The COVID-19 pandemic has increased the exposure of some organisations, which has led to them experiencing cybersecurity-related incidents.
According to a Trend Micro report published in August of the previous year, nearly 73 per cent of organisations in India expect to experience a data breach that impacts customer data in the next 12 months. The Indian organisations ranked the top three negative consequences of an attack as lost IP, critical infrastructure damage/disruption, and the cost of outside consultants and experts, a media report added.
In order to understand how organisations can be better prepared for and deal with data breaches, W.Media spoke to Pawan Chawla, CISO & DPO, Future Generali India Life Insurance.
There is no single, straightforward process for dealing with data breaches, primarily because of the complexity of the breaches taking place these days across the globe. An organisation can adopt the learnings from organisations that have been breached and define a strategy to stay protected against the worst.
“Let’s also accept, you can’t afford to be unprepared for a data breach’s aftermath. Even organisations with the strictest data security and IT policies could easily go the way of recent victims,” said Pawan Chawla, CISO & DPO, Future Generali India Life Insurance.
He further explained that it is up to the organisation to control the situation and protect its reputation, which a data breach can devastate, in the wake of an incident. The following five steps can help organisations stop information from being stolen, mitigate further damage, and restore operations as quickly as possible.
It is important to set the incident response plan in motion immediately after learning of a suspected data breach.
Cyber Crisis Management Plan (CCMP)
The Cyber Crisis Management Plan (CCMP) will help the organisation recognise a data breach, which it may learn of in several ways: the breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus malware alerts); through a social media post, since hackers generally post information about the breach; law enforcement organisations discover the breach; or a customer complains to the organisation that their card began racking up fraudulent charges after they used it there.
“A CCMP is a documented, written plan with 5 (Identification, Prevention, Detection, Response and Decision making) distinct phases that helps IT and Information security teams recognise and deal with a cybersecurity incident like a data breach or cyber-attack. Properly creating and managing a CCMP involves regular updates and training,” said Chawla.
He further explained that a well-executed CCMP can minimise breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world, you should already have a CCMP prepared, and the employees who are part of the Cyber Crisis Management Team (CCMT) should be trained to deal quickly with a data breach situation.
Preserve Evidence
When you become aware of a possible breach, it is understandable that you want to fix it immediately. However, without taking the proper steps and involving the right people, you could unintentionally destroy valuable data that the forensic investigation needs to determine how and when the breach occurred, and what to recommend in order to properly secure the network against the current attack or similar future attacks.
“It is important to note, when you discover a breach, remember, don’t panic, don’t let your failure to not panic lead you to hasty actions, don’t wipe and re-install your systems (yet), do follow your CCMP,” Chawla added.
Limit the Breach
The first priority should be to isolate the affected system(s) to prevent further damage until the forensic investigator walks you through the more complex, long-term containment.
It is important to disconnect the infected system from the Internet by pulling the network cable from the firewall/router, to stop the bleeding of data.
“Document the entire incident. Document how you learned of the suspected breach, the date and time you were notified, how you were notified, what you were told in the notification, all actions you take between now and the end of the incident, date and time you disconnected systems in the card data environment from the Internet, disabled remote access, changed credentials/passwords, and all other system hardening or remediation steps taken,” said Chawla.
He further added that it is also important to disable remote access capability and wireless access points, change all account passwords, and disable non-critical accounts. Document old passwords for later analysis. Change access control credentials (usernames and passwords) and implement highly complex passwords: 12+ characters that include upper and lower case letters, numbers, and special characters.
Segregate internet-facing hardware devices from other business-critical devices, relocate them to a separate network subnet, and keep them powered on to preserve volatile data. Quarantine, rather than delete, any malware identified by your antivirus scanner, so it is available for later analysis and as evidence.
“Preserve firewall settings, firewall logs, system logs, and security logs (take screenshots if necessary) and restrict Internet traffic to only business critical servers and ports outside of the internet facing environment. Consider hiring an expert experienced in managing data breaches, they will help in avoiding pitfalls that could damage your brand,” added Chawla.
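The containment steps above all come back to one discipline: document every action with a timestamp, and preserve logs in a way that later proves they were not altered. The following is an added example, not code from the interview or from Future Generali, of a small evidence-preservation helper: it copies log files into an evidence folder, records a SHA-256 hash and UTC collection time for each in a manifest, keeps an append-only incident timeline, and can later re-verify that no preserved copy has changed. The file names and log contents in the demo are constructed for illustration.

```python
# Added example (not from the interview): evidence preservation and incident
# timeline for the "document everything, preserve logs" containment steps.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def utc_now() -> str:
    """ISO-8601 UTC timestamp, so timeline and manifest entries sort cleanly."""
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path) -> str:
    """Stream-hash a file so large log files need not fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class IncidentTimeline:
    """Append-only JSON-lines record of what was done and when."""

    def __init__(self, path):
        self.path = Path(path)

    def record(self, action: str, detail: str = "") -> dict:
        entry = {"time": utc_now(), "action": action, "detail": detail}
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
        return entry


def preserve_evidence(sources, evidence_dir, timeline: IncidentTimeline) -> dict:
    """Copy each source file into evidence_dir, hash original and copy, and
    write a manifest. A copy is marked verified only when both hashes match."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        original_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime for later analysis
        copy_hash = sha256_file(dst)
        entries.append({
            "source": str(src),
            "copy": str(dst),
            "sha256": original_hash,
            "verified": original_hash == copy_hash,
            "collected_at": utc_now(),
        })
        timeline.record("preserved", f"{src.name} sha256={original_hash}")
    manifest = {
        "created_at": utc_now(),
        "evidence_dir": str(evidence_dir),
        "entries": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir) -> bool:
    """Re-hash every preserved copy; False if any file is altered or missing."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    for entry in manifest["entries"]:
        copy = Path(entry["copy"])
        if not copy.exists() or sha256_file(copy) != entry["sha256"]:
            return False
    return True


def demo(work_dir=None) -> dict:
    """Build constructed sample logs, preserve them, and return the manifest."""
    work = Path(work_dir or tempfile.mkdtemp(prefix="ir-demo-"))
    logs = work / "logs"
    logs.mkdir(exist_ok=True)
    # Constructed sample content; not real firewall or system output.
    (logs / "firewall.log").write_text(
        "2024-01-01T10:00:00Z DENY 203.0.113.5 -> 10.0.0.4:3389\n"
        "2024-01-01T10:00:05Z ALLOW 10.0.0.4 -> 198.51.100.7:443\n"
    )
    (logs / "auth.log").write_text(
        "2024-01-01T09:58:00Z login ok user=svc-backup src=10.0.0.22\n"
    )
    timeline = IncidentTimeline(work / "timeline.jsonl")
    timeline.record("notified", "SOC reported suspected breach")
    timeline.record("isolated", "host pulled from network, left powered on")
    return preserve_evidence(
        [logs / "firewall.log", logs / "auth.log"], work / "evidence", timeline
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file produces the manifest for the constructed logs; in practice the evidence folder and `timeline.jsonl` would live on write-once or offline storage, and `verify_manifest` would be run by the forensic investigator before relying on any copy.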
Cyber Crisis Management Team
“It is important to assemble the CCMT and initiate the defined process in CCMP. A data breach is a crisis that must be managed through teamwork. Assemble your cyber crisis management team immediately,” said Chawla.
He further pointed out that a CCMT generally includes a senior management team that will assess the need for declaring a crisis and act as a command and control body throughout the recovery process. Appoint a third-party forensic investigation agency as the incident or crisis demands.
A Damage Assessment Team is critical to gather information on the extent of damage or disruption to facilities, IT infrastructure systems, and the expected turnaround time. The team is responsible for assessing the extent of damage to the facility and to initiate and coordinate the salvage operations.
An IT Recovery/Restoration team is responsible for restoring the critical applications, data and networks through appropriate steps, including restoration from backup, use of a disaster recovery site, and any other suitable measure to restore business functionality.
Each team brings a unique perspective to the table, with a specific responsibility in managing the crisis.
Investigate, fix systems and Implement breach protection services
The hardest part of an incident is investigating and fixing everything that has broken. After the cause of the breach has been identified and eliminated, ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems into your production environment.
“A key part of a successful breach response is what you learned from the breach. After the dust has settled, assemble CCMT once again to review the events in preparation for the next attack. Incorporate the lessons learned and ask, How can we improve the process next time? And then revise CCMP,” added Chawla.
If you don’t have a Cyber Crisis Management Plan, making one should be a top priority. Ensure it is aligned with the CERT-In CCMP guidelines. Then practice and review your plan annually. Without annual tabletop and simulation training, the members of the CCMT will panic in the face of a data breach.
“Suffering a data breach is one of the most stressful situations an organisation can withstand, but it doesn’t have to be the end of your business. Greet it with a solid and practiced incident response plan to avoid significant brand damage,” Chawla concluded.