By Helge Skov Diernæs, Management Consultant at NNIT & Lars Hviid, Senior Security Architect at NNIT
9-1-1 or 1-1-2 is used globally when calling for help. But which number is used for requesting cyber-help?
When you have a fire you cannot put out, you call the fire department. When you witness a robbery, you call the police. But who do you call when you witness an ongoing break-in into your IT infrastructure or applications?
The EU General Data Protection Regulation (EU GDPR) has highlighted the necessity of a swift and capable response by requiring all companies to have a breach policy and to enforce it effectively. This requires an effective incident response organization that is prepared to cope with even the nastiest breaches. Similar to the fire department, this is the lifeline you call when the incident resolution exceeds your own incident response capabilities.
Cyber Incident Response
Anyone familiar with incident response organizations knows that a typical breach policy, including underpinning procedures, includes:
Roles and responsibilities
And particularly after EU GDPR goes live, the following is also required:
Internal & External communication plan for affected accounts
External communication plan for handling press inquiries, dialogue on social media, etc.
Legal plan and potential e-discovery concerns
Preparedness is key and the question is how prepared your incident response organization is for breach handling. The question becomes even more crucial if your IT landscape involves cloud and outsourced solutions. In the case of EU GDPR, all relevant logs must be consolidated, which requires strong vendor guarantees and service levels. Example: does your current SLA include access to all EU GDPR relevant logs?
Going forward, handling breaches satisfactorily therefore requires an effective incident response organization, including adequate security monitoring and data mining technologies to enable swift responses, forensics, and technological countermeasures, combined with strong execution of communication and legal plans.
Partner with a cyber-security provider
A cyber-security provider can provide the buffer of breach-handling expertise needed when a breach occurs; however, it is recommended to partner up before the need arises. Similar to physical security companies, a cyber-security provider must be tied into the company alarm/SOS structure and have emergency keys (passwords) to enter (log onto) the IT premises. Otherwise you end up with inefficient security consultants instead of an efficient Computer Emergency Response Team (CERT). A qualified cyber-security provider has the required diverse and specialized skills, as well as proven processes and procedures, to manage even the nastiest breaches and limit financial and reputational damage.
The key to success is to proactively establish a bridge between the external Computer Emergency Response Team (CERT) and the in-house Security Operations Centre/Incident Response Team. This ensures swift incident coordination of both onsite and offsite personnel, so that they can quickly provide incident verification and mitigating actions whilst also securing evidence for legal action if required. This is vital to have in place for EU GDPR compliance after May 2018.
The flexibility of this combined approach offers your company the best match between your need for enhancing your breach handling capabilities and the cost. Rather than “either/or”, you can now opt for having both. Which one you ultimately select is up to you.