Charlie proposes an inventory of information which your organisation should consider to conduct a cyber data risk assessment.
This week I was conducting an exercise for a government organisation. As we have worked with the company for a number of years we decided to go for a slightly different set-up, so this time we used loss-of-data as the scenario. The scenario was an attempted extortion by a person who said they had a copy of one of the organisation’s databases and they were threatening to dump it on the dark web if ransom was not paid.
The first part of the exercise was the receipt of the ransom email. There was a brief discussion and as a team they decided to get the sample of data that was supplied with the extortion email verified by information security. There was a very visible change in atmosphere amongst the incident team when they were told the information supplied as part of the ransom email was confirmed as being genuine. The discussion quickly turned to questions regarding what the database contained, what was its value and what was the impact of the loss of the data? They also discussed that if the hacker had access to their main database then what other information could they have access to and what the impact of losing this data would be.
Many of the larger breaches have occurred in the USA and due to their regulations these organisations have a number of weeks or even months to prepare before they have told those affected. This gives them time to prepare for the breach and get themselves organised, to understand who was affected and to prepare their response. In Europe, with GDPR reporting regulations, there is a requirement to report the breach within 72 hours, and then inform those affected. As the time is so short, I think organisations should carry out what I have called a ‘cyber data risk assessment’ to understand their exposure to a data loss. As many hackers have been in their target’s systems for days, and in some cases even months, there is the possibility that all data could have been compromised. There isn't time to carry out an assessment and to fully understand the loss of the data after the hack, so I believe this should be done now in advance of any incident.
Similar to the work done as part of the organisation’s GDPR preparations, I think the following items should be documented. The organisation then has a full list of all the data and other electronic information they hold which could potentially be stolen by a hacker or, as revealed in this exercise, an insider who has internal access to the organisation’s system.
An inventory of information should be made taking into account the following:
1. What personal data we hold on which groups of people. This could include the following groups:
a. Customer data - including potential customers, past customers
b. Staff data - including salaries, bonuses, disciplinarians, complaints, investigations, home details, bank accounts, next of kin details and financial information
c. Information on Customer Relationship Management (CRM) systems
d. HR information - including copies of passports, details on past employees, pensions, potential employees, staff who have been sacked or disciplined
e. Supplier data - including potential suppliers and past suppliers
2. What intellectual property, patent information and inventions do we hold on our systems?
3. What ‘business’ information we hold, such as:
a. Negotiating positions
b. Price sensitive information
c. Possible mergers and acquisitions
d. Organisation strategies
e. Financial models
f. Restructuring information
4. What is the most embarrassing bit of information you hold? Consider information and personal comments in emails or company communication system?
5. Do you have data which can be exploited for financial gain or used to commit fraud?
a. Bank account numbers
b. Sort codes
c. Credit card information
d. Invoicing details
6. Our exposure to having operations impacted by a hack or infection to ransomware which could impact on our organisation, including:
a. SCADA and other industrial control systems connected to the organisation’s network
b. Integrated supply chain with third parties
c. Internet of things (IoT)
d. Internet connected building management systems
Once you have done the basic inventory, I think there should be a more in-depth evaluation looking at the following:
1. What are the categories of the data you hold? For example, do we hold National Insurance Numbers, do we hold credit card numbers or not?
2. How many of each data set do we hold? One of the earliest questions the media will ask after a breach is how many people are affected. If we change the number later into the incident and say more than we initially said, this will make us look incompetent or dishonest.
3. Understand the nature and value of the information held and how it can be used fraudulently by the hackers. Once we understand this, we can then devise appropriate measures and the support we can give to those affected. This can also help in our communications to those affected by helping them to understand the risk posed by the data breach.
4. We have to compile a complete list of those whose data the organisation holds so that after a breach you can contact them. There is not time to trawl through numerous databases to compile a list. You should also review how you would contact them after a breach, and whether you have the relevant details on how to carry this out.
5. For all data you need to understand how it is protected and how vulnerable you are to a cyber breach. Is the data encrypted, which makes it harder to obtain, or is it held unencrypted?
6. In general terms, you should also put together a list of the cyber-security measures you have taken to protect the organisation. These can play an important role in saying that you were prepared for a breach and that lack of investment, knowledge or preparation was not the cause of the incident. You should consider putting the following items on your list:
a. Formal certifications: ISO 27001, Cyber Essentials Plus
b. Standards worked to or aligned with
c. Compliance with industry standard, good practice or guidance
d. Staff qualifications
e. Third party contracts, affiliations or ongoing support
f. Audits, penetration testing, reviews
g. Staff awareness campaigns
I believe having this information readily available will allow for quick decision-making and the team responding to the cyber incident will have the information they need to made decisions at the beginning of an incident. We have limited time to get information together because of GDPR regulations, and our organisation will look incompetent if we ask for more time. As many say, it is not a case of ‘if, but when’ you will have a cyber breach, and so carrying out a cyber data risk assessment is important preparation and should be done as soon as possible.