Once you’ve suffered a cyber attack, much of the damage has already been done. There’s no way to make the disruption disappear or to circumvent your data breach notification requirements. Ignoring the attack or your regulatory obligations will only make things worse.
Under the GDPR (General Data Protection Regulation), organisations are required to notify their relevant supervisory authority within 72 hours of discovering certain types of data breach.
Specifically, you must notify your supervisory authority if the incident “pose[s] a risk to the rights and freedoms of natural living persons”.
Additionally, you must notify affected individuals if the incident results in a “high risk”.
Before you contact anyone, therefore, you must identify whether the data breach meets that threshold. That might seem like even more work, but it can have significant short- and long-term benefits.
For example, reporting an incident allows individuals to look out for suspicious activity, such as money disappearing from their bank accounts, and enables them to take steps to protect themselves.
Notification also helps other organisations prepare for similar attacks. Criminals often reuse successful techniques, whether it’s a particular scam method or a network vulnerability, and publicly announcing this threat gives organisations time to address the issue.
If all organisations do this, you will benefit massively in the long run.
This issue connects to a far bigger problem: no one is truly aware of just how big the threat of cyber crime is. The number of reported incidents has surged in the past few years, but experts suspect there are still a vast number of unreported breaches.
If there were more transparency, organisations would realise how important it is to address cyber security. It would also make criminals’ jobs harder. As it is, cyber crime is practically a no-risk venture: whether you succeed or fail, you fly under the radar and almost certainly won’t face any consequences.
Will reporting incidents stop cyber criminals?
Organisations might counter these points by noting that very few cyber criminals are identified even when cyber crime is reported. A survey by the UK’s National Crime Agency found that only 38% of respondents are confident that law enforcement responds appropriately to cyber attacks.
This problem is exacerbated by the light punishment that convicted cyber criminals receive.
Cyber security journalist Brian Krebs is one of the few people who regularly reports on the prosecution of cyber criminals, and often criticises the leniency of judges. Commenting on one case, he wrote:
[C]ourts around the world continue to send a clear message that young men essentially can do whatever they like when it comes to DDoS [distributed denial-of-service] attacks and that there will be no serious consequences as a result. […]
I would submit that if we don’t have the stomach to put these “talented young hackers” in jail when they’re ultimately found guilty, perhaps we should consider harnessing their skills in less draconian but still meaningfully punitive ways, such as requiring them to serve several years participating in programs designed to keep other kids from following in their footsteps.
Doing anything less smacks of a disservice to justice, glorifies DDoS as an essentially victimless crime, and serves little deterrent that might otherwise make it less likely that we will see fewer such cases going forward.
It’s therefore clear that breached organisations aren’t the only ones that need to reconsider the value of identifying and responding to cyber attacks.
It requires a coordinated effort from everybody involved to appreciate the magnitude of the problem and how to reduce it. Organisations’ responses should include a detailed breach notification procedure, but it’s just as important to fortify defences and mitigate the threat of attacks.
If you’re facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
Prevention is better than the cure
Although it’s impossible to eradicate cyber security risks altogether, organisations can and should create a layered security system to identify vulnerabilities.
This means creating a system that addresses both technical and organisational weaknesses. An organisation’s biggest weakness is often its staff, so staff awareness training is an essential starting point.
Meanwhile, many attacks stem from technical vulnerabilities, so organisations should also conduct regular penetration tests to assess their systems’ security.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisation’s networks or applications.
A level 1 penetration test is adequate for organisations that want to identify exploitable weaknesses, such as those in the OWASP Top 10.
These tests replicate the kinds of low-budget attack that an opportunistic criminal hacker would attempt, and are ideal for small-to-medium-sized organisations or those with no experience of security testing.
You can find out more about penetration testing and the ways IT Governance can help secure your organisation by downloading our free guide: Assured Security – Getting cyber secure with penetration testing.
This free green paper explains in detail how penetration testing works, the vulnerabilities it can help you identify and the ways those risks can be mitigated.
You’ll also learn the five major types of penetration test: external network tests, web application tests, internal network tests, social engineering tests and wireless network tests.
A version of this blog was originally published on 30 July 2018.