IT security escalation management must be part of every contingency plan

Today, companies have contingency plans for many conceivable emergencies and disasters in place. Yet astonishingly, this doesn’t hold true for IT security disasters like hacks and data breaches, for which many companies are still surprisingly ill-prepared. Companies need a strategy to keep their data and systems safe in a worst-case scenario. Therefore, IT security escalation management should be an integral part of any such planning efforts.

Hacking attempts and network intrusions have increased tremendously over the past few years. Recently, there were a couple of incidents such as the Colonial Pipeline hack in early May 2021, or the attack against the payment service provider Visma Esscom, in which a zero-day exploit in software from the security company Kaseya left several branches of the Swedish supermarket chain COOP unable to operate. All these examples highlight the fact that nowadays the biggest threat to companies seems to come from cybersecurity breaches.

In particular, the shutdowns of gas pipelines and supermarkets have shown the public how vulnerable the infrastructure we take for granted is to hacking attacks. These incidents have also demonstrated to companies that it is imperative to be prepared for such cyber attacks. How can one prepare for them, though? And what do you do when you fall victim to cybercrime?

Stay prepared

Firstly, being prepared is essential. One of the most important things is to keep all your data and files encrypted, using only the strictest encryption standards. Ultimately, this will ensure that hackers will not be able to decrypt your data and read your files once they have stolen them.

Train your employees

In particular, it is of utmost importance to train your employees to be alert for any suspicious activities, such as phishing emails and social engineering attempts, as well as to pay attention to meticulous “password hygiene”.

All too often, employees are susceptible to social engineering attempts, such as spear phishing emails or phone calls from a person pretending to be a customer, a colleague or a superior, and trying to elicit valuable information from them. Likewise, many employees use easy-to-guess passwords like “password”, “ABC” or a simple combination of letters and numbers that can easily be targeted in a brute force attack. Making your employees aware of these issues is already a big step toward a resilient security setup.

If something has happened, firstly establish that you have been hacked

In all likelihood, the outcome of a hack won’t manifest itself as clearly – and frighteningly – as in the case of closed supermarket doors or empty gas pipelines. In fact, it is often more likely that your team won’t even realize that an intrusion has happened and that your data was stolen. As the old adage goes: “There are only two kinds of companies: those that have been hacked and those that haven’t realized it yet.” While this paints a bleak picture of the general situation regarding cybersecurity, it also starkly highlights the need to be prepared.

Maintain your core processes in the event of an attack

Assuming that the worst-case scenario has occurred, what would you do now? Firstly, you should escalate the issue internally and alert your company’s internal computer emergency response team (CERT). Most big companies, at least, already have such a response team.

However, this assumes that your organization already has the necessary standard operating procedures (SOPs) and incident response guidelines in place and that every employee is aware of their responsibilities. It should be clear to everyone to whom an issue is escalated, who else is kept in the loop, and who informs the CERT and your legal team. These questions and the associated steps should be clearly recorded so that no time is lost in an emergency – otherwise major mistakes would likely occur.

Act swiftly

A key part of IT security escalation management is acting swiftly so that no time is lost. A slow response allows hackers to wreak even more havoc in your organization and compromise more parts of your systems. However, if swiftly alerted, CERTs can undertake the right measures and, if necessary, disconnect infected parts from the overall system to prevent cyber contagion. In this way you can perhaps still minimize the damage. Similarly, CERTs have to perform digital forensics audits during and after a security breach to preserve evidence that may help them find the actual perpetrator.


When is an attack reportable to supervisory authorities?

A data breach affecting personal data might imply a reporting obligation under several data protection laws, such as the General Data Protection Regulation (GDPR) of the European Union (EU). Under Art. 33 of the GDPR, in the case of breaches which are likely to result in a high risk, data controllers must notify supervisory authorities without delay, and no later than 72 hours after becoming aware of the breach. Evaluating whether a breach is reportable is a complex task, and to obtain advice with respect to a particular issue, you should seek professional advice in your own jurisdiction.

What are the legal consequences, when personal data under the GDPR is affected?

A personal data breach is a serious issue that can have grave consequences for a company.

According to the GDPR, in serious cases, beyond the notification to the supervisory authorities, data controllers may have to communicate the personal data breach directly to the affected individuals. Failure to notify a personal data breach, or to notify within 72 hours, may lead to corrective actions and fines of up to EUR 10.000.000 (ten million euros) or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. However, the reputational damage can cause even more losses to the affected company.

What is important for preserving digital evidence?

Preserving digital evidence — as opposed to physical evidence like fingerprints — comes with its own set of problems. First and foremost, digital evidence can easily be destroyed during an incident response, and thus all traces of the perpetrators can be lost. Similarly, if the perpetrators have been identified and the criminal case is brought to court, there are high standards for the admissibility of evidence in the proceedings. If your company introduces digital files as evidence to prove the identity of the attackers, it is your company’s obligation to prove that the evidence wasn’t tampered with, in order for it to be admissible in court. This is why the quality of your digital forensics team’s work, and its rigid adherence to the right SOPs, is so important.

In this regard, your CERT should follow clear incident response guidelines that attach great importance to digital hygiene. One critical rule among these guidelines is that the system should not be shut down, as the data held in random access memory (RAM) may thereby be lost. Likewise, you shouldn’t run any programmes on the affected machine, as this may delete or overwrite data and log files that could have been used as evidence later on. Instead, your CERT should disconnect infected computers and servers from the overall system and copy potentially compromised data and files onto a sandboxed system where the preserved digital evidence can be stored and forensics can be run.
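One concrete way to support the obligation above, that is, to later show that preserved files were not tampered with, is to seal each file with a cryptographic hash at acquisition time and re-verify against that record before use. The following is an added illustration, not code from the original article; the evidence files, the collector name and the directory layout are all constructed for the example.

```python
import hashlib
import os
import tempfile
import time

# Constructed sample "evidence" as it might be copied from a disconnected host (not real data).
SAMPLE_EVIDENCE = {
    "auth.log": b"Jun 12 03:14:07 host sshd[812]: Accepted password for admin from 203.0.113.7\n",
    "memory.dmp": bytes(range(256)) * 4,
    "suspicious.bin": b"MZ\x90\x00" + b"\x00" * 60,
}


def sha256_file(path, chunk=65536):
    """Stream the file so large captures (memory dumps) never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Hash every preserved file and record who acquired it and when (chain-of-custody record)."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        entries.append({"file": name, "sha256": sha256_file(path), "size": os.path.getsize(path)})
    acquired = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    # Keep this manifest on write-once storage, separate from the evidence it describes.
    return {"collector": collector, "acquired_utc": acquired, "entries": entries}


def verify_manifest(evidence_dir, manifest):
    """Return the names of files that are missing or whose hash no longer matches the manifest."""
    tampered = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            tampered.append(entry["file"])
    return tampered


def demo():
    """Write the constructed evidence, seal it, then show that a later modification is detected."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    for name, data in SAMPLE_EVIDENCE.items():
        with open(os.path.join(evidence_dir, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(evidence_dir, collector="analyst-1 (hypothetical)")
    clean = verify_manifest(evidence_dir, manifest)          # [] : nothing changed yet
    with open(os.path.join(evidence_dir, "auth.log"), "ab") as f:
        f.write(b"tampered\n")                               # simulate an accidental overwrite
    return clean, verify_manifest(evidence_dir, manifest)    # (..., ["auth.log"])
```

In practice the manifest itself should also be signed or stored on media the analysts cannot rewrite, since an integrity record that can be silently regenerated proves nothing.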

In sum, being prepared is of utmost importance and your organisation should start by educating your employees on the looming threat of cyberattacks and how they can help in protecting your company. Furthermore, storing all your data fully encrypted can provide your company with the highest security level as modern encryption makes it exceedingly hard – if not impossible – for hackers to decrypt the files and read them.

This article is for informational purposes only and does not constitute legal advice. To obtain advice with respect to a particular issue, you should contact your attorney.

Chief Sales Officer at
