Tactical and strategic steps for successful cyber incident preparedness

September 30, 2022 | David Krebs

To kick-off this year’s cyber awareness month, we wanted to present an article that would look back on the past year along with our experience counseling organizations, large and small across all sectors, through the ordeal of cyberattacks, data extortion scenarios and other data security incidents. The intention of this article is to set out some of key measures that could help prevent these attacks from having devastating impacts on the victim organization.

Growing importance of incident preparedness

Ransomware attacks that now usually operate on a dual extortion model (data encryption plus data extortion), as well as other cybercrimes such as social engineering and email scams, have been rapidly increasing in Canada. The Canadian Centre for Cybersecurity reported that in the first half of 2021, ransomware attacks had increased by 151% year over year. According to many sources, this trend seems to be continuing in 2022. It has certainly been our experience that this is the case.

On the regulatory response to this in June of this year, Canada’s Minister of Public Safety introduced Bill C-26 (alongside Bill C-27, which is aimed at updating Canada’s federal private sector privacy legislation). Bill C-26 amended Canada’s Telecommunications Act and introduced the Critical Cyber Systems Protection Act in an effort to bolster cyber security across federally regulated essential infrastructure (telecommunications, finance, energy and transportation sectors). These cyber security programs must implement reasonable steps in detecting and minimizing cyber security incidents, in addition to managing organizational risks, such as risks associated with the supply chain and the use of third-party products and services. While not directly applicable to other sectors, implementation of such programs is important for almost any organization.

CISA, the Cybersecurity and Infrastructure Security Agency of the United States, currently highlights four easy steps for anyone to take to enhance cybersecurity.

It is trite to say that it is not if a cybersecurity issue will emerge, but when. It is the controls and organizational preparedness that will help manage these incidents with the least amount of detriment.

These measures are not a cure-all that will prevent all breaches, but they are fantastic tools to prevent severe outcomes. They seem straightforward enough, yet their implementation is far from consistent across sectors and across the country. Without organizational will, resources and knowledge, they will either not be implemented successfully or inconsistently.

CISA four “easy” steps

  • Enable Multi-Factor Authentication (MFA);
  • Use Strong Passwords;
  • Recognize and Report Phishing; and
  • Update Your Software.

Canada’s Centre for Cybersecurity highlights six top measures organizations can take to protect their systems and prevent attacks:

  • Developing an incident response plan;
  • Patching systems;
  • Strong User Authentication;
  • Using offline Backups;
  • Enabling security software; and
  • Training employees.

Foundational and programmatic measures

These security measures, both technical and organizational, must be planned, implemented and supported internally. There must be an organizational and leadership buy-in.

For instance, a password policy must be managed and implemented in a way that best protects the organization. Beyond forcing strong password use, employees should be trained on not re-using passwords in their private lives, password retention hygiene and not to share passwords with others.

In order to recognize phishing attempts, employees must be trained and made aware of the risks. In order to report phishing, organizations require an infrastructure and organizational escalation processes to do so. Patching routines must be developed, followed and monitored.  In order to implement MFA, organizations require the will, resources and time. These are some examples of why “easy” to comprehend is not the same as “easy” to see through and implement in an organization.

For those reasons, a strong cybersecurity program requires these additional steps to succeed:

  • Knowledge and Leadership. Management and a Board that understands and is knowledgeable about the risks and regulatory environment. A leader in charge and accountable for data security, who has the backing and resources to meet the risks the organization faces.
  • Incident preparedness. Incidents will happen; organizations need to have a plan in place that addresses the possible sequence of events, who the internal and external team will consist of and how and when to deploy resources. This includes knowing, assessing and obtaining appropriate insurance coverage and coinciding risk assessment. It also includes considering any unique aspects to your organization or business that could complicate an incident response. For example – is there a key customer relationship; are their systems that are particularly vulnerable or house particularly sensitive information?
  • Privacy Awareness. Strong security will help organizations be compliant with privacy laws. Knowledge of and compliance with privacy laws will help organizations manage and protect data according to sensitivity, as well as the incident and prioritize resources.
  • Vendors and Customers. Provisions in contracts with vendors and customers should reflect the needs of the organizations, including provisions that enable contractual and regulatory compliance.
    The Data. Know the data you possess. This is part of incident preparedness but goes further. Understanding data is part of risk mitigation and data governance.
  • Allocating sufficient resources. Once the organization understands the risks, appropriate resource allocation will follow, including assessment of cyber insurance needs.

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.