Breaches – the inevitable reality

Whether you’re a consumer or employed in the public, private or third sector, the inevitable reality is that you will eventually experience an information security breach. Like death and taxes it’s not a question of if you will be breached, it’s a question of when. So how should this inevitable reality change the way we behave both at work and in our private lives?

Don’t panic

Firstly, accepting that something is inevitable doesn’t mean that you can’t delay it. Just because mortality is a central fact of our existence doesn’t stop us taking steps to prevent our early demise. In information security (at home or at work) this means simple preventative steps are still appropriate, and effective. The fundamentals aren’t expensive and are simple enough for anyone to grasp;

  • Use a password manager to generate strong unique passwords
  • Use two-factor authentication wherever possible
  • Keep your software and apps up to date
  • Know where key data is and back it up to a separate location
  • Run anti-virus
  • Restrict access to those who need it.

Second, whilst death is final, information security breaches aren’t, so you have to think about what to do after the unthinkable has happened. To do this you have to move beyond preventing to detecting and responding to breaches. Detection and response are vital to mitigating the impact of a breach, and ensuring you and/or your organisation can continue normal operations as soon as possible.

Detection

The first indication of a breach for many people is when they receive a ransomware message on their screen or receive notifications saying their message to someone was blocked because it contained an infected attachment. You can avoid this by implementing measures to detect when a vulnerability exists (i.e. a hole in your systems becomes apparent) or when credentials are compromised (i.e. someone gains access to your systems using a stolen username and password). You don’t need to spend a lot of money, there are some effective free or low cost ways of doing this;

  • Sign up to security update notifications for your software;
  • Use Shodan Monitor and see what you have connected to the Internet within your network and get real-time notifications of vulnerabilities in your network.
  • Subscribe to the ‘Have I Been Pwned‘ service which will notify you if your email address appears in a data dump which resulted from a breach.
  • Configure your accounts to send you login notifications where possible.
  • Implement local and perimeter security measures which will log and alert when network traffic or system behaviour indicates a breach, e.g. Microsoft Sysmon, NCSC Logging Made Easy.
  • Train staff to spot unusual activity which could indicate a breach (being locked out of their account, unable to access files, receiving unusual requests for payment authorisation etc.)

Response

Once you’re made aware of a breach you need to act effectively, and quickly. Panicking won’t help, and making bad decisions quickly will make things worse, so you need to develop a simple but effective incident response process which works for you personally or your size of organisation.

A great place to start is the guidance from the NCSC, which is really helpful. In brief, their advice is;

  1. Gather information about the problem;
    1. What has been reported, by who, and what symptoms are you seeing?
    2. Can you tell if data has been lost, corrupted, deleted or disclosed to unauthorised third parties?
    3. What is the timeline and scope of the incident, and how will it affect your business?
  2. Resolve the problem;
    1. If your IT is outsourced, contact your IT service provider
    2. If you look after your own IT, you need to clean or reinstall systems and ensure all systems are up to date, reset passwords for affected accounts, and restore data from backups.
  3. Communicate with the relevant stakeholders;
    1. Contact customers (Troy Hunt has an excellent guide to breach disclosure if your customer’s data was compromised)
    2. Contact the Information Commissioners Office if you have a disclosable breach (or other regulatory bodies as may be applicable in your situation).
    3. Contact suppliers and partners to ensure they understand what happened what (if any) action they should take.

Learn

If you accept that a breach will almost certainly happen, and that you should shift from prevention and/or denial into preparation, remember that every incident (or near miss) is an opportunity to learn.

  • Could you have prevented it?
  • Do you need to change how you respond to breaches?
  • Are there steps you can take to mitigate the impact of future breaches?

As long as you establish and continually improve your ability to detect and respond to breaches you will find the frequency and impact of breaches significantly, protecting you and (where relevant) your customers.

Leave a comment