Chapter 8
Managing the Brand When the Worst Occurs

A crisis unmasks everyone.

Mason Cooley, professor, aphorist

Chances are, if it hasn't yet happened, it will. Maybe a breach has occurred and it just hasn't been uncovered; this is as common as it is disturbing. Sometimes a worst-case scenario doesn't look that way at first. It's sort of like looking at a spitting cobra through a window only to discover too late that one of the panes is missing. The experience may be interesting, terrifying, even mesmerizing. And then you feel the sting, followed by immense pain.

This chapter is intended to provide a general outline for responding to a cyber breach. It is not a specific, defined breach response to every situation. Not all companies are the same, and not all breach events are the same. Attacks are launched against different targets by different attackers in various countries. Even motive from one attack to the next varies, sometimes greatly. Enterprise preparedness is extremely variable, ranging from very good to virtually nonexistent. Preparedness is interpreted differently. Some organizations don't see much risk, others become consumed by it. Some companies strive to be compliant with industry guidelines and meet a variety of government regulations, while others remain unaware of the regulations or intolerant of them. Being prepared means different things to different people. In the absence of specified recommendations, interpretations are derived based on an organization's risk tolerance. The real problem with determining risk tolerance is that many entities measure that degree of tolerance differently. Basically, there's trouble ahead.

The best advice is this: Prepare for it. Don't wait for the breach to occur to take action. As Mason Cooley remarked, a crisis really will unmask everyone. Some who become unmasked will show that they are not in the least prepared. Others will demonstrate competence and preparation. The unprepared will not expect a breach. The prepared, even though they may be surprised when it comes, will at least not believe that it was unexpected. When a company is unmasked as unready, it truly is a crisis, because its brand is on the line. While many may be to blame, a few will come into the crosshairs as the investigation evolves. A company unmasked and found to be incompetent will have a hard time living down the reputation it will have developed. A company unmasked and found to be ready for the crisis will stand a far greater chance of overcoming it.

The common denominator between the two kinds of companies is that both are likely to suffer at least one breach, and both will be subject to intense scrutiny in the examinations that arise from the breaches, whether from one or more federal, state, and foreign country regulators; opposing legal counsel; insurers; business partners; investors; and corporate contract customers.

When a breach of security or of actual data occurs, it is necessary not to lose time. Time is, as they say, of the essence. But it is equally important not to act without thinking about the problem at hand. Some managers think and act well under pressure. Others do not. A breach of information can get complicated quite rapidly, and having a basic structure to follow is important. Many companies have developed incident response and data breach plans. It's always important to get legal buy-in on such plans of response and action.

Assume that every breach will have the capability to disrupt company operations. Also assume that the breach will become public. While some companies are able to avoid reporting a breach legitimately, others will hide it. But very few companies that experience a breach of regulated data will be able to avoid reporting it in every jurisdiction. Companies that have legally been able to avoid reporting breaches in the United States have been forced to report them in other countries. This can be very costly and painful. Even companies that do not have to report a breach, perhaps because no regulated data was involved, may find that the brand is compromised. Word gets out through a number of channels. Maybe a former employee who knows about the breach mentions it after going to work for a competitor. Or maybe that former employee was not restricted from mentioning the breach because management assumed the employee didn't know about it. Maybe the employee who goes to another employer was involved in or responsible for the breach. This has certainly happened on a number of occasions. The employee either made a mistake, which contributed to the breach, or there was a malicious act that led to the breach. This is not uncommon.

In the case of an employee who makes a mistake, it can be forgiven, and additional training may be able to prevent that employee from committing the same mistake twice. Awareness of any deficiencies that led to that administrative error can be increased. It is feasible that under the term of lessons learned, a relatively minor breach can contribute to the prevention of a major breach at a later date. But in the case of the malicious act, the employee is usually terminated. Here's a problem, though. These employees are often not arrested and criminally prosecuted. The reason is clear: Management and the board believe that a public airing of the breach in the form of a criminal prosecution will bring an extraordinary level of awareness into the public record. While such matters may be handled adequately to manage the brand reputation, many companies still shy away from going public.

Unfortunately, even in the event of a malicious action leading to a serious breach and compromise, when the employee is terminated, that individual is likely to go to work at another employer. Because there is no criminal record on file, the worker can be employed by another company. The event won't show up on a background investigation either, unless the investigative process is rigorous—and most are definitely not.

Unless strict precautions are taken to prevent disclosure, word will get out. From there, it is a short jump to social media and the press. This can become an uncontrolled brand management nightmare.

There's really only one way to manage this kind of crisis. Anticipate what is going to be needed and have a plan. Clearly, companies have varying requirements, and every company is somewhat different. Industry sector is a differentiator, as are size of company, geographic distribution, regulatory and legal jurisdiction, and other factors. But there are consistencies among companies, too. For the purpose of this chapter, assume a company based in the United States.

Always bring in an external security and forensics firm. A lot of companies think they can best handle a breach internally, but this is almost never the case. And then there's the chance that a member of the team may be involved in the breach. Having a forensics firm on call enables independent judgment, which will prove valuable when dealing with regulators and opposing legal counsel.

Be Prepared

Bear in mind that a typical breach investigation will be conducted in five distinct but interconnected phases. These phases are: (1) initiation; (2) forensic evidence capture; (3) Web and behavioral analytics; (4) risk impact analysis; and (5) reporting to constituent groups, internal and external.

  • Establish attorney-client privilege prior to the event and the breach investigation, for oral and written communication, including e-mail, Web postings, and other forums as appropriate to disclosure. Determine, with the assistance of legal counsel, what to include in written communications. Discuss the issue with the general counsel or other legal counsel with the authority to approve the activity. Not all companies have an in-house legal counsel. If there is no internal general counsel, discuss the issue with the appropriate external legal counsel. Make certain the legal counsel has experience in data breach management, data protection, privacy, and regulatory compliance, as well as third-party vendor management. This can be an issue for smaller companies with no in-house counsel. The smaller firms may rely upon the advice and counsel of the attorney that has been used for a wide variety of other issues, and this is one area in which expertise and experience are critical to success. Consider these options for the establishment of attorney-client privilege, as appropriate to prevailing conditions:
    • Use of in-house counsel
    • Use of external counsel
    • Use of combination of in-house and external counsel as appropriate
  • Establish a breach investigation management team. Conditions may vary, but in general include members with the following roles and responsibilities:
    • General counsel or other legal representative, as noted in the prior section.
    • Executive sponsor, if not the legal representative. However, since the legal representative will play a critical role, this is a good option. This is especially true in the event of a breach involving regulated personal information, including medical and financial information.
    • External legal counsel, as appropriate to individual client circumstances. External legal counsel may play a role in the team under certain circumstances. If the in-house legal officer does not have the specific experience and background, it may be advantageous to have an external lawyer with such experience on the team.
    • Internal security. This may be the chief information security officer (CISO) or, in larger companies, the CISO and the chief security officer (CSO). The CISO/CSO should not necessarily lead the investigation but should play a key role. The reason that the CISO/CSO should not have the lead role is that whatever the outcome, there is going to be a legal consequence. It may be a civil or even a criminal matter. It may be a regulatory issue. That is why it is so important to have the general counsel or an equivalent run the investigation. In some companies, this is behind the practice of having the CISO or CSO report to the top legal officer of the company.
    • Internal IT infrastructure. The breach took place within the infrastructure, either technically or operationally. Technically, it could have happened over the network. Operationally, it could have been a stolen computer or other device.
    • Human resources. Insiders are often the cause or the source of the breach, so that makes it a human resources problem. HR's level of involvement will be determined by whether or not the employee(s) involved was engaged in a malicious act. HR may also be asked to participate in a “lessons learned” awareness program as part of an enhanced information risk management program. They may also need to validate the existence of the current awareness program, in cooperation with the CISO or CSO.
    • Corporate communications. This member or team can help communicate both internally as well as to the media should that be an outcome of the investigation. The involvement of the member or team from the outset will help shape the message and the outcome.
    • Privacy or regulatory compliance, as appropriate. The problem is that not every company has a privacy or compliance officer. One reason is that companies that do not manage personal information are often under the mistaken notion that privacy is applicable only to personal information. Business proprietary information is equally valuable. Every company, regardless of size and business, should assign someone to watch over the privacy of information.
    • Risk management. Not all companies have a chief risk officer (CRO), but some do. That risk officer should always be involved and work closely with the legal officer on all matters regarding the breach. Where there is a CRO, that individual should participate in the board-level briefings.
  • Establish chain of custody requirements consistent with U.S. Department of Justice guidelines. There's a very real possibility that the imaged drives of the company's computers will contain evidence that will be presented in court or to regulators, and even insurers and business partners. Demonstrating that strict procedures were followed helps convince these parties that the company, despite a breach, is handling the predicament efficiently and skillfully.
  • Establish internal communication standards and protocols:
    • Assign a point person of contact for external communications with consultants, advisers, and so on. Sometimes this can be a communications team member, even a security team member. Typically, though, it is the legal officer assigned to the case.
    • Assign a point person for communicating with the audit and risk committee of the board of directors. Again, this is often the legal officer, but the legal officer may want to seek the advice and counsel of others on the breach investigation team. There are two kinds of meetings with the board. One is a meeting, either formally or informally, with the head of the risk committee. The other is a meeting with the full board.
    • Establish a frequency and method of progress communication with various constituent groups. The core of the group—legal, security, risk, IT, and several others—may need to meet periodically throughout the day in the early stages of the breach because conditions may fluctuate and things may change rapidly. Flexibility is the key to staying on top of a fast-changing environment. The full team should meet twice daily at first for status condition, in the morning and then at the end of the day.
    • Establish encryption standards for written communications, including e-mail and other documentation. This is important, especially when it is uncertain whether the breach is still under way and the extent of penetration and compromise is unknown.
    • Depending on circumstances, contain breach information to the breach management team.
    • Advise employees at the appropriate time, but in the interim try to contain the information to the smallest circle possible. During many breaches, word tends to leak out to employees, and then it is almost impossible to contain it. Slow days at the office love bad news.
    • Plan to turn the breach into an awareness and training opportunity, as appropriate to the incident, and at the right time. That time will not likely be during the investigation phase. Take the time to take in the event, the response to the event, the cause or causes of the breach, the impact of it, its complexity, and other factors. Gaining perspective may take some time, and meaningful awareness and training will require the integration of that perspective. Mirroring life, education and learning are lifelong experiences. Learning from a breach event is no different.
  • Begin the process to confirm that a breach has occurred and profile the scope and dimension of the breach point as soon as possible. Verifying that a breach has actually occurred sounds easy. It is not, and some breaches go undetected for years. It is also not always possible to define the full extent of a breach, so identifying the breach point is desirable, even preferable.
  • Determine the potential range of information that may be affected:
    • Personally identifying information (nonpublic personal information, or NPPI) such as protected health information
    • Credit card and financial account information
    • Employee family information, if applicable
    • Intellectual property, trade secrets, or other internal confidential business information
    • Jointly held business proprietary information:
      • Alliance partners, including government and industry
      • Customers
      • Third-party vendors
      • Investors
  • Examine the breach history of the company, if any, to evaluate any commonalities. It is possible that the current breach is similar to a prior breach, which may facilitate the identification of key indicators in the process of discovery.
  • If there is no internal breach history, look for similar breaches of regulated data at other companies in order to evaluate any commonalities. Search the Internet for similar cases: There are numerous cases posted on various industry and government web sites, often with substantial detail. Consider discussing this with any third-party vendors, too, because those firms may have experienced similar attack patterns.
  • Change passwords throughout the organization, using complex composition based on leading practices. While not a panacea, this should be an immediate response.
  • Determine if the breach is continuing or if it has stopped. This isn't always easy to know, but knowing the answer is essential.
  • Review insurance coverage. Cyber insurance is a rapidly evolving area, and it pays to keep up with the changes. Sometimes the insurance policies get reviewed only after a cyber event, which can lead to wrong conclusions based on a rush to judgment in interpretation. Examine the types of applicable insurance. It is also reasonable to bear in mind that a cyber breach may involve other types of accompanying threats, including the threat of physical violence, sexual assault, extortion and blackmail, and even kidnapping. Examine these insurance policies to verify coverage before the breach hits:
    • General liability
    • Technology errors and omissions
    • Directors' and officers' insurance
    • Cyber breach insurance
  • Determine if the breached data was encrypted. Oddly enough, sometimes the answer is unknown for a period of time. But it's important to know:
    • What encryption method was used
    • If the devices were encrypted at the file level or if full device encryption was used
    • Whether or not kill switches were installed on the devices, enabling them to be shut down and made inaccessible
    • Whether the data was accessible and readable at the time of compromise
  • Isolate and image any hard drives and begin forensic examination by a qualified external and independent professional. Be sure to require authorized access to the computer drives as a precaution in the event an insider with privileged access attempts to modify drive content. Ideally, all forensic analysis should be executed in a highly secure, zoned area, with enforced badging, monitoring, and appropriate surveillance.
  • Begin Web and behavioral analytics: Evaluate IP addresses, web sites, and e-mail addresses to assess the level of potential damage:
    • Internal
    • Third-party vendors
    • Customers. This can be controversial since many companies under attack are often hesitant to share this information with customers. But sometimes toxic IP addresses from customers may be connected to the attack. Not notifying the customer may also increase the risk to the customer, who may not know of the toxic IP address presence.
  • Categorize IP addresses by type:
    • Type A. Authorized by the company and its customers or other third parties and intended to be in the environment.
    • Type B. Unauthorized, toxic, with no valid reason for being in the environment.
    • Type C. Authorized by a third-party vendor or customer but toxic. The other party simply does not realize that the IP addresses are toxic. This is an indicator that they have been attacked and are likely unaware of that breach. The presence of toxic IP addresses from even a customer could mean that these are the IP addresses that could be broadcasting information out of the enterprise.
  • Determine possible toxic IP address origination and ISP threat sources using various threat database tools:
    • Examine ISP selection and distribution. Certain ISPs are known to be unrestrictive and allow criminal or suspect traffic. If the ISP is found to be suspect in the attack, take immediate measures to cancel the agreement and seek alternative ISP providers.
    • Examine toxic IP address histories.
  • Determine the source of the breach:
    • Internal:
      • Employee
      • Ex-employee
      • Third-party vendor employee or ex-employee
      • Independent contractor
      • Other
    • External:
      • Nation-state
      • Transnational organized crime
      • Hacker organization
      • Independent rogue hacker
      • Rogue individual
      • Other
  • Determine if there are multiple breach points. This is an increasingly common condition and may lead to confusion and diagnostic error if not managed effectively and aggressively.
  • Determine the method or methods of breach used to gain access to privileged data.
  • Determine if the breach or attempted breach involved local proximity:
    • Was it a wireless signal intended to trick employees into clicking on the link and consequently downloading malware?
    • What was the source of proximity threat?
    • Was malware downloaded?
      • If yes:
        • By whom?
        • Has it spread throughout the enterprise, and could it still spread?
        • What was the nature and origin of the malware?
        • Are patches up to date?
        • What do the logs indicate?
    • Are known and unidentified wireless networks monitored and recorded for determination of origin and consistent presence?
  • Physical intrusion:
    • Was a physical intrusion through perimeter security involved?
    • Does physical intrusion constitute a physical threat to employees or others?
    • Is video surveillance evidence available for analysis?
  • Determine if a multidimensional, multivector threat is occurring.
  • Are other physical plant locations experiencing suspect traffic or attack conditions? This could be an indicator of a diversified attack scenario or, alternatively, of an attempt to confuse the target and cause a diffuse allocation of defense assets.
  • How integrated is the physical and logical threat detection system?
    • Internal and centralized versus decentralized
    • External and managed by a third party
  • Initiate a risk impact analysis and root cause analysis.
  • Verify the type of data affected:
    • Intellectual property
    • Trade secrets
    • Personally identifying information (PII)
    • Protected health information
  • Examine paper and electronic record formats:
    • Look for user-defined fields that may contain personal information and that have not been cleansed of data.
    • Addressing paper records is important for several reasons. First, certain regulatory requirements pertain to paper records. Second, if there is an inside accomplice, a paper record may be less restricted and therefore more accessible and more at risk. Third, if an intruder is able to breach perimeter security but is unable to penetrate computers, paper records would be at risk.
  • Determine if law enforcement notification is required or desired. Law enforcement triggers include:
    • Personally identifiable information (PII)
    • Personal health information (PHI)
    • Intellectual property and trade secrets
    • Information pertinent to critical infrastructure
    • Defense information. This may include the identities of any military personnel, which could be used in the commission of blackmail, ransom demands, or other crimes.
  • Determine the requirement for specific government, law enforcement, and intelligence notification:
    • Federal Bureau of Investigation
    • Secret Service
    • Department of Defense Criminal Investigative Service
    • Immigration and Customs Enforcement
    • Drug Enforcement Administration
    • Department of Homeland Security
    • Department of State
    • National Cyber-Forensics and Training Alliance
    • IC3 (Internet Crime Complaint Center)
    • Central Intelligence Agency
    • State police
    • Local police
  • Define internal reporting requirements with external consulting and/or legal adviser:
    • Daily or weekly progress read-outs:
      • Attendees list:
        • Required
        • Desired
    • Preparation of interim reports for discussion with:
      • Law enforcement
      • Regulators
      • At-risk corporate customers or clients and partners
      • Board members
  • Develop a tactical plan for point-of-breach containment, which is always a consideration in:
    • Regulator negotiation
    • Insurer presentment
    • Corporate customer contract negotiation
  • Examine corporate agreements, including service level agreements and business associate agreements, to determine contract obligations and reporting requirements, which may be separate from regulatory reporting requirements:
    • Determine contract client or customer and regulator notification strategy. Determine notification based on specified requirements. For example, some agreements require notification based on determination of a breach based on regulatory requirements. Other notifications are based on a negotiated agreement between parties. This is why it is critical to actually define the term “breach” and then specify the notification timing and format.
    • Create a regulator and client negotiation framework based on breach circumstances, findings on vulnerabilities, threat vectors, and remediation strategy.
  • Examine the enterprise risk management framework to determine consistency and effectiveness.
  • Examine policies and procedures for information security and privacy and compliance.
  • Establish regulatory reporting procedures in case such notification becomes a requirement:
    • Regulators:
      • State
      • Federal
      • Industry
      • Foreign country
    • Corporate customers
    • Consumers
  • Determine appropriate negotiation strategies based on breach circumstances, institutional deficiencies, and remediation strategies.
  • Determine requirements for temporary restraining orders/abuse reports and execute accordingly:
    • Examine target ISP deployment.
    • Examine web sites and search engines participating in breached data distribution.
    • Determine country-level government cooperation.
    • Determine if alliance partners in the United States may be valuable in the application of pressure against foreign ISPs, web sites, and search engines as part of breach analysis.
  • First, work with legal counsel and other independent advisers to determine the appropriate audience for any reporting. One common mistake made by companies is to treat the investigative process as a strictly technical analysis. It is true that the attack and the analysis of it are technical in orientation, but that is only one aspect of what needs to be conveyed. Sending technical information to a nontechnical audience may result in frustration and inaccurate conclusions. An executive summary for the nontechnical audience, including members of the board of directors, is essential. When writing executive reports, it is vital to use the language of the business and of risk. Avoid losing the audience with overly technical language. While it is true that senior executives and board members are more attuned to cyber-related issues than they once were, senior management and the board will often be more responsive to the management of risk than to the management of technology. Many organizations make the fundamental mistake of creating only technical documentation, in large part because the breach itself is technical and technical staff are deployed to investigate it. An executive summary for a nontechnical audience is nonetheless vital.
  • It is important to remember that there will likely be a diverse set of readers for the report. Among the readers may be insurers, law enforcement, company executives, key shareholders, various regulators, nontechnical corporate customers, external legal counsel representing various interests, internal auditors of multiple companies, strategic partners, third-party vendors, and others. The significance of the findings must come through to all of them, so the report should be written to be accessible to a varied business audience.
  • The executive report should contain the following sections:
    • Introduction highlighting general risk conditions and trends.
    • Description of the breached company, markets served, products and services offered, global reach, and so on. Again, the audience may be diverse and not necessarily understand the business of the company.
    • Description of the intrusion event based on forensic examination and Web and behavioral analytics.
    • Date of intrusion. There may be multiple dates over a protracted time period. In some cases, given either the sophistication of an attack or the deficiencies of the targeted organization's intrusion detection and prevention capabilities, the dates of intrusion may be difficult or impossible to calculate. In many documented cases, the breach activity remained undetected for years. But every effort should be made to accurately identify intrusion dates.
    • Description of at-risk data, regulated and unregulated. Be as detailed as possible. Not all paper and electronic records are in the same format. Be prepared to provide specific examples of information and record types.
    • Analysis of preliminary mitigation measures. This is key for the structuring of successful negotiations with corporate customers and regulators and a reduction of risk impact.
    • Breach containment analysis:
      • Completed
      • In process
      • Scheduled
      • Unscheduled
  • Conclusions and recommendations. Documenting conclusions and subsequent recommendations is important to various constituent groups, including executive management and the board of directors. It is also crucial in discussions with regulators and corporate customers. Conclusions must be detailed as well as thoughtful, reflecting a meaningful level of effort. This will help in convincing regulators and customers of the institution's commitment to effectively manage risk impact. In cases where there is an insufficient demonstration of careful planning and execution of the breach investigation, there may be increased regulatory inquiry and pushback from corporate customers whose data may be impacted. The failure to convince corporate customers and regulators of the level of effort applied may result in increased breach-related costs, impaired reputation, and the loss of business and even corporate valuation.
  • Technical summary (actual reporting structure may vary by type of attack). Absolutely fundamental in understanding the event, the technical report will have value to the technical audience:
    • Introduction
    • Review of suspicious IP addresses, e-mails, Web activity, and so on
    • Summary
    • Details as appropriate to the breach event:
      • Threat source
      • Vulnerabilities
      • Breach enablement
    • Recommendations
    • Forensic review and analysis of selected computer hard drives:
      • Summary
      • Detail
    • Recommendations
    • Scanning and vulnerability tests:
      • Summary
      • Detailed technical findings
      • Conclusions and recommendations
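
One way to make the chain-of-custody and drive-imaging items above verifiable, as an added example rather than the book's procedure or any Department of Justice form: every custody entry records the image's SHA-256 and the hash of the previous entry, so a modified image is attributed to the custodian holding it at the time and an edited record breaks the chain. The image name, custodians and bag number are constructed.

```python
"""Hash-chained chain-of-custody record for a forensic drive image.
Added example; not the book's procedure or any DOJ form. Names are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-entry hash carried by the first entry


def sha256_file(path, chunk=1 << 20):
    """Hash a (possibly very large) image file in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _hash_entry(entry):
    """Hash every field except the entry's own hash, with stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _entry(seq, event, custodian, note, image_path, prev):
    e = {"seq": seq, "event": event, "custodian": custodian, "note": note,
         "image_sha256": sha256_file(image_path), "prev": prev,
         "time": datetime.now(timezone.utc).isoformat()}
    e["entry_hash"] = _hash_entry(e)
    return e


def acquire(image_path, custodian, note):
    """Start a record; the acquisition hash is the reference for every later check."""
    return [_entry(0, "acquired", custodian, note, image_path, GENESIS)]


def transfer(record, image_path, custodian, note):
    """Append a hand-over; the image is re-hashed so any change is pinned to a custodian."""
    last = record[-1]
    record.append(_entry(last["seq"] + 1, "transfer", custodian, note,
                         image_path, last["entry_hash"]))
    return record[-1]


def verify(record, image_path):
    """Return (ok, problems): checks chain links, entry integrity, image
    continuity across custodians, and the image as it exists right now."""
    problems = []
    prev = GENESIS
    for e in record:
        if e["prev"] != prev:
            problems.append(f"seq {e['seq']}: chain link broken")
        if _hash_entry(e) != e["entry_hash"]:
            problems.append(f"seq {e['seq']}: entry altered")
        if e["image_sha256"] != record[0]["image_sha256"]:
            problems.append(f"seq {e['seq']}: image hash changed in custody of {e['custodian']}")
        prev = e["entry_hash"]
    if sha256_file(image_path) != record[0]["image_sha256"]:
        problems.append("current image does not match acquisition hash")
    return (not problems, problems)


def demo():
    """Walk-through on a constructed 1 MiB image: a clean hand-over, then an
    insider with drive access flips one byte before the next hand-over."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop-0412.dd")   # constructed image name
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        rec = acquire(img, "external forensics examiner", "imaged in zoned lab")
        transfer(rec, img, "evidence locker", "sealed bag C-17")
        ok_before, _ = verify(rec, img)
        with open(img, "r+b") as f:                # the insider's modification
            f.seek(4096)
            b = f.read(1)[0]
            f.seek(4096)
            f.write(bytes([b ^ 0xFF]))
        transfer(rec, img, "internal IT", "copy requested by an administrator")
        ok_after, problems = verify(rec, img)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    before, after, issues = demo()
    print("clean record verifies:", before)
    print("after tampering verifies:", after)
    for issue in issues:
        print("  -", issue)
```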

One of the worst mistakes that can be made is the failure to act quickly and decisively. Failure to act quickly and decisively is usually due to one of two conditions: Either the preparations for launching an investigation are inadequate, and precious time is lost trying to gear up for the effort, or it isn't clear that a breach is taking place because signals of the breach are missed entirely. Some companies don't monitor logs very well, and signals coming from the logs can easily be missed—especially if no one is watching and analyzing the contents of the logs.
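The Type A/B/C categorization of IP addresses from the list above, applied to the kind of log signal this paragraph says is easily missed, as an added example that is not from the book: a triage script that sums bytes sent to each peer address in constructed outbound-connection log lines, labels each peer against a constructed authorization list and a stand-in for a threat-database lookup, and groups the Type C hits by the customer or vendor that authorized them, which is what the customer-notification question earlier in the list turns on. Peers that are unauthorized but not on the threat list fall outside the book's three types and are labelled "unclassified" here; every range, owner name and log line is constructed.

```python
"""Type A/B/C triage of peer IP addresses seen in outbound connection logs.
Added example; the ranges, owners, threat list and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed: ranges authorized by the company, a customer and a vendor
# (documentation ranges only, so nothing here points at a real network).
AUTHORIZED = {
    ipaddress.ip_network("10.20.0.0/16"): "company",
    ipaddress.ip_network("203.0.113.0/24"): "customer-acme",
    ipaddress.ip_network("198.51.100.0/24"): "vendor-payroll",
}

# Constructed stand-in for a threat-database lookup of "toxic" addresses.
TOXIC = {
    ipaddress.ip_address("198.51.100.77"),  # inside the vendor's authorized range
    ipaddress.ip_address("192.0.2.200"),    # never authorized by anyone
}

# Constructed firewall log lines: time internal_host peer_ip bytes_out
LOG_LINES = """\
2024-05-01T02:14:05Z wks-0412 10.20.1.1 512
2024-05-01T02:14:09Z wks-0412 203.0.113.12 2048
2024-05-01T02:15:30Z db-01 198.51.100.77 9000000
2024-05-01T02:16:01Z wks-0093 192.0.2.200 4096
2024-05-01T02:17:44Z db-01 198.51.100.77 7500000
2024-05-01T02:18:02Z wks-0093 192.0.2.44 100
garbage line that a log shipper mangled
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def authorizer(ip):
    """Return who authorized this address, or None if nobody did."""
    for net, owner in AUTHORIZED.items():
        if ip in net:
            return owner
    return None


def classify(ip):
    """Map one address onto the book's Type A/B/C scheme."""
    owner = authorizer(ip)
    toxic = ip in TOXIC
    if owner and not toxic:
        return "A"            # authorized and intended to be in the environment
    if owner and toxic:
        return "C"            # authorized but toxic: the partner is likely breached
    if toxic:
        return "B"            # unauthorized, toxic, no valid reason to be present
    return "unclassified"     # outside the book's scheme: unknown, not on any list yet


def triage(lines):
    """Sum bytes sent to each peer and attach its category and authorizing party."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # skip malformed lines instead of aborting mid-incident
        totals[ipaddress.ip_address(m.group(3))] += int(m.group(4))
    return {str(ip): {"type": classify(ip), "owner": authorizer(ip),
                      "bytes_out": n} for ip, n in totals.items()}


def partner_notifications(report):
    """Type C addresses grouped by the customer or vendor that authorized them,
    i.e. the parties that may not know they are carrying toxic addresses."""
    out = defaultdict(list)
    for ip, info in sorted(report.items()):
        if info["type"] == "C":
            out[info["owner"]].append(ip)
    return dict(out)


if __name__ == "__main__":
    rep = triage(LOG_LINES)
    for ip, info in sorted(rep.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f'{ip:16} type {info["type"]:12} {info["bytes_out"]:>10} bytes '
              f'({info["owner"] or "no authorizer"})')
    print("notify:", partner_notifications(rep))
```

The largest outbound volume in the sample goes to a Type C address, which is exactly the case the book flags: a partner's authorized address that may be carrying data out of the enterprise without the partner knowing it.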

No one wants a breach. Almost all organizations are likely to experience one. Many of those experiencing a breach will make mistakes in risk assessment, breach severity, what to report, when to report it, how to report it, and to whom it should be reported. There is no substitute for being prepared, and being prepared will pay dividends when it comes time for disclosure. And that's the thing about a breach. All breaches will probably be reported to someone.
