I was delighted to collaborate with Camille Beshara of Larson Skinner PLLC on a presentation about security incident and breach notification preparedness for the legal session during CMLS 2019. While there is guidance available on creating a plan to respond to such incidents, I thought that there would be some benefit for attendees if I explained how these plans don’t always work as expected in the “real world” and discussed some additional considerations that stem from that.
A Typical Plan
First, here’s a summary of some of the typical steps one might find in an incident response plan:
- Assemble your security incident response team, including IT, HR, legal, and communications resources. Isolate the affected systems. Inform law enforcement and your insurance provider (if you have relevant insurance).
- Collect information, using a local forensics expert as needed:
- Date, time, duration, and location of breach
- How the breach was discovered, by whom
- Method of intrusion, including the path into, through, and out of the network
- Compromised data or systems
- Whether data was deleted, modified, viewed
- Whether any physical assets are missing
- Affected individuals (note their state of residence)
- Records and fields, encrypted or not
- Determine your notification obligations. Consult a qualified attorney to review the information you collected to determine based on the patchwork of state breach notification laws who needs to be notified and how, including state agencies and credit reporting companies. Log inquiries and responses.
- This includes reviewing the implications of the breach, taking steps to address further risks, and improving your plan based on your experience.
The Complications
Physical Records. Not every state breach notification law covers physical records, but when they do, the typical response plan is complicated by some realities of the investigation stage. Consider the following questions: How do you know who accessed the files and when? How do you know what was viewed, modified, or removed? How do you know who is affected and how to contact them? If you have older files, do you have current contact information and, if not, how does that affect your notification method? If you think physical records may have been accessed by an unauthorized individual, the lack of the information needed for notification and recovery can be daunting. This is why, when I assess a client’s information security proactively, I recommend taking special care to trace the physical path that sensitive and confidential information takes through the organization, from acquisition through retention and destruction, and I often recommend steps to improve physical security. Creating the appropriate processes, policies, and physical infrastructure is important.
Printers. There are devices containing sensitive information in many offices that rarely get a second glance in terms of security – printers, scanners, and fax machines (they still exist!). Many of these devices have firmware that needs to be updated, passwords that need to be set and managed, and hard drives full of sensitive information retained from documents that have passed through the device, usually with little in place to protect them. Many consumer-grade and low-end business printers do not encrypt information in transit or in storage, and have no retention-period controls. So, using free tools like PRET, it is not difficult for anyone with access to the network containing a printer to read what is on its hard drive. Is your network designed so only people who should have access to the printer can reach it? Should everyone who can physically and electronically access printers containing sensitive information have access to the most sensitive paper and electronic contents? When would you know about a breach? How would you know what information was accessed? Like physical records, these devices present quite the security challenge.
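As an added example (not from the original post), here is an nftables ruleset for a firewall that forwards traffic between office VLANs and a printer VLAN; it answers the network-design question above by letting only an assumed print server (10.0.10.5) open connections to the printers’ job and management ports, and logging and dropping every other attempt so that a workstation probing a printer shows up in the firewall log. The addresses, the printer subnet and the port list are assumptions for illustration.

```nftables
# Added example, not part of the original post. Assumed topology:
# printers live on 10.0.20.0/24, the print server is 10.0.10.5, and this
# firewall sits in the forwarding path between office VLANs and printers.
table inet printer_acl {
    set printers {
        type ipv4_addr
        flags interval
        elements = { 10.0.20.0/24 }
    }

    # Ports used by raw/IPP/LPD printing (9100, 631, 515) plus the usual
    # web, FTP and telnet management interfaces found on office printers.
    set printer_ports {
        type inet_service
        elements = { 9100, 631, 515, 80, 443, 21, 23 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Let replies to already-accepted print jobs and queries continue.
        ct state established,related accept

        # Only the print server may open connections to printers.
        ip saddr 10.0.10.5 ip daddr @printers tcp dport @printer_ports accept
        ip saddr 10.0.10.5 ip daddr @printers udp dport 161 accept

        # Everything else aimed at a printer port is logged, then dropped.
        # A hit here from a workstation address is the early warning that
        # someone is reaching a printer they should not be able to reach.
        ip daddr @printers tcp dport @printer_ports log prefix "printer-acl drop: " counter drop
        ip daddr @printers udp dport 161 log prefix "printer-acl drop: " counter drop
    }
}
```

Load it with `nft -f` on the firewall and watch the kernel log for the "printer-acl drop:" prefix; the counters on the drop rules give a quick way to see whether anything other than the print server is trying to talk to the printers.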
Ransomware + Data Exfiltration
Ransomware is malware (malicious software) that encrypts the files on your network or otherwise blocks access to them. It’s called ransomware because you may be prompted to pay a ransom to regain access to the files. Most security professionals advise clients not to pay the ransom, because often the hacker will not decrypt or restore access to the files as a result. Some companies respond to ransomware by quickly wiping the affected computers, reinstalling the computers’ operating systems, and restoring files from backup. That’s considered a success by many. But what if the ransomware was not the entire problem … what if it was just a cover for data exfiltration – where a hacker copied sensitive information from computers on the network? Let’s consider what should happen when there is any unauthorized access to your network or computers. Where is your Business Resumption Plan for Computer Incident Response, including the contact information for the response team, law enforcement, incident response and forensics experts, and your insurance company that you need to initiate your response? If the answer to any of these is “on a computer”, you may want to consider what happens if you can’t access those computers because they have ransomware, or because you shouldn’t use the computer before forensics experts finish their investigation. That’s not the time to realize you needed to have stored the information somewhere else or had a printout of all the above-mentioned information available.
A “Regular” Hack
If you suspect your company’s computers have been hacked, this is when the incident response plan described above becomes valuable – and it’s important to have trained employees on your plan. But there are some critical tips which you will want employees to remember. If you think there might be a security breach:
- Do NOT access, log into, update or otherwise alter a computer or network device that may have been affected
- Do NOT turn off, reboot, or restart the computer or device
- Do NOT investigate on your own
- DO call your pre-identified local forensic experts, etc. per your incident plan.
- DO unplug the network cable
- DO turn off your wireless router (if the affected computer is connected wirelessly)
A Note on Cyber Insurance
There is a lot of variation in cyber insurance policies, so it’s a good idea to read the policy carefully and get an attorney involved if you’re not very sure you understand all the terminology, the coverages, and the exclusions. Some carriers have “failure to maintain”, “negligence”, “failure to follow” or similar exclusions that allow them to not pay out on a policy if you haven’t maintained certain security standards of practice. Not assessing and managing security risks, not having security policies, not having documentation of regular staff training on those policies, and a wide variety of other conditions may allow your carrier to deny your claim. Even if your company follows the practices laid out in the insurance policy, many policies do not cover the specific procedures and technical controls that can reduce the risk of a breach occurring. For those seeking more detail on this subject, I would suggest reading “Does insurance have a future in governing cybersecurity?” (Daniel W. Woods and Tyler Moore, © 2019 IEEE).
Next Steps
There is no such thing as perfectly “secure” – but you can take reasonable steps to reduce the risk of an information security incident occurring and to be as well prepared as possible when one occurs. The first step toward understanding your company’s risk is a security assessment, something I’ve been honored to do over the past two decades for many companies in the real estate industry.