By James Henry, Practice Director, Auriga
When the financial services sector suffers a data breach, it costs. As one of the most tightly regulated industries in the world, the financial sector faces stiff penalties when a breach occurs, but perhaps even more costly is the loss of trust and the resulting erosion of the customer base. The 2016 Cost of a Data Breach report produced by the Ponemon Institute found that loss of business is the single biggest cost of a breach, because customer faith is hard won. And yet, inevitably, data breaches will continue to occur, so what can these organisations do?
The focus thus far has been on minimising the impact of these attacks so that the organisation can bounce back. Incident Response (IR) is often the first form of defence, and sees the organisation follow a given procedure to handle and mitigate the effects of the breach. This will typically start with disclosure to the relevant regulatory authorities and to those customers affected. But in order to disclose, the company also needs to carry out digital forensics to determine the nature of the attack and the extent of the compromise. It’s this conflict that so often causes the delay between a breach being detected and being announced.
IR can often feel like a knee-jerk response that seeks to kick-start a linear process of detection, investigation and response. It can be IT-centric, with containment and remediation the principal focus, and that can be problematic when it comes to improving the overall security posture of the organisation, which requires a top-down approach. It can also fail to look at the wider picture by seeking only to contain and remediate the immediate threat; an approach which could see the same attack recur on other systems, for example.
Given that most IR plans are reviewed quarterly at best, usually only annually, and are largely static in nature, it’s easy to see why they are failing to keep pace with the growing diversity of breaches. Clearly, IR is only part of the answer, not the defining way to handle a breach.
Another key finding from the Ponemon study was that companies that participated in threat-sharing activities saw costs diminish. Such threat intelligence helps reduce the number of attacks liable to infiltrate the enterprise, because it can flag anomalous activity that may otherwise have gone undetected. But in truth threat intelligence is only the beginning of an iterative process.
As a feed of information, threat intelligence can inform the company, but it can also be far more proactive and be used to steer the organisation. That only happens, however, if the flow of that information is facilitated upwards through the company so that it becomes business intelligence. For that to happen, what’s needed is a resilience strategy; a point recently reiterated by the Financial Conduct Authority.
Because cyber resilience is so closely aligned to risk management and is strategic in focus, it is also a great way of escalating cyber security to the boardroom. Resilience then becomes part of the company culture and becomes a discipline in its own right. Threat intelligence feeds then become instrumental in helping heighten or lower the risk profile of the company and, by comparing this to the risk appetite of the business, it becomes possible to direct business strategy using this information.
Cyber resilience differs markedly from security because it accepts risk and seeks to create a pervasive policy that adapts to changes in that risk. Rather than being defence- and recovery-centric, the focus is on sustaining business operations. Why does this matter? Because cyber resilience is adaptive. If threats change, cyber resilience can accommodate them and adjust the threat profile; if technologies change and bring with them new attack vectors, such as the Internet of Things, the cyber resilience policy can adapt to incorporate these.
What’s key here is recognising that the response to a data breach is not fixed. Yes, the IR process must be observed, but the results of that process need to feed back into the way the business is run, and not just from an IT perspective but from a strategic one. In this way, data breach mitigation helps hone the company and focus remediation efforts. Costs are reduced. And, crucially, customer retention is improved through actions that demonstrate the organisation is cohesive, self-learning, and perpetually improving.