
The worst case scenario: recovering in the wake of a cyberattack

Posted on: 19 Nov 2021

It’s easy to find information on how best to prevent cyberattacks, but what can SMEs do when the worst happens? Matheson’s inaugural conference on cybersecurity, ‘How to Prepare and Respond to A Data Security Incident’, saw a panel of experts give answers to that key question. Morgan Stokes reports.

Much of the omnipresent media discussion on cybersecurity focuses on prevention, but it may be better for business to treat cyberattacks as an inevitability. That’s the key takeaway from law firm Matheson’s first cybersecurity conference, ‘How to Prepare and Respond to a Data Security Incident.’

 

The panel was moderated by Sinead McSweeney, Vice President, Public Policy, EMEA, and Managing Director of Twitter Dublin, and featured insights from Inspector Brian Halligan of the Garda National Cyber Crime Bureau; William O’Brien, Director, Cyber Security, Forensics and eDiscovery, PwC; Deirdre Crowley, Partner, Data Protection, Privacy and Cyber Security, Matheson; and Michael Byrne, Partner in Litigation with a focus on Technical Disputes, including Cyber Breach Disputes, Matheson.

 

Presented as an online webinar with a Q&A chat, the event aimed to shine a light on what to do in the worst-case scenario.

 

Trouble is just a click away

Prevention is better than cure when it comes to security, and employers might take pride in how well their staff are trained. But measures around employee behaviour, like password changes and avoiding phishing emails, don’t always work in the real world, where staff are tired, busy or just having a bad day. In a certain environment, an observer might recall the joke about a physicist trying to cure a sick coop of chickens by telling the farmer to first put the entirely spherical bird into a vacuum.

 

Inspector Halligan is keen to emphasise that a breach can happen to anyone at any time: “Everyone is only one click, tap or swipe away from becoming a victim of a cybercrime”. McSweeney, who was at the helm of a response to a security breach at Twitter in 2018, agrees: “It’s no longer a question of ‘if’... but really considering in depth and in a very real way what to do when it happens.”

 

The increase in cyberattacks comes from a combination of sheer scale and technical scope. McSweeney says that like many legitimate companies, con artists and scammers brought their businesses online due to lockdowns, and Microsoft’s 2020 Digital Defence Report shows a 35% increase in attacks for 2020. It is true, however, that attacks are getting more sophisticated. The same report notes that cybercriminals are now able to set up email accounts that mirror a company’s domain (the part after the @ in yourname@example.com) exactly, which makes phishing attacks look more convincing, and that malicious software is evolving faster than antivirus software can keep up.

 

Rapid reporting – a matter of law

All panellists were keen to stress the legal obligations of a victim of cybercrime to report the event in a timely manner, and with good reason – in July 2020, the Central Bank fined Bank of Ireland €1.6m for failure to report a cybersecurity breach. In fact, legal penalties can range from an unlimited fine to five years in prison.

 

If your organisation is hacked or otherwise compromised, you have 72 hours to report the event to An Garda Siochana and the DPC, including holidays and weekends.

 

According to the International Telecommunications Global Cybersecurity Report, considered an industry bible, Ireland’s legal mechanisms for dealing with breaches are among the best in Europe, and Halligan is keen to stress the Gardaí’s track record in dealing with cybercriminals. While the hysteria around cyberattacks makes for great headlines, we don’t always hear as much about the successes of cybercrime units around the globe. In October, the Gardaí were able to seize the servers of the criminals behind May’s HSE cyberattack.

 

Halligan notes that sharing information about cyberattacks is crucial to building a pattern that global law enforcement can follow to the perpetrators: “by engaging with us, the victim is making a significant contribution to our knowledge.”

McSweeney agrees: “No piece of information is too big or too small to report to the Gardaí.”

 

Halligan also cautions against paying any ransom demanded: these people are criminals, and there’s no guarantee your data will be retrieved. The inspector also points out that they’re used to dealing with busy businesses, and that the Gardaí understand the need to ensure business continuity.

 

It’s never just you – keeping third parties in the loop

Not only does a business have an obligation to report a data breach to law enforcement, but they’re also required to inform anyone whose data may have been affected – and in the modern commerce ecosystem, that could be any number of suppliers, employees and contractors, as well as clients. Under GDPR, a victim of a cyberattack must inform anyone whose data may have been compromised ‘without undue delay’; the law doesn’t state an exact timeframe, but it’s clear that sooner is better than later.

 

Deirdre Crowley explains that all notifications must be “in plain language” and should lay out exactly what is being done to retrieve data and ameliorate the damage. If enough data is compromised that informing all parties individually is unrealistic, a note must be published somewhere that third parties will see it.

 


 

In Retail News July/August 2020, we reported that the majority of attacks on food businesses come through third parties. Crowley acknowledges this, and suggests a zero-trust approach, giving vendors and clients no more data than absolutely necessary. She also says that with the ubiquity of these kinds of attacks, third parties generally show some understanding – but there is a delicate suggestion that anyone in charge of informing clients should have some customer service experience.

 


 

Deploying the troops – getting good at wargames

 

There’s something of the general about William O’Brien, and he wastes little time in instructing attendees on how to develop strategy. A key component, he says, is “wargaming” – running through a simulation of an attack before it occurs.

 

We have written previously about how and why a holistic approach involving everyone from shop floor to C-suite is important for prevention, and O’Brien argues that it is no less important for preparedness. “Cybersecurity incidents aren’t just an IT issue,” he says. “Anyone working in the business has an obligation to protect brand and reputation”. Simulations should involve everything from reporting an initial attack internally, to IT employees locking down systems, to liaising with the Gardaí and third parties.

 

O’Brien breaks the process down to containment, investigation, recovery, and reporting. An IT team should be on hand to prevent any malicious software spreading further and to see what can be retrieved; a team should be in place to find out what happened; and designated individuals should report to Gardaí and clients. All roles should be clearly defined, so that there’s no confusion when something happens. Even if IT is outsourced, internal positions must be allocated.

 

Some solace through civil court action

Michael O’Brien raises a new and interesting possibility – the chance to take action through civil courts. It is, he says, possible to take out an injunction against ‘persons unknown’ (i.e. hackers) to prevent them from using your data. The practice is gifted to us by Harry Potter, of all things – Bloomsbury used one in 2003 when the contents of one of the books in the series were leaked.

 

O’Brien acknowledges that an injunction is no magic wand, and that hackers are criminals – “they’ll never comply” with a court injunction. But many other web companies that host illegal data on their systems are doing it unwittingly; they may have purchased it from a company they thought was legitimate for marketing purposes, for example. A court injunction can provide a mechanism to prevent others from using it and can also send a message to third parties that you’re serious about keeping them safe.

 

The takeaway

Digital security is an ecosystem – even if you’re certain your own organisation is as safe as possible, you can still be vulnerable to exposure from third parties. Training hard and having processes already in place can remove fear and allow you to spring into action as soon as possible. As O’Brien puts it, it’s “all about that preparation... training is a fundamental part of that. Getting senior leadership, IT, internal resources into a room and doing crisis planning” is essential to a meaningful recovery.