With the current pandemic, an unprecedented wave of cybercrime is flooding the entire world, with a major risk of Data Breaches in the form of theft, corruption, or hijacking of critical data. To take stock of this unprecedented situation, as an expert specialist in Data Privacy and Data Protection, we along with AUSY group’s cybersecurity division, present our views on the current situation.
Has the health crisis had an impact on business security and cyberattacks?
The health crisis we are experiencing has brought profound, drastic changes to the way we work, with short-term constraints that aren’t necessarily sustainable over time. Most companies need to put exceptional measures in place to maintain their operations. Some of them were already experienced in teleworking methods, facilitated in recent years by legislation, cloud services, and collaborative tools. Others had to react urgently, sometimes even at the expense of the security of their infrastructure. For example, employees who weren’t prepared or sufficiently aware of the IT risks involved, were permitted to use personal equipment for professional purposes or install consumer software not approved by IT departments.
Once cybercriminals realised this, it wasn’t long before they took action. Cybercrime has clearly grown to unprecedented proportions since the beginning of the pandemic. Cybercriminals have managed to play on the pervading panic, the destabilisation of employees in their home environment, and the gradual blurring of barriers between professional and personal activities.
For example, there’s been a sharp increase in phishing attacks worldwide achieved by sending false notifications to get people to connect to a videoconference, listen to an audio message, or get the latest news about the spread of the epidemic. These attempts to infect IT tools are true time bombs waiting for just one thing: for the user to reconnect to the company’s network!
Today, more than 90% of malware is spread by email through “Spray and… Pray!”, a term borrowed from the financial world that refers to the mass sending of generic messages, or “Spear-Phishing”, a more complex and effective technique that targets an individual more specifically and is therefore more deceptive for the user. Once you’ve clicked through the wrong link, you’ve opened the door wide to malware, which will try to exploit weaknesses in your PC configurations or in your installed software that hasn’t been updated.
In short, whatever resources a company has invested in the technical protection of its IT infrastructure and its applications, all of us as users remain the weak links and potentially the source of a Data Breach.
How would you define a Data Breach?
The GDPR defines a Data Breach as an accidental or unlawful breach of security leading to access to personal data and potentially their destruction, loss, alteration, or disclosure, resulting in a possible invasion of the privacy of the data subjects. The goal is to collect valuable data either to monetise the data in other environments or to demand a ransom (usually in the form of bitcoins).
The European Union’s GDPR (General Data Protection Regulation) adopted on 27 April 2016 is the text of reference regarding personal data protection. It strengthens and unifies the protection of data and the free movement of data for individuals within the European Union.
In your area of work, what are the main impacts and consequences of a Data Breach?
We can only note the vulnerability of our organisations and the exposure of our data in the face of this growing cybercrime. Over the past five years, there’s been an explosion in the frequency and impact of data leaks. The damage caused by cybercrime is estimated to reach around $6 trillion in 2021. Attacking a business can be very lucrative: hackers demand millions of dollars to restore data encrypted by ransomware. If the company refuses to pay, hackers have no qualms about auctioning off the data or posting the data online. So, a Data Breach inevitably leads to more or less serious consequences for a company’s reputation and therefore a financial impact related to the potential loss of customers, partners, or investors. In addition, if negligence is clearly evident, the supervisory authority may impose a fine of up to 4% of the company’s overall turnover.
Have you noticed any recurring pitfalls in managing a Data Breach?
It’s been said time and time again that it’s no longer a question of knowing IF your company will be the victim of an attack, but WHEN AND ESPECIALLY HOW TO REACT when it happens? You shouldn’t wait until the house is on fire to think about how to reach the firefighters and what you should save first. So, the right questions need to be asked today about the procedures, technical resources, and organisation to be deployed on the day of the crisis.
We rely on our experience to detect systematic failings in the face of the type of attack. Above all, the issues mainly relate to a lack of acculturation of the organisation as well as inadequate processes and governance. The main pitfalls in managing a Data Breach are directly related to the lack of preparation or the lack of implementation of formal processes as well as uncertain governance that expose organisations to the impacts that I mentioned. When a breach is detected, no one is prepared to deal with operational matters.
Is it easy to detect a Data Breach and assess its technical impact?
Far from it! According to a 2019 IBM survey, a security incident is identified on average 206 days after its occurrence, and an average of 106 more days are needed for corrective actions and post-mortem examinations. That’s almost a year! These time frames can be explained by the large amount of data and records generated each day by modern information systems (from several gigabytes for small information systems to terabytes for large groups) and the increasingly sophisticated techniques used by malicious parties. ISD/ISS teams are often too small and overburdened to be able to process, analyse, and correlate the information properly.
What technical information needs to be collected and included in a technical report to properly document a Data Breach?
The main purpose of the technical data to be collected during a data leak is to guide decision-making in a time of crisis. The collected data should answer the following questions:
- Who are the people affected by this incident?
- What types of data (nature, format, quantity) were accessed without authorisation?
- Who had access to it (internal, external, unidentified)?
- When did the leak occur, how long did it last, and when was it detected?
- How have the data in question been manipulated (reading, copying, exfiltration, alteration)?
- What was the source of the leak (malicious act, human error, technical error)?
- What corrective actions should be applied immediately and in the long term?
- Could the phenomenon happen again?
The only way to be able to answer these questions is to have been prepared before the incident, namely:
- Regularly ensure that all the relevant systems generate logs (firewalls, web proxy, databases, anti-virus software, office access systems, etc.).
- Make sure that these logs are centralised, secured, and protected against malicious tampering. It’s difficult to analyse the source of ransomware if the log centralisation server is also encrypted, for example.
- Map the data, associated processing, authorised access, and interactions between the various tools. For example, if the company processes sensitive data (health, banking, personal), it’s very important to know the data storage location and format and who has the right to access the data.
- Make sure that all access and actions on company data are non-repudiable and properly tracked.
In addition to guiding decisions taken by management and the DPO (Data Protection Officer) on how to manage the crisis, this information will also make it possible later on to provide evidence to the regulator, communicate effectively to the data subjects, and help in the implementation of technical remedies and fixes.
How do we know that a Data Breach has been properly managed?
A Data Breach is considered to be well managed when:
- An incident record was opened as soon as the problem was discovered.
- All information about the problem necessary for the Data Protection Officer has been documented.
- All the data processors (as defined by the GDPR) concerned have been informed of the progress made on the problem.
- All information about the progress made on the problem is documented in the ticket.
- The problems or limits that led to the problem have been clearly identified and corrected.
- In the case of a data processor, the Data Protection Officer immediately communicates all information about the problem to the data controller(s) after identification by the DPO’s team.
- In the case of a data controller, the Data Protection Officer communicates all information about the problem after identification by the DPO’s team within 72 hours to the supervisory authority and potentially to the data subjects after consulting the company’s management and/or the supervisory authority.
- All the information was communicated. All the procedures requested by the supervisory authority and the data subjects were completed within the allotted time.
- The status of the associated incident was updated appropriately and closed only when the situation met all the required conditions.
- Technical measures to prevent a recurrence of the original problem are put in place in a lasting, reliable, and documented manner.
When is the management of a Data Breach completed complete?
A Data Breach case can be considered complete when the incident is closed with one of the following actions:
- Case recorded and not communicated to the supervisory authorities and to the data subjects (as defined by the GDPR) after the company’s management has taken an informed decision based on all the case information provided by the Data Protection Officer.
- Case recorded and communicated to the supervisory authorities after the company’s management has taken an informed decision based on all the case information provided by the Data Protection Officer. All the information was communicated. All the procedures requested by the supervisory authority have been completed. The data controller hasn’t made any further specific requests.
- Case recorded and communicated to the supervisory authorities and to the data subjects after the company’s management has taken an informed decision based on all the case information provided by the Data Protection Officer. All the information was communicated. All the procedures requested by the supervisory authority and the data subjects have been completed. No further specific requests have been made by the data controller or the data subjects.
What are the most effective remediation methods?
Let’s face it, there’s no quick fix. Defence in depth remains the most suitable standard. The goal is to put up as many layers of security and protection tools as possible to delay an attacker (and therefore be able to detect an attacker in time) or limit the impact of an attacker’s intrusion. From perimeter protection to data encryption to the principle of least privilege, all resources have their role to play. But as mentioned before, a malicious or careless user who copies a confidential document on a flash drive to take it home completely bypasses all these tools. Continuous preparation and adaptation work in terms of information, organisation, and processes with employees and partners is therefore of the utmost importance.
What do companies lack in dealing with attacks properly, and what could be a better approach?
In a traditional organisation, which is what most of our customers have, various people at different levels are involved in this type of situation:
- Legal consultants and lawyers
- Security specialists, as defined by ISO 27001
- IT managers focused on day-to-day operations management
- A legal department, also operating day to day
However, most of the time, these roles are provided in parallel, with varying degrees of capability, without there being any appropriate link or synchronisation in order to coordinate and guide all the operational tasks to undertaken. Therefore, no one can or wants to deal with the “problem” in its entirety.
In addition, given the current post-pandemic situation, struggling companies are focusing more on restarting their operations and nursing their financial health than on data security. Also some teams are still decentralised, which means that data security isn’t a priority issue. It can also complicate the coordination of actions for an appropriate response to an attack.
The data controller (as defined by the GDPR) must consider the management of Data Breaches a priority and has 72 hours to identify the problem with the right level of detail, implement corrective measures, and inform the CNIL and the data subjects. Managing a Data Breach requires a global framework for governance and communication and for technical analysis and remediation.
What is the benefit of partnering with a third party (OAKland/AUSY) to manage a Data Breach rather than working with just the company’s resources?
Relying on trusted partners to prepare beforehand and manage a Data Breach after the fact can be the solution. Bringing together complementary strengths and know-how, as is the case between Oakland and AUSY, we would make it possible to offer comprehensive, end-to-end management of data security issues. The combination of expertise in cybersecurity and GDPR ensures support for the prior alignment of the organisation and the breach management process both in definition and implementation and in managing crises, not to mention the ongoing adaptation to changes in organisation and regulations.
Oakland Group also has experience with upstream preparedness and awareness actions, but also the appropriate reactions and procedures to follow once an incident has occurred. This coupled with AUSY’s cybersecurity technical expertise ensures an end-to-end service, from the consulting phases to remediation. In addition, the GDPR uses very specific language and is based on a well-defined structure of responsibilities, communication channels, and time frames. Partnering with a company whose core business is data and data protection makes it possible to add the governance and process layers to the technical know-how provided by AUSY. Therefore you benefit from a single point of contact – direct and simple activation of the process, and support until the final closure of the incident. All-in-one service!
S.O.S. Data Breach is there for you! contact us
