business advantages and opportunities.
2. Organisations cannot always control when they will be breached, but they can control how they respond
Those organisations which have taken steps to prepare for security incidents are responding more rapidly and effectively; a key step is having documented and exercised response plans which engage a wide range of stakeholders from across the organisation.
Retaining external expertise to respond to incidents is also key, and is a widely sought-after mechanism for managing data breach risks, but it needs to be more than a box-ticking exercise. Organisations should look for an incident response provider that can deliver a rapid, effective and expert service when called upon, and that can work as a trusted partner rather than an arm's-length third party. Also, look for a provider with some level of independence: the organisation securing your network may not be best placed to investigate or respond to a successful attack against it. Organisations that use their managed IT service provider (MSP) for incident response services should have a clear understanding of how conflicts of interest will be managed should an investigation expose poor IT management or contractual breaches, or identify the MSP itself as the infection vector.
3. Time pressures for organisations to effectively respond to incidents are increasing while incidents become more complex
Organisations are becoming reliant on increasingly complex technology, data and interconnectivity. As a result, investigating security incidents is becoming more complicated, with more unknowns and greater risks to the organisations involved, all whilst the pressures for a rapid and effective response are increasing. 2018 has seen the introduction of GDPR in the EU (and other regulations around the world) mandating how organisations respond to cyber security incidents, resulting in further guidance from regulators regarding the timely disclosure of cyber security incidents to investors, and increasing public expectations as to how and when companies should respond to cyber security breaches.
4. Management and coordination of major incidents is a more significant challenge to organisations than technical analysis
Organisations are failing time and time again to successfully respond to and remediate major incidents, with intruders maintaining access and control gaps remaining open. This is often the result of a lack of strategy, and ineffective management and coordination. Even simple breaches can require significant coordination effort, especially given the complexities caused by diverse regulatory environments, tangled corporate structures, and interdepartmental politics as a result of the sensitive issues involved. A key example of this is in the planning and management of remediation efforts. At best, these can be transformational and lead to a successful step change to an organisation’s security posture, and at worst can be wholly tactical and ultimately ineffective.
Our cyber incident response and crisis management teams have worked hand in hand over the last year to manage and coordinate the response to significant incidents. Together, we have built highly integrated technical and strategic organisation-wide response efforts, including rapidly standing up new decision-making structures and building effective multidisciplinary teams.
5. Outsourced service providers can be the key enabler, or the key barrier, to an effective incident response (and in some cases even the cause of the incident)
Many organisations have multiple service providers heavily integrated with their environment, responsible for managing large parts of their IT infrastructure and service delivery. We have seen incident response efforts hindered by service providers with a lack of specialist resources, an inability to make emergency changes to the environment, and a lack of available network documentation to inform response planning.
The capabilities of service providers to respond to incidents should be clearly understood, documented and tested, as should the responsibilities for inter-organisational cooperation in the event of an incident. Appropriate SLAs should be built into contracts to ensure changes can be made rapidly during an incident. Finally, service providers should be required to maintain up-to-date documentation on interconnectivity and the infrastructure they support, and to make this quickly available to incident response teams should it be required.
We hope this has provided some useful insight into the lessons we learned from 2018, and how you can apply these to enhance your incident response planning in future. If you’d like to learn more about our incident response services, please get in contact with us below, or via email at [email protected].