Last week, RiskLogic brought you the news on the GDPR Regulation that will affect any business or persons who hold European data. This new regulation, although positive for its subjects in question, could be a damaging change for businesses who have not implemented effective cybersecurity and data breach procedures.
It’s being predicted that the EU could collect as much as $6 billion in the first year due to many organisations not taking these changes seriously.
An Overview of the Regulation
The regulation will affect anyone holding European data who fails to report a breach within 72 hours, in a detailed report. This may affect:
- A New Zealand or Australian business with an office in the EU.
- An ANZ business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in Euros.
- An ANZ business whose website mentions customers or users in the EU.
- An ANZ business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals in order to analyse and predict personal preferences, behaviours and attitudes (largely used for marketing).
The fine for failure to report on a breach could be up to 2% of the business’ annual revenue, or 10,000,000 Euros (whichever is larger).
Using our own Cyber Security Incident Management Procedures program, we’ve compiled our top five steps you should be considering by May 2018. When the regulation becomes law, every organisation will have a responsibility to maintain a higher level of resilience. Above all, you will no longer be subject to just reputational, operational, legal or regulatory impacts, but now also financial.
Tip 1) Acquire a detailed Cyber Security Incident Management Procedure & Plan
RiskLogic’s detailed program on effective cyberattack recovery spans four key steps: Identify, Contain, Eradicate & Recover.
This program will enable you to:
- Provide IT personnel with general and specific procedures for dealing with cyber incidents.
- Provide an escalation path to Executive Management for major cyber incidents that have potential to cause human, financial, legal, reputational and/or strategic impacts.
- Provide IT personnel with preparation lists in order to better prepare them for cyber incidents.
- Provide IT personnel with a process to deal with cyber incidents where a defined process for a specific threat is not included.
The document provides a protocol for dealing with cyber incidents specific to your organisation. It includes assessment tools, key cyber roles and responsibilities, processes for specific threats, mitigation strategies (in general) and for specific key threat areas.
An example of how you can simplify this process is illustrated in our own diagram:
With the likelihood of a data breach stronger than ever, it’s useful to reach out to these documents to follow effective processes unique to your people and the structure of your organisation.
72 hours isn’t a long time to report a large breach to a European Council, it’s worth understanding now if you have the steps in place to do this.
Tip 2) IT Personnel to have Access to General & Specific Cyber Procedures
Your most important asset during a breach is your IT Personnel. For them to do their job to the highest and most effective standard after an attack, your procedures should be used to manage the containment eradication of the attack, and to manage the recovery from the attack. Identify and assess the processes in the Incident Management Plan to make this happen.
Once your plan has been signed off by Senior Executives and your IT team has been trained, they should be able to easily answer:
- What data was lost or breached and who is the immediate contact to notify?
- How are they notified of the breach of data?
- What personal information does the breach involve?
- What was the cause of the breach?
- What is the extent of the breach?
- How can the breach be contained?
Tip 3) Document Escalation Paths for Major Events
When an event has progressed from an attempted breach to a serious event, your Senior Executives will need to know the details as they occur. Keeping a procedure in place for this will ensure the correct decisions are made from the information coming in.
In many cases, it is some time until the size and level of a breach is confirmed. Escalation paths can be a good way to learn this early on. In our clients’ plans, we follow a plan like the example below.
Tip 4) Identify the Risk Classification
In our programs, we separate risks into five key classifications:
- A data breach through unauthorized access to customer or sensitive data (including medical information and member level monetary transactions) that may result in information being stolen or disclosed in an unauthorized manner. This would lead to reputational, legal, regulatory, and financial impacts to the organisation.
- A denial-of-service attack or network interruption from an attacker (e.g. Hacktivist) against either you or a third-party provider that may result in reputational, operational, legal or regulatory impacts to the organisation.
- Phishing, pharming and drive-by attacks against your employees or third-party providers that may result in financial or reputational impacts to the organisation.
- Malware or ransomware from an attacker that may result in significant financial, legal or regulatory impacts for the organisation.
- Corruption or conflict of interest within your organisation by employees or a third party may result in unauthorised payments being performed. This may lead to financial, legal, reputational or regulatory impacts to the organisation.
Once the classification has been determined, it’s time to assess likelihood factors. Your organisation should understand the cause and damage that has occurred. Understand quickly the threat source, motivations and the further capabilities of the hacker.
Summarising the threat source quickly will then help you implement the correct procedures to deal with it. For example, did it come from:
- Lone individuals
- Third party providers, contractors, or other inside entities
- Organised crime
- State/s sponsored activity
Unauthorised access can occur from poor password security from users, password sharing, or accounts being used inappropriately throughout the organisation.
One of the top four key risks in the world today is IT Administrator passwords being used/accessed to create havoc. Gaining access to an administrator password is the fastest route for hackers/criminals. This can have devastating effects on the organisation and can lead from a small incident to a snowballing one affecting the whole organisation.
Tip 5) Know what Your Reporting Channels Are
The internal reporting, communication and structure of your crisis team should be well documented, checked and acted upon during an event. The same should be implemented in your external reporting, especially with the new legislation.
A good starting point is to understand where New Zealand sits right now with regards to processes for reporting breaches. The Privacy Commissioner has a handful of ways to report breaches, and these can be found here: https://privacy.org.nz/news-and-publications/guidance-resources/privacy-breach-guidelines-2/
CERT Australia recommends that businesses report Cyber Incidents. This can be done by:
- Calling the Hotline 1300 172 499 or
- Emailing firstname.lastname@example.org
- Online via the Australian Cybercrime Online Reporting Network (ACORN) https://www.acorn.gov.au/
These changes come into effect on May 25th, 2018. This gives organisations only a small timeframe to ensure that their processes are in place. Whether you are directly affected by these changes or not, this is a good excuse to review the processes your IT team has in place.
To put the seriousness of cyber threats in 2018 into perspective, IBM ran a detailed report on the impacts stating that a minor event can last 19.7 minutes with a financial impact of $53,210 per minute. The chances of these smaller events happening are 69% over 24 months.
We’ll be reporting on these numbers and findings from IBM and McAfee in next week’s article.