A key question raised by pending changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), which require organizations to notify Canada’s Privacy Commissioner in the event of a breach depending on its impact, is how to decide whether they are obligated to report.
Although it’s a single question, it’s not an easy one for many organizations to answer, said Ali Arasteh, senior manager at FireEye. Reporting breaches under the Digital Privacy Act becomes complicated if a company doesn’t know when it was breached or how much data was touched by a bad actor. In some cases, it may not even know it has been hacked.
On average, it takes 147 days to discover a breach, according to FireEye’s Mandiant M-Trends research. Mandiant responds to 200 incidents a year, Arasteh said, and many breaches in the U.S. result in notifications. The new requirements in Canada will be useful in garnering more attention at the executive level for security and risk issues such as data breaches, and law enforcement agencies will benefit as well, because the breach notification requirement will allow them to justify the resources they need to deal with the problem.
However, there is still a huge gap in many organizations, both from a technical and skills perspective, in terms of how to evaluate the impact and scope of a breach, said Arasteh. “The nature of security issues and breaches means it’s sometimes very difficult to decide when to notify third parties or not.” Organizations need to determine whether personal information was accessed and disclosed, and what harm that breach may cause.
He said that’s a tough call to make, as a number of factors determine the impact of a breach and its scope. But if the hacker wasn’t detected until five months after the initial access, they have probably gained access to everything. Most hackers are able to crack an enterprise’s Active Directory within three days, said Arasteh. “If an attacker has been around a couple of weeks, you can assume they accessed all critical information.”
It’s hard to find out what damage has been done, as it takes a great deal of time and resources, while a company’s board of directors wants to know the impact and scope immediately, he said. “Answering these questions takes time.” And unless you put in the effort, you don’t know what data has been accessed, and there is a chance you might not be able to figure it out if there’s no evidence left. “That adds to the complexity.”
Arasteh said it helps to look at the motivation behind the attack. “There are a number of actors you need to take into account.” Was it a government-sponsored attack? A financial actor monetizing information? Someone looking to damage the company’s reputation? “Motivation is important.” In Canada, there has been an increase in attacks aimed at disrupting business operations, he said, as well as ransomware scenarios.
It goes without saying that organizations need to work at earlier detection of breaches. “The potential impact will be lower,” said Arasteh. “The earlier we can find the attacker in the lifecycle, the easier it will be to scope the incident.” Many enterprises make significant investments in controlling the perimeter, but once an attacker gets past it, the organization has no visibility or detection capabilities, he said. This lack of visibility means they can’t go back to look at traffic to understand what was happening a month ago, or know what data was leaving the perimeter that shouldn’t have.
These investigative capabilities are also critical to determining the impact and scope of a breach, and whether it needs to be reported or disclosed under the Digital Privacy Act, said Arasteh, and organizations should look at having third parties on retainer who have the missing skills. “Typically organizations don’t have the maturity to respond to a sophisticated attacker.”