How to respond to a cyber security breach

These days, it’s not a case of what do to if a cyber security attack occurs, but when. Breaches are commonplace and come in many forms, and are alarming for the businesses affected.

Organisations can learn a lot from the experiences of others that have endured an attack.

A true team effort is required, as there are so many actions required for an attack to be spotted and managed as quickly as possible. Staff need to be trained and the business must have policies in place dictating the correct procedure. Organisations that do not have clear reporting lines can find themselves floundering.

A response plan is critical. This should identify who is responsible for co-ordinating the response and which third parties need to be involved. Running dummy attacks internally will also ensure stakeholders have some familiarity of their responsibilities.

An effective response involves being familiar with the organisation’s own systems and carrying out regular penetration testing. It is not unusual to come across companies where old technology, or a failure to install updates, has left them vulnerable.

Regulators will want to see how employees reacted: how quickly was an attack spotted, was it appropriately escalated, were the individuals dealing with the attack aware of potential reporting obligations and, crucially, have the relevant employees received any training? Failures on these points increase the chances of enforcement actions from regulators.

Key stakeholders are the internal IT department, any in-house or external legal team, the data protection officer, and any cyber security experts. The benefit of instructing lawyers early on is that they can co-ordinate the disparate parts of a response, and potentially help claim legal privilege over certain elements of the response.

The response team can then consider what information each separate group needs to gather to determine exactly what has happened: where has the attack come in, what has been compromised, is the attack over or is it ongoing?

A common key ingredient in a bad response is not knowing which third parties need to be informed of the attack. Insurers may need to be notified immediately, otherwise any relevant policy risks being voided. The insurer may also require technical experts to be brought in to mitigate the threat.

Attacks of a certain severity that involve personal data need to be reported to the Information Commissioner’s Office under UK law, and, potentially, to the individuals affected, too.

Regulators in other jurisdictions might also need to be notified of a breach. The timescale for notification is often tight — for example, 72 hours on becoming aware of a breach. Therefore, this is not the moment for businesses to be establishing, for the first time, which countries’ data protection laws apply to them.

Reputation is key, as well. So liaising with PR consultants may be another part of the jigsaw to consider.

Ransom demands are an increasing feature of attacks. The ICO and National Cyber Security Centre advise organisations not to pay — even if to secure the restoration of personal data.

We were recently instructed to act for a multinational organisation, after it had received notification from a threat actor that personal data had been exfiltrated and placed on the dark web, and a ransom was demanded.

The organisation appointed a cyber security expert to contain the threat, and we advised on reporting obligations. The focus was to ensure that as full a report as possible was made to the regulator, also demonstrating that the individuals had reacted quickly when the breach was detected and that they had been trained to safeguard personal information.

Although no sensitive data was involved, the organisation informed the individuals affected and took out identity fraud insurance on their behalf. In this case, the regulator was satisfied that it had acted responsibly.

In another example, we were approached by a company that had received advice about its fallible system but ignored it. We advised that the company and directors were at risk of claims and that failing to report to the ICO could be extremely damaging.

What these, and other examples, have shown is that, where processes are established, systems are updated and invested in, and expert advice is adhered to, organisations will be better equipped to ride the wave of inevitable cyber attacks and mitigate their impact.

Joanne Vengadesan is a partner and data protection expert at Penningtons Manches Cooper