Managing a cyber attack webchat: 10 things we learned
This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.
This article was first published on Olswang's Changing Business Hub on the Guardian.com. It is authored by Michael Berliner and Adam Davidi.
Cyber attacks pose a significant threat to a company’s value and often attract intense media scrutiny. Personal data can be compromised, services are disrupted and sometimes highly embarrassing correspondence is released. In light of recent breaches, security professionals play an even more important role in keeping their customers’ and their colleagues’ data safe and secure.
If attacks are so tremendously damaging, why do they seem to be increasingly common? Are the hackers winning their game of cat and mouse against law enforcement and the information security industry? Can companies do more to defend themselves – both to prevent attacks and to mitigate damage during and after the event?
The panel:
Dave Boxall, head of information security, Guardian News & Media
Dave Boxall has over 20 years’ experience in practicing information security. Having learnt the ropes initially in the defence sector, he has since applied his skills in gaming, banking, financial services and most recently the media sector. He’s found that each environment has its own specific challenges but a lot of issues and their associated solutions are common. Now in his fourth year at the Guardian, Dave manages cyber security incidents on a daily basis.
Ashley Hurst, partner, Olswang
Ashley is a partner at international technology, media and telecoms law firm Olswang. He is a commercial litigator with a particular specialism in media and internet disputes. In addition to his experience on complex commercial disputes, Ashley is also the first port of call for numerous technology and media companies in crisis situations, including data security breaches where his expertise in reputation management, project management, and data privacy combine to form a unique offering to clients.
Siân John, chief strategist for EMEA, Symantec
Siân is responsible for leading the articulation around Symantec’s overall technology strategy. She has a particular focus on cyber- and information security and communicates this to all major stakeholder groups including customers, partners, press, industry analysts and internal sales, technology sales and marketing teams.
Ross McKean, partner, Olswang
Ross is a partner at international technology, media and telecoms law firm Olswang and leads the firm’s data protection practice. He has a broad experience of data protection and privacy matters including audits, compliance assessments, remediation projects, ad hoc and transactional advice.
Mark Raeburn, CEO, Context Information Security Ltd
Mark is the CEO of Context Information Security, one of the UK’s largest technical security consultancy companies with an expanding network in Germany and Australia. He has led the company’s growth since its inception in 1998. His current principal focus is on exploring the challenges of detecting and preventing malware, particularly within the corporate environment, and helping businesses understand the new and growing threats – and how to respond.
10 things we learned:
Cyber attacks are on the rise
Mark Raeburn, CEO, Context Information Security Ltd
Cyber attacks are commonplace in this age, and being compromised is no longer a rare event, so effective PR management and an effective remediation plan going forward are all that should be required.
Preparation, preparation, preparation
Siân John, chief strategist for EMEA, Symantec
It’s easier to respond to and recover from an attack if you’ve prepared and planned for what will happen. This includes business leaders, PR, corporate communications and legal. Often practices focus on the technical aspects but it’s often the business aspects that have the biggest impact.
Less really is more
Ross McKean, partner, Olswang
Collect and store less data. That’s the easiest way to reduce risk (and) store data smartly – embrace innovation like tokenisation of payment cards. Encrypt!
We must understand our data
Siân John, chief strategist for EMEA, Symantec
Protecting data is the biggest challenge we’re facing today. We’re all storing more and more with massive increases in data.
However, we’re not taking the time to understand what our data is, or how sensitive. Many companies say it’s too hard, but if an attacker gets in your network they’ll be motivated to find it.
Common sense rules
Ashley Hurst, partner, Olswang
In my experience, people get too bogged down in what an internal policy document or flow chart says rather than applying basic common sense. For example, a lot of time can be wasted debating whether a “crisis” or a “data breach” has occurred which triggers the response plan.
Diverse storage is not necessarily the answer
Dave Boxall, head of information security, Guardian News & Media
Diverse storage would on the face of it seem sensible but I would argue the common attack point isn’t the data store but the logic that retrieves the data which would allow diversely stored data to be retrieved as a single dataset.
Minimise risk through training
Ross McKean, partner, Olswang
Most breaches are caused by human error or malice; not technology – so training and raising awareness are crucial to minimising risk.
Don’t get your PR wrong
Ashley Hurst, partner, Olswang
Some interesting comments so far on the PR elements of security breach. This I think is where most mistakes are made, either because companies jump the gun before they have the facts (eg “medical data has not been lost”), because there is confusion as to what the facts are, because they don’t say anything at all, or because what they do say, they say to the wrong audience (eg they ignore social media). The key is to be co-ordinated and have a “master of the facts”, someone who has the time to read all the documents and communicate with the lawyers, investigators, PR people etc and make sure they all work together from one central narrative.
Organisations need an effective bring your own device (BYOD) policy
Mark Raeburn, CEO, Context Information Security Ltd
Having an effective BYOD policy will be the first step. Robust access control and monitoring is also necessary. Being able to identify and classify data and ensure that there are strong controls in place to prevent cross contamination will also help mitigate part of the risk.
A BYOD policy is an acceptance of a risk; hopefully the risk has been suitably measured and controls put in place.
Think about the security risks of the internet of things (IoT) before installing
Siân John, chief strategist for EMEA, Symantec
I don’t think the IoT is a different problem to anything else. The danger with it is that like every other technological evolution we are installing it first and then thinking about how to secure it afterwards.
As Ross said about SMEs the opportunity is there to bake good process and security in from the beginning. That’s a similar situation to IoT. However, security is never a driver behind the development of a market or business so it usually only comes to play once the market has matured, making security more difficult.