Cyber incident response
Prepare for the inevitable, respond to evolving threats and recover rapidly, says Yolande Kruger, associate director, Deloitte Risk Advisory Africa.
Cyber attacks happen - they're reported in the news almost daily. How the targeted organisations respond to these breaches - especially if their response is perceived to be poor - is also reported. What usually isn't reported is the financial impact these attacks have on the business.
Yolande Kruger, Associate Director, Deloitte Risk Advisory Africa, says the primary aim of any cyber incident response plan is to identify the breach, recover from it and return to 'business as usual' as quickly as possible. "Studies show that the quicker you respond to any data breach that usually stems from a cyber attack, the less costly it is, which is why it's essential to have a proactive plan in place."
The 2016 Cost of Data Breach Study: Impact of Business Continuity Management (BCM), conducted by the Ponemon Institute, considers the financial and reputational benefits of having a business continuity management plan in place to deal with data breaches. For the first time, the study included South African companies.
According to the study, having a BCM plan in place can result in:
* $9 reduction in per capita cost of data breach;
* 11% reduction in the per capita cost of data breach;
* 15% reduction in the total cost of data breach;
* 52-day reduction in the average time to identify a data breach;
* 36-day reduction in the average time to contain a data breach; and
* 29% decrease in the likelihood of a data breach over the next two years.
Cover all your bases
Kruger advises that businesses have a proactive and responsive cyber incident response plan in place that covers all of the necessary processes and procedures.
Deloitte's Cyber Intelligence Centre provides clients with a monitoring service to notify them of a breach - or can even detect early warning signs of a pending attack. The client is supported in putting together a triage team to analyse the incident, contain, eradicate and recover, followed by post-incident analysis. "Once the cyber incident has been analysed and its root causes identified, you need to put a remediation plan in place to ensure it doesn't happen again, or - if something similar happens - you are able to respond appropriately," says Kruger.
According to the Ponemon Institute study, businesses face a 26% probability of a material data breach involving 10 000 lost or stolen records, particularly organisations based in South Africa. Those are pretty high odds, which means no business, regardless of size, can afford to be without a cyber incident response plan.
Kruger says any cyber incident response plan should address the following:
Crisis communication: Dealing with stakeholders, the public or the press.
Technical considerations: Create an architecture that can rapidly adapt to and recover from cyber incidents. The ability to switch smoothly from the breached system to another with as little disruption as possible to the business and its customers, the better.
Risk and compliance: Strengthen your ability to address regulator and law enforcement inquiries. For example, there's the Protection of Personal Information Act (POPI), whereby the business needs to advise people if their personal identifiable information is compromised, as well as any additional regulatory requirements (such as the mooted Cyber Crimes and Cyber Security Bill) in terms of general notifications of the breach and the implications in terms of possible fines. Companies are having to be more open about disclosing incidents, which includes communicating any breach to affected individuals as well as the media. On this point, Kruger points out that, while legislation may be in place to govern this type of activity, such legislation is only as effective as the regulator thereof.
Governance: Set the tone at the top and provide mechanisms for cross-functional communication. The business also needs to be prepared for how it's going to deal with the media and stakeholders, so a crisis communication plan is needed that lays out who in the organisation may speak to the media and what they are permitted to say.
"The way we deal with a cyber incident is no different to the way that we deal with any other crisis within a business," says Kruger. "It's essential to have a multi-pronged approach to cover all your bases and reassure all of your stakeholders, the regulators, investors and your employees."
For additional information about the far-reaching implications of a cyber attack and steps that can be taken to pre-empt and deal with one, read Deloitte's whitepaper: Beneath the Surface.