Hello and welcome back. My name is Ralph Bryan, and welcome back to the next session we're going to do in terms of managing security incidents. This is about assessing and understanding the incident, the next stage of the incident lifecycle, the next step in the cycle. So really we're going to have to get as much information as we can. And that can be quite difficult in that sort of panic that can set in after some sort of major incident. So, you know, we need to understand exactly, get as much information as we can. It's going to be information gathering. It's going to be deciding who exactly is at risk. And I think risk is really where I want to focus. In fact, when you look at your breach response under the GDPR, for example, it talks about only reporting to the regulators where individuals are at risk, and only notifying the individuals where the individual is at high risk. So we have to find a way to quantify and understand how big this breach is. If a laptop has gone missing with loads of personal data on it, we might even say that's fine. The personal data is encrypted. Yes, it's annoying to lose the laptop. The individual probably needs a new laptop, but we might say, look, with all the controls on that laptop, it's got top-level encryption and a password ID, and the data on it was kept to a minimum. We might say, well, we're not going to tell anyone about that because no one has been placed at risk. No one has been placed at risk. So we really do have to understand what the risk is. And I think that's our first point: how many records are affected, how many people are affected, what type of data might it be. So we've really first got to do that information gathering, go to our staff member or our customers or our supplier, whoever it is reporting the incident, and try and do as much gathering as we can. What do we need to know? Who might be involved? What sort of data is it? Where did it come from? How did it occur? How long ago was it?
It's even possible that we might have security breaches reported to us where it might have been a vulnerability that kept us open and breached for years, but we weren't aware of it. We weren't aware that that data was breached. The breach could have happened 10 years ago, who knows? But we're only now finding out about it. So what we have to really understand is just get as much information as we can, as much information as we can. We need to take an assessment to find out as much information as we can about who and what is at risk, in order to start taking some sort of decisions. All this information will inform our decision-making process from then on, because we're going to need to understand what exact teams we might need to engage. Is it security teams? Is it legal counsel? Do we need our second parties involved? Security experts, privacy experts, who do we need engaged? The senior management, or is it not important enough to get the senior management involved? What teams are really involved? What business units do we need involved? What facts do we have, and then, based on those facts, what do we need to do first? There's going to be almost a couple of stages of response here. There's going to be some initial actions, some really early things we need to do: plug the hole, stop the breach. Perhaps even shut down some of our systems or stop using that vendor where there were going to be issues. We're going to need to fix the hole, damage limitation if you like. And then there's going to be some longer-term actions, much longer-term actions that we're going to need to take to reduce that damage down to an acceptable level. And then, while those actions are occurring, we're going to need to monitor those actions, understand exactly what those actions are, who's doing them, when, why, and then carry out that review or lessons learned. So you might see this response process in the exam.
The fact that you need to engage a team, review the facts, analyze the facts, take short-term actions, longer-term actions, monitor and review. So who's going to be in our team? You're going to need some command and control. That command and control could come from the security team; equally, it could come from senior management, depending on the level of the breach. You might need a data forensics team to make sure we've got the right evidence in place, to make sure the evidence is protected. Sometimes, actually, by turning off computers or shutting down networks or deleting stuff that's infected with the virus, we can actually destroy the evidence. So we need to really think about whether our initial actions are going to be good enough, or whether they result in evidence destruction as well. So that's why it's important to have this sort of forensic readiness approach. Do we need lawyers involved? We need legal counsel involved, especially if we're dealing with our second parties: who has lived up to the contract, who hasn't lived up to the contract. Are we exposed to a regulator or a fine from somewhere? Are we exposed to a court case for damages? So legal counsel is perhaps quite important. Privacy teams, well, obviously we're working in privacy, so we're going to need to know what the GDPR or other privacy laws, HIPAA for example, require us to report, and to whom. So privacy teams are going to be really important. And then obviously security experts, obviously the IT teams. The IT teams and the security teams are going to be our lifeline here, helping us through our process, helping us understand what's possible and what isn't possible, and when. And then the vendors as well, our second parties. Things tend to get complicated: the more second parties are involved, the more out of your control it is when you're waiting on responses from other people. But your goals here are relatively straightforward. We need to stop the additional data loss and secure areas.
I mean, it could be a physical breach; you might literally have to put a cordon up, put a guard there, repair a wall, repair a window. It could be a physical break-in, for example, or it could be a technology break-in where you've got to shut down access or repair, put a security patch on or something like that. Where is the information now? Where is the information? Once you've stopped the data loss, once you've stopped the leakage, we might even need to try and recover the data. Who has the data? Did we send the wrong thing out to the wrong customer? I've got several examples of that where someone just attached the wrong thing to the wrong email and it's gone to the wrong person. So we might need to go to that individual and say, look, sorry, you got sent the wrong thing, can we get it back? Have you deleted it? So we want to recover the information. What if the data's been posted to public websites? Can we contact the owners of those websites and get it removed? Can we remove or recover that information? If the laptop is lost, can we get it back? Has somebody found it? Have the police got it? So we might need to think about recovering that information. We're certainly going to need to document and interview the people who discovered the breach, anyone who's been involved; that could be staff members, it could be second parties, for example. And then we're going to make sure that we protect the evidence. Again, evidence, evidence, evidence. Don't forget about forensic readiness and don't forget about the chain of custody: do you know what, when and who was holding onto what evidence, where it is, and how can we prove that what we're holding now is the same as it was when we first discovered it? So, looking at the diagram, there's quite a famous diagram here which talks about service delivery over time.
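The chain-of-custody point above, that you must be able to prove the evidence you hold now is what you first discovered, is illustrated here with an added example that is not part of the lecture: each hand-over re-hashes the evidence file and is logged with who took custody and when, so any change since acquisition is detectable. The file contents, handler names and item id are constructed for the demo.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    # Hash in chunks so a large disk image or mailbox export need not fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyRecord:
    handler: str   # who took custody at this step
    action: str    # acquired / transferred from X
    when: str      # UTC timestamp of the hand-over
    sha256: str    # hash observed at that hand-over


@dataclass
class EvidenceItem:
    item_id: str
    path: Path
    acquired_sha256: str                       # reference hash taken at first discovery
    chain: list = field(default_factory=list)  # ordered custody log

    def record(self, handler: str, action: str) -> bool:
        """Append a custody entry; return whether the item still matches the acquisition hash."""
        digest = sha256_of(self.path)
        self.chain.append(CustodyRecord(handler, action, datetime.now(timezone.utc).isoformat(), digest))
        return digest == self.acquired_sha256


def acquire(item_id: str, path: Path, handler: str) -> EvidenceItem:
    item = EvidenceItem(item_id, path, sha256_of(path))
    item.record(handler, "acquired")
    return item


def demo() -> tuple:
    """Constructed scenario: a log copy is acquired, handed over intact, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "webserver-access.log"  # constructed sample evidence file
        evidence.write_text('10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /export HTTP/1.1" 200\n')
        item = acquire("EV-001", evidence, "helpdesk")
        intact = item.record("forensics", "transferred from helpdesk")    # hashes match
        evidence.write_text("")  # someone "tidies up" the log before the next hand-over
        tampered = item.record("legal", "transferred from forensics")     # mismatch detected
        return intact, tampered, len(item.chain)
```

A real custody log would also be written somewhere the handlers cannot edit (or be signed), since an attacker who can alter the file can otherwise alter the log too.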
So actually what tends to happen is, when you were doing business continuity research, they tell you about an MTPD, or a minimum tolerable period of disruption. This is a minimum tolerable service level that you want to achieve within a certain time. You want to get back within your MTPD, your minimum tolerable period of disruption. So this is our minimum tolerable service level, this is the level of service that we're happy with, our business operating. And we can crack on at the normal service level as much as we like, our current service level comes in, and then, bang, we have a breach. Now this is our breach. Bang, we have a breach, and what will happen, of course, is that after a major breach your service level will plummet. It'll drop down to below the minimal service level. Bang, the breach has occurred, our service level plummets, it's now beneath what is acceptable. And then, as I said, we need a short-term recovery goal; our short-term goal is to get ourselves back up to that minimum level that we're happy with as quickly as possible. And then in the longer term we can think about having a longer-term recovery goal of getting back to normal. Yes, getting back to normal. So what we essentially have to worry about sometimes here is what's optional and what's essential. How do we get back to the essential level of service as quickly as possible, and then what is optional? And I know it's not nice to go around asking members of staff, are you optional? Clearly no one's optional or else you wouldn't have them. But there are going to be certain activities that certain staff members might do that they might need to repurpose, or might not need to do, at the time of crisis, for example. So this becomes all about communications. In the early days, in fact all the way through a security event, it's all about communications. We need to know what we need to communicate to whom; there's going to be a number of different entities here.
So I think it's worth just thinking about communications and notifications. What do the management need to know, and when? How often do you need to update them? How are they going to be briefed to deal with inquiries? What about your partner organizations, your vendors, your second parties, recovery suppliers? How are you going to have good communications with them so they can notify you of breaches, so you can work with them and get regular updates as to how it's progressing and what's going on? What does the regulator need to know, especially if there's a legal responsibility to report a breach? Well, when do you tell them, who tells them, who can talk to them? If they come and talk to you, generally speaking, you're going to want your privacy and security teams to be having that conversation. Your customers: who is authorized to talk to the customers, what messaging are we going to give to our customers? If we've got a call center, that call center needs to be prepped and briefed. If we've got salespeople or account managers, they might need to be prepped and briefed. Other businesses, other partners in our sphere. What about the individuals themselves, do they need to know? Is this something that could be swept under the carpet, or is this something we're going to need to go public with? Is this something that puts their data at risk? Are we going to need to offer them some sort of compensation or remediation, or tell them they're at risk so that they can change their passwords on other websites? What do our staff need to know? I think it's really important to understand what our staff need to know, because who can and can't they talk to? We live in an age of social media, and actually your staff can sometimes become your worst weakness. They can talk to their mates on social media and send WhatsApp messages and post things on Facebook.
And what we really want is a carefully prepared crisis communications statement projecting the right image, rather than staff going, my God, it's chaos here. So think about what you're going to communicate to your staff, and what your staff are and aren't allowed to tell and communicate to people. Your recovery teams, you're going to need to tell them what they need to do. They should have recovery plans, they should be reporting back on those recovery plans. Law enforcement: you might need to get the law involved in this; it might be a criminal action. You might have a rogue individual trying to hack you or break you, or leaking data to a competitor. So you might need to take action against an individual who's broken the law, the Computer Misuse Act or equivalent. And then finally the media and the press. You can be proactive here. You can actually manage the media. If the media are going to show up on your front door, well, you need to be prepared. You need to be able to communicate with them, decide what you want them to know and when, and then deliver according to that carefully prepared crisis communications statement. So incident response is not just about fixing the tech, it's not just about recovering your organization in the short term and long term. It's also about communications and notifications. Key element: you'll be asked a lot about how you communicate within the exam, I'm sure. The final thing they tend to ask in the exam is how roles change when you get an incident. So essentially it's worth just looking around your organization and thinking, well, what did you do before and what are you going to do in the crisis? So the management, for example, they're going to be thinking about managing the business. But in the crisis role they're going to be making public statements. They're going to be assigning extra resources. They're going to be your command and control. HR, they were doing recruitment and performance management. That's optional stuff.
In a crisis they're thinking about where my staff are, are my staff safe. Sales, instead of selling, probably need to contact existing customers and do reputational management. Instead of selling new stuff, they need to be telling their existing customers all the good things we're doing. You can actually come up with a positive spin on anything: look how well we're managing. This can actually reassure your customers. Same with customer service, call centers, anything where the public come in and talk to you. They're going to need to be briefed to respond, dealing with extra traffic, dealing with queries. Marketing are going to change from giving positive messages about the new things you're doing to helping manage that reputation, PR and your media image. Security pivots from prevention to response; privacy has to pivot from complying with the law to advising on new activities. So just understand how these roles might pivot in the event of the crisis. That's what we're going to talk about in terms of that sort of initial assessment. And then we're going to move on to incident response within the next section.