As a leader who shepherded his city through recovery from a major breach, and has helped other organisations (hospitals, fire departments, etc.) and neighbouring municipalities deal with ransomware and other cyber attacks, he is uniquely-positioned to make that statement. Sobering. Scary. But not insurmountable.
Mathieson’s thoughts and approach are echoed by cyber-readiness lawyer Carol Piovesan, and inspectors from the RCMP Cybercrime Investigative Team. Here is their collective 5.5-step approach for responding when you suffer a breach.
First, what constitutes a breach?
According to the authorities, any time that data , especially someone’s personal data, is accessed by an employee or outsider who does not have permission to see that data, a breach has occurred.
Sometimes it’s malicious; sometimes it’s purely accidental. For instance, a filing cabinet is thrown out before being emptied, and data gets viewed by garbage collector. Or someone has company data on a thumb drive or laptop, and leaves the device on public transit. According to authorities, this all falls under the umbrella of a data breach and must be investigated.
The very first moment you have any suspicion that your data and/or network has been breached, you must implement your response plan. Don’t have one? Please check out tomorrow’s blog post; we’ll lay out the items to include.
Here are the 5 steps to take – almost simultaneously.
#1 The RCMP says: Call law enforcement ASAP. Your local police department is fine. Local divisions work closely with the National Cybercrime Coordination Unit (NC3). Jason Greeley, Director, Cyber Crime, Federal Policing Criminal Operations, RCMP, says, “If your corporate headquarters are robbed, you call the police right away. It’s the same thing with a cybercrime.”
He adds, “Under-reporting is a problem in Canada. We would rather be called in right away, because evidentiary gathering opportunities are better the sooner we get involved. If you’re uncertain, let us decide if a crime has been committed. When things are moving at the speed of a packet, every second counts.”
#1: The lawyers say: Call your lawyers ASAP. Some information will be subject to client solicitor privilege; you need to know what can be shared, and with whom.
Many companies also have mandatory reporting protocols to consider. For instance, HIPAA compliance is very clear about what needs to be reported and when. In other industries, the Privacy Commissioner may need to be involved. Let your legal team guide you through this process.
Note: We numbered both these “1” because they need to be done concurrently.
#2: Mobilize your tech team. Containment is critical. Your team leaders need to understand what is happening as quickly as possible and may need to take your system off-line to contain the breach, depending on the nature of the “incident” and the type of data you store.
Obviously this is not done lightly. There can be life-and-death consequences if healthcare systems are taken off-line because the EMR database has been breached. For businesses, stopping production can impact the bottom line to the tune of thousands of dollars an hour. Nevertheless, it is critical to get a handle is going on as soon as possible. Having good protocols and cybersecurity solutions in place will make this much easier.
#3: Contact your insurance company.
#4: Have your communications and PR teams on standby. Consistent communication with your employees, clients and other stakeholders will be key throughout the process. People need to know what to do next and will be looking to your leadership for direction. You also need to protect the company’s reputation by having open, yet controlled and strategic dialogue with the press.
#5: As you go through your remediation steps, notes should be taken of what happens and what needs to be adjusted to minimize the likelihood of future attacks, or at least reduce their potential impact.
I wish I could say you will never fall victim to ransomware or other malware, but that is not the world we live in today. We’re happy to work with you, or colleagues in other companies, to assess your current system and endpoint vulnerabilities. We can recommend software solutions that will reduce your risk, sometimes greatly, along with backup and disaster recovery solutions to get you up and running quickly should disaster strike. Or should I say, when disaster strikes?
Earlier in this note we said that the problem is not insurmountable. With good preparation and professional counsel, that is true. But you do need expert, outside advice. Even if you don’t call us, please seek an expert’s opinion – sooner, rather than later, or when it’s too late.
Note: Although these are steps recommended by multiple cyber-security specialists, we recommend you consult your legal team for direction on how to proceed in the event of a breach. Also, as stated in our Breach Preparedness Planning post (October 6th), it is advisable to consult your lawyers, governance officers, insurance company and other decision-makers in your firm before anything untoward happens, so that you know how best to respond for your specific company’s set of circumstance within the industry and jurisdiction in which you do business. Sounds serious. It is.
