You wake up at 2 a.m. to your phone’s red alert alarm going off – your system has suffered a breach and you’re the first to find out.
As the cold sweat breaks out on your forehead and you start struggling to get into clothes so you can rush to the office and take action, the questions start forming in your mind: Who got in? What did they take? How long have they been there? Should I call my CIO?
In many organizations, there are no easy answers to these questions. As a confluence of factors such as increased complexity within the IT environment, increased scrutiny from regulators, and the growing sophistication of hackers comes to a head, securing sensitive data is the cyber challenge of our time. But with the right proactive approach, frontline IT responders can prepare to remediate attacks, knowing exactly the risks of any intrusion, as well as who to call in the aftermath of that 2 a.m. alert. These approaches were explored by Cisco Canada and IT World Canada in a webinar, “Canada’s Digital Privacy Act: Are you prepared for the changes coming?” on Aug. 15.
The challenge
At its core, the main challenge is that crime pays – and cyber crime pays even better. According to analyst firm Gartner, the cyber crime market will generate $6 trillion in 2018, dwarfing the $3.7 trillion that is spent by enterprises on all IT operations.
It’s no wonder that about half of all legitimate security alerts aren’t addressed, said Jack Pagano, director of security solutions at Cisco Canada. Most cyber security teams are too short-staffed to deal with all these alerts, with ISACA estimating that 2 million security jobs will go unstaffed by 2019.
Those that are hired to the team face an environment of growing complexity. The average enterprise is relying on more than five vendors to provide network security.
“Every new solution comes with another management interface, and each one demands human resources and management hours to set up, set policy, and respond to alerts,” Pagano said. “You’ve now added complexity without much overall incremental effectiveness since your security solutions don’t work together to share information.”
As a result, intrusions into corporate networks go undetected for far too long, sitting behind the firewall for more than 100 days, according to Cisco.
That doesn’t bode well for the new updates to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) coming into force Nov. 1. The most important changes to the legislation, which affects Canada’s private sector, are the requirements to report breaches. Affected individuals must be informed about privacy breaches, and in some cases so must the Office of the Privacy Commissioner of Canada and other regulatory bodies. Firms must also keep auditable records of privacy breaches.
While the recent European Union General Data Protection Regulation (GDPR) requires organizations to report a breach within 72 hours, the updated PIPEDA regulations use vaguer language, points out Jim Love, CIO of IT World Canada. This puts the onus on organizations to prove that they both have a plan of action and followed it properly in case of a breach.
“We have more judgment involved in what we do, so it’s even more important for us to answer these questions,” he said. “The government will be asking ‘did you have a policy and did you follow it?’”
Despite the increased compliance pressure, some surveys show that concerns around data breaches are declining among executives. While 50 per cent of executives were concerned in 2015, only 44 per cent were concerned in 2017.
Furthermore, only four in 10 executives say they have an appropriate policy in place for when a breach occurs, yet none think their policies need improvement. “Under the new PIPEDA, this is going to be critical,” Love says.
Prepare data by prioritizing based on privacy sensitivity
To prepare for PIPEDA, organizations will need to classify their data in a way that prioritizes security for the most sensitive, personally identifiable information (PII). It won’t hurt to do some data pruning as well, deleting what you don’t need and aren’t going to use.
“If you don’t know what’s significant and what needs protection, you won’t figure it out at the time of a breach,” Love says. “Answer this question long before you have a breach on your hands.”
The purpose of prioritizing privacy data is to know what plan you’d take if that data were to be breached. Love points to examples within his own business context as a publisher: did a story get released a day earlier than it should have? No problem. Was the audience services database breached? If so, what tables were exposed and was the data encrypted or not?
Once data is prioritized, run simulations that involve the real responders to data breach incidents. They should know who to call and what to do when each category of data is exposed. You’ll also be able to determine what protection each category of data requires.
At Cisco, the strategy is to collect intelligence about security threats and share it across various products that create a layered security approach. “If you build your security infrastructure like a tiled roof, the hackers will slide off to the sides like rainfall,” Pagano says.
That intelligence layer is powered by Cisco Talos, the largest non-governmental threat intelligence organization in the world, with more than 250 researchers. Its work is integrated into Cisco’s products, which protect everything from the endpoint to the mobile user to the network, whether on-premises or in the cloud.
Pray for remediation
With a proactive approach like this, you may never find yourself praying that your data breach won’t require a regulatory audit. But in the cases that it does, there are other people to call before you go to the big guy upstairs.
Cisco’s Incident Response services are designed to help intervene when the proactive steps have failed and an emergency response is required.
“We are essentially talking about putting our crack team of security experts at the end of a phone, so that when you suffer a breach they spring into action, literally jumping on a plane to your site and helping you scope, close and recover from a breach much more quickly,” Pagano says.
Cisco offers its professional services on a year-round basis through a retainer that provides access to its security experts for proactive precautions as well. This will see Cisco working alongside your security team to assess your breach preparedness using tabletop exercises and other methods.
In this scenario, Cisco becomes part of that communications chain that you know you can reach out to after that 2 a.m. crisis alert.