How CIOs should respond to a data breach

Picture the scene: You’re the CIO of a major Southeast Asian financial institution. You arrive at work on a Monday morning and the first thing you do is take a call from you CISO.

“We’ve been breached.” They tell you. “What do we do?”

On average, data breaches in Southeast Asia cost 156 SGD ($113) per compromised record, with organisational costs totalling around 3.18 million SGD ($2,310,715).

There are a number of different factors that can mitigate some of these costs – industry variations, third party involvement, stolen credentials etc. – however, time and again early identification and containment has been proven key to keeping the financial impact to a minimum.

Unfortunately, it routinely takes around 184 days for companies operating in the ASEAN region to detect that an incident has occurred and a further average of 65 days to contain the incident, escalating costs and significantly damaging the reputation of organisations amongst their customers.

Sat in your office, you hang up the phone. What are you going to do?

Below is a short list, outlining some of the key steps a CIO should undertake when responding to a data breach, and some they definitely shouldn’t.

Step 1: Organise

When you discover your organisation has been breached, there’s a ‘golden hour’ in which you need to act.

The first thing to do is assemble your incident response team, which is often led by the CIO due to their links to top level management and overall responsibility for IT strategy.

Among board level executives, there is often the misconception that cybersecurity is exclusively an IT problem.

This is not the case and your response team needs to contain representatives from all areas of the business, not forgetting legal advisers and individuals to manage both customer and media communications.

Step 2: Contain

What caused the breach? How did the criminals gain access? Have credentials been stolen or is this the result of third-party vulnerabilities? What have they stolen?

Unless you know what caused the initial breach, you can’t contain it and if you can’t contain it, you can’t mitigate the financial costs and reputational damage to your organisation.

When WannaCry hit UK hospitals in 2017, the reason so many computers became infected was because they hadn’t been patched properly – despite warnings about the EternalBlue vulnerability being disclosed earlier in the year.

Deploying patches, resetting passwords and disconnecting any infecting machines from the corporate network are all immediate steps you can action to stop the damage from escalating.

More long-term containment measures such as recalling and deleting information should be kick started at this point, too.

Step 3: Evaluate

It’s important you work out exactly what has been stolen in the breach and who is going to be impacted the most as a result.

In the majority of high-profile cases, cyber criminals make off with the personal information of customers; anything from medical data to credit card numbers and contact information.

Sometimes, the hackers will use this information nefariously themselves however, it’s more common that the stolen data makes its way onto the dark web to be sold to the highest bidder.

It’s also important to think about how the stolen data could be used against the victims of the breach.

The Equifax breach was so shocking, not only because it affected 146.6 million people, but because the data stolen included social security numbers, passports, driving licenses and taxpayer IDs, meaning people were at risk of having their identities stolen.

Step 4: Notify

Pre-GDPR, more than half of CEOs had reportedly not been told about the worst breach suffered by their company.

In today’s age of compliance, notifying the right people that you have suffered a data breach is vital. Although Singapore is in talks to introduce a mandatory data breach notification regime in the next few years, currently there is no obligation for companies in Southeast Asia to report a breach.

However, if the data stolen relates to individuals living inside the European Union, you have 72 hours to inform the Information Commissioner’s Office.

You should also inform any customers that have been impacted by the group. A data breach is always going to negatively affect a company’s reputation but if you are transparent with your customers and provide them all necessary information at the earliest possible date, it might win you some serious plus points in the future.

Furthermore, if it looks like your breach has a specific target, like the Prime Minister of Singapore who had his medical data stolen last month, you need to inform that individual immediately.

Finally, if any third parties have been involved in the breach, you should also inform them.

They might not yet know they’ve been affected and will also need to implement their security strategy in order to mitigate the damage.

Step 5: Futureproof

Your assembled team has managed to contain the breach and limit any further damage against your company; the relevant parties have been informed and your communications team is putting out a statement to help deal with the reputational fallout.

In the coming days and weeks, it’s important to go back over your security strategy and look at what went wrong and what you need to be doing differently in the future – especially if this not the first time your company has suffered such a breach.

If you don’t already have a CISO in your C-Suite team, hire one. Additionally, ensure all your employees have had sufficient security training and are aware of and comply to your company-wide security strategy.

Finally, once you have a new strategy in place, use an external Penetration Testing company to help you evaluate just how effective your new security approach actually is.

It’s far better for any remaining vulnerabilities to be picked up by White Hats than for you to only find out about them when you suffer another preventable data breach.

What shouldn’t you do?

Responding to a data breach is always going to be stressful. However, there are a few things you should avoid doing once you’ve realised there’s been a breach to help take some of the headache out of the process.

The most common hurdle that organisations fall at is ‘notify’. Disclose a breach too soon and you might not yet have all the information necessary to provide your customers with the answers they’re looking for.

Leave it too long to tell them, you look like you’re trying to stage a cover up and will almost certainly lose the respect and trust of your customers.

It’s also important you don’t try and improvise your response.

If you don’t stick to your plan, important steps might get missed and you could ultimately end up making the situation worse.

If you don’t have a strategy in place, it’s important you try not to panic as off the cuff decision are rarely helpful. Never be too proud to ask for help if you need it.

Equifax pretty much wrote the ‘what not to do’ playbook back in 2017. From the very start it was a shambles, with executives being accused of selling off shares before the breach was even made public.

There was also no clear message given to those affected, customer support workers weren’t supplied with enough relevant information to help those in need and there appeared to be a communications blackout from the company.

As a result, cyber criminals were able to take advantage of the disorder, setting up a fake phishing website to trick concerned customers looking for answers.

Disclosing a data breach is never going to be easy and as today’s threat landscape continues to evolve it’s likely to be a case of ‘when’ not ‘if’ you experience an attack.

However, with a strong team, a strategic plan of action and an understanding of the steps you need to take, your CIO is best placed to respond to a data breach and help create the policies that prevent them from happening again.