Incident Response and Recovery
With daily headlines and ubiquitous information relating to data breaches, it’s no longer a question of if, but when your business is going to be breached. Suffering a data breach will not always lead to a catastrophe however, mishandling your company’s response most certainly will.
How your company responds to a data breach may ultimately define the future of your business. Many companies aren’t aware of their obligations for correctly investigating a data incident and can cause more damage mishandling their investigation than the breach itself. Many companies still don’t have a Data Breach Incident Response Plan, whilst those that have one, may never have tested the effectiveness or practicality of the plan.
Many businesses are still unaware of the correct procedures for investigating a data incident, often blindly relying on their IT team or third-party provider for assistance. Not all incidents are notifiable data breaches however, they should all be treated as such until proven otherwise.
The typical response for many companies is for IT to contain the breach, reactively investigate some logs, restore from backups and return the business to normal operations as soon as possible. This approach may further expose your business to additional risk through deletion or destruction of potential evidence or altering the chain or continuity of evidence and thus potential non-compliance.
Most data breaches are considered high tech crime offences, as defined in Commonwealth legislation within Part 10.7 – Computer Offences of the Criminal Code Act 1995, and the crime scene, whether physical or cyber, should therefore be treated accordingly.
Should IT Investigate?
As highlighted above, this is a much broader investigation than your IT team simply reactively checking some event logs. Furthermore, allowing IT to deal with or investigate the incident, without specialist assistance may potentially cause more harm than the initial incident, thereby exposing your company to additional risk and exposure to potential litigation.
Understanding criminal legislation, privacy, data protection and preservation, digital forensics processes, Chain of Custody (CoC) and Route Cause Analysis (RCA) is vital when investigating a data incident or data breach. Each incident should be thoroughly investigated by specialists and qualified experts to preserve evidence and identify. How, where, when and what did the threat actors gain unauthorised access to within your systems? Did they gain access to any personally identifiable or financial information (which could then make the incident a Notifiable Data Breach)?
Furthermore, the investigation should ascertain if the threat actors took control of your email platform, sending your clients malicious emails from your inbox. Also, have the threat actors left any hidden remnants that will enable them to monitor your systems and emails, enabling them to launch secondary attacks weeks or months later?
If your IT manager or third-party provider is not aware of these processes or suitably qualified in these areas then you should consider consulting with appropriate specialists.
Cyber Audit Team (CAT) Incident Response
CAT’s comprehensive Incident Response services help to maintain business continuity, whilst providing swift, clear and confidential remediation advice. Our qualified security and intelligence professionals possess the expertise to investigate cyber incidents of all types – from low-level IT security events to sophisticated, highly targeted attacks.
Utilising a variety of advanced specialised techniques and leading technology, our team is able to identify how a security incident occurred and unravel the movements of a threat actor to identify the true extent of the breach. More importantly, our team seek to minimise our client’s risks exposure, reduce potential brand and reputational damage and reduce the risk of regulatory fines or enforced remedial actions.
We will work to contain the incident, investigate the matter correctly, ensure that your brand and reputational damage is mitigated and help your team to return your business to normal operations as quickly as possible. We will do this in a discreet manner, whilst ensuring regulatory compliance is observed and followed.
Notifiable Data Breaches Scheme
Changes to the Privacy Act 1998 (Cth) now include mandatory Notifiable Data Breach (NDB) legislation, which became law in Australia as of 22 February 2018. Company’s no longer have the option of keeping quiet following a data breach, with potential penalties for non-compliance of $420,000 for each director and $2.1 million for businesses. The Act mandates the data breach be investigated, with disclosure of data breach to the regulator as soon as practicable and to all affected persons within 30 days of discovery of the breach.
The amendment is designed to ensure that companies take appropriate measure to protect their customer’s valuable and sensitive data, whilst preventing it from being accessed or stolen and falling into the wrong hands. More importantly, the amendment is designed to enhance and protect an individual’s privacy, affording greater protection of their Personally Identifiable Information (PII) and Financial Data, whilst mitigating identity theft and financial fraud.
For more detailed information please contact CAT today, or visit the excellent resources available through the Office of the Australian Information Commissioner (OAIC) website here.