Rising to the Challenge: Mastering Data Breach Response Amid Ransomware

Corporate ransomware threats have increased in frequency and severity in recent years. Accordingly, ransomware attacks are changing too. Ransomware attacks have evolved from making data inaccessible by encrypting files and systems, to exfiltrating data and creating “double extortion” risks, to applying pressure by making the exfiltration and compromise publicly known (i.e., triple extortion).

Increasingly, organisations are adopting the mindset that data breaches are an inevitable reality. This posture is sensible, but it requires dedicated and ongoing work to maintain standards and readiness for the eventual breach response. These efforts need to happen while multinational organisations simultaneously face a matrix of intersecting regulatory requirements.

To place these developments in context, and to offer recommendations to organisations facing operational and technical challenges in responding to data breaches, FTI Consulting’s Sonia Cheng and David Dunn participated in a panel discussion as part of the International Association of Privacy Professionals (IAPP) Data Protection Congress 2023.

Adapting to change: Rapidly evolving threat and regulation landscape

The panel remarked that truisms about which industries are highest risk are no longer valid. For example, while health care and financial services have typically been seen as particularly vulnerable targets, now, “organisations in every industry face significant cybersecurity threats.”  Nor can organisations simply set aside threats outside their own perimeters. Suppliers, customers and other third parties can introduce data risks.

Meanwhile jurisdictions worldwide have developed unique standards and expectations surrounding how organisations respond to data breaches.  Moreover, regulators in different regions often have varying thresholds for what counts as a data breach.

High-profile breaches have resulted in legal action against organisations and senior individuals for overstating cybersecurity preparedness and failing to disclose known risks. This underscores the increasing scrutiny over how organisations manage and protect the data they store. Repeated violations and/or breaches caused by negligence may result in class action lawsuits and other reputational and operational consequences that imperil business continuity.

Like organisations, regulators are fighting to stay abreast of the latest threats and ransomware trends. However, in an era of regulatory fragmentation, organisations cannot trust that following regulatory guidance alone will be enough to effectively tackle emerging cyber threats.

Steering clear of hidden cyber hazards: A strategic approach to data breach response

An organisation’s success during data breach response is invariably contingent on preparation undertaken while not in a crisis. Knowing exactly who to call, how to access logs, who is responsible for what, and how to begin preparing the breach report, can be conducted swiftly and calmly if the processes are codified and followed faithfully.

The panellists recommended that because data breaches are an organisation-wide problem, business units across an entire organisation should be represented in breach preparation. Table-top exercises are beneficial, but their impact is diluted if they only involve the information security team. Individuals outside of information security will have responsibilities during a breach, and these roles should be identified and practiced in advance.

Common missteps in subpar breach response were also discussed. These included trying to rebuild systems too quickly in the aftermath of a data breach, failing to rapidly involve outside counsel and lack of attention to the wellbeing of the security teams making extraordinary efforts to rectify the breach. One panellist recommended the importance of appointing a single point person to coordinate accountability and quality control throughout the response process.

Future proofing: Steps toward best-in-class data breach preparedness  

Particularly when new security products come to market promising next-generation technologies and transformative results, “getting the basics right” is often, and to the detriment of best practice, overlooked. It sounds simple to say that organisations must implement foundational levels of protection over the most common threat vectors such as email, yet even these fundamentals can be missed, especially during times of rapid growth or M&A activity. Likewise, information governance exercises that clearly outline how data and information is structured within the organisation and data minimisation programmes are critical foundational pillars.

The reality today is that organisations responding to a data breach cannot simply report the incident and close off the conversation. Increasingly, regulators expect organisations to present detailed summaries of business continuity plans and broader cybersecurity posture as part of the initial breach response – typically within 48 hours of the breach being diagnosed, although this varies from jurisdiction to jurisdiction.

This means that as well as thorough up-front preparation and table-top exercises, organisations must involve each key internal team and stakeholder that will be needed in the event of a breach. Preparatory conversations between legal, information security, privacy and communications teams are essential to ensure a consistent narrative through internal and public-facing conversations. A clear reporting structure from the information security team to the boardroom ensures cybersecurity concerns are adequately represented at the highest level of the organisation.

Part of this effort involves personnel, of course. Although no organisation can hope to prevent every data breach in perpetuity, vigilance in the workforce and a broad knowledge of cybersecurity best practices can help defend against established threats such as business email compromise and impersonation attacks.

In summary: An ounce of prevention is worth a pound in breach response –preparedness is proportionate to your performance

The steps to deliver best-in-class data breach response is a matter of focusing on the fundamentals and cautioning against overreliance on technology alone (i.e., there is no silver-bullet). Additionally, organisations should conduct regular work to map the organisation’s network perimeter, ensure baseline cybersecurity controls are in place and well managed and maintain continuous dialogue and exercises that engage staff in the collective mission to ward against evolving cybersecurity threats. It’s critical to establish a robust chain of command that ensures clear roles and responsibilities from tactical response through to executive and board strategy decisions. However, mapping these responsibilities and processes to a complex and evolving regulatory environment is a challenging task and will continue to test senior leaders in the months and years ahead. 
 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.