Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: A Data Breach Won’t Happen to Us…
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd have a very candid chat about the perils of believing that your organization is impervious to a cyber-attack.
How does an organization learn that they’ve been attacked? What are the first things to do when a data breach does happen to your organization? Curious about the real-world fallout from a data breach? Wonder what the true cost of a cyber-attack to your organization might be?
Well, you’re in luck as you’ll find all those answers and more, on this week’s Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the straw that stirs your compliance drink, Mr. Adam Goslin. How the heck are you, sir? I am doing just fantastic today, Todd. How about yourself? Not bad. All things considered, not bad, and I’ll take it.
Today, we’re chatting about a common trap that organizations fall into, and that is, a data breach won’t happen to us.
Now, Adam, as you know, that’s a fantastical premise, right? Yet it happens. Let’s tee this one up for them. All right. Well, you know, you’ve just been breached, and really, the intent here is: do you know what life in your organization is going to look like from that moment on? I can assure folks that nothing’s going to be the same for a real long time. In some ways, when you become cognizant of a breach, it’s kind of like getting a dreaded diagnosis from the doc. It’s all of a sudden, all your priorities shift, and the future of the company’s been called into question. There are no guarantees, and when people start to discover what’s transpired, they look at you differently. So the sad part is, data breaches can be avoided. But time after time, companies are getting breached because they don’t think it will happen to them. Maybe they took a doing-the-bare-minimum approach, maybe they just paid some lip service to their security and compliance, or simply just got complacent over time and didn’t have controls to keep things on track, to trust but verify. I think I’ve said that a time or three. But if you’re in the boat of not quite understanding what to expect in the coming days, weeks, and months after all hell breaks loose, I can tell folks that every single corner of their business is going to get affected by what just happened. So it’s definitely not a position that is enviable. For anybody that’s listening that’s had to go through it, they know exactly what I’m talking about. But for many of the folks out there that haven’t, what’s the expression one of my ex-bosses used to say? It’s career limiting.
Well, speaking of an unenviable position, Adam, how do companies discover that they have an issue? Well, once you become aware, the interesting part is how you end up finding out. If you think about it, I mean, it could be that the internal team figures out, Houston, we’ve got a problem. It could be some known, trusted third party, a customer or vendor, that’s giving you an alert that they’re seeing something strange. It very well could be that the attacker’s letting you know, hey, by the way, you’ve just been breached. It could also be that you’re finding out that your own company’s had an issue by seeing your name lit up on the Googler. So in the first couple of scenarios, you could be lucky enough to have some time to be able to get your arms around things before fit hits the shan publicly. That’ll at least give you an opportunity to try and get your arms around things, and have a shot at getting all your ducks in a row. But when you’re in the latter two scenarios, where the attacker’s letting you know, or it’s hitting the news as your first entree to we’ve got a problem, you have an astoundingly short timeline, or it doesn’t even exist. You’re literally going from zero to, it’s not even zero to 100, it’s like zero to 10,000 in T minus no seconds. So you might not even have till the end of the day to start formulating a game plan. So if it’s already broke, you’re already way behind.
I’ve gotta ask a question here, man. You said that people have found out on the news, or on Google, that their company has had a breach. Even in today’s landscape of technology, that’s still a thing? Well, I mean, in some cases it depends on how it rolls out, right? But if the attacker’s gone in and grabbed data, they’ve already scraped it off the systems, they’ve thrown it out onto the dark web, and people that are monitoring the dark web are looking for data from your organization. All of a sudden somebody gives a tip to the good guys that their stuff’s out there, and all of a sudden you’re landing up on Krebs with your name in lights. I’ll tell you what, there’s a few things in this life that are going to really screw up your day. But finding out secondarily, yeah, that sucks.
Now, what are some of the first things organizations need to do once they’re aware? Well, once you believe you’ve got a problem, there’s a series of things that’ll happen in fairly quick succession. So you’re going to need to get the issue confirmed with your IT and cybersecurity staff, and outsourced vendors, whatever it may be. You’re also going to need to very quickly make sure that the executive leadership is notified that you’ve got a problem. You’re going to need to get immediate calls out to your legal team and your insurance company. One of the things that’s a gut reaction for folks when they find out they’ve got a problem, depending on how they were notified, is that if you have a problem, and you’ve got some semblance of an idea of where this problem exists, there’s a knee-jerk reaction to shut down the system that is being impacted. One of the things to be cognizant about is, don’t do anything without some good advice from experts. But that gut reaction to immediately just shut off the system, or whatever it may be? Don’t do it. Get the advice of your experts as you’re going through this process. Because in an effort to save things, or stop the attack, whatever it may be, you may also be destroying critical evidence that you need to be able to figure out: what did they get to? How far did they get? Where’s it coming from? Where else did they get to within the systems? If you’re just automagically sundowning systems and whatnot, you could be clearing critical logs, including information and data that needs to be integrated.
Your legal team is going to start provisioning guidance on what to do and what you need to say. They’re going to need inputs, and be closely coordinating with your organization. But you want to be real careful to follow their guidance, follow their advice. We’ve had discussions about this, especially the legal arena, before, but one of the biggest problems that folks will run into is that, let’s say you’ve got a lawyer, you’ve got somebody on by name, but they really don’t have any idea what you do, or where your stuff is at, and what your agreements say. When fit hits the shan, that’s not the time to be going, oh, so what would you say we need to do here? We don’t want to be having those conversations at that moment in time; you want to be able to get these people engaged and get them immediately boots on the ground, running, etc. We don’t want to be training them up. As soon as you get the insurance company integrated, they’re very likely to assemble their team of experts and get them deployed to your organization to try to help, to try to mitigate, to try to ascertain, and do forensics to figure out: what happened? How’d it happen? When’d it happen? How long has it been happening? What data’s impacted? All that fun stuff.
So, who’s on that team? What does that team look like? Well, unfortunately, when the insurance company gets into the mix, it’s typically their group of experts. So they’ve got people that they trust to go in and do things. So these are definitely not, we’ll call it, inexpensive. No matter what, it’s not going to be inexpensive resources that you gotta bring in, and you gotta pay everybody. For whatever the reason may be, the trusted partners to the insurance companies are typically far from the cheapest ones out there. They’re not bargain shopping, they’re just trying to make sure that they can help with protecting, right? And so, they’ll draw in various experts. Really, it ultimately depends on: what’s the profile of the target organization? What types of systems do they have? That will kind of equate to the various realms of expertise that’ll be needed as you go through that process. But all of these things start happening literally within hours of you being cognizant of it.
Your normal day-by-day operations, that was yesterday. Everything goes off to the wayside. The security issue hits top of mind. Typically, the next six to 12 months is going to be dealing with the fallout, if your business even survives for that period of time.
And that’s a real fear. That’s not hyperbole. There’s a lot, a lot of organizations that end up going below the waterline as a direct result of experiencing something like this. I mean, the experts are going to come in and treat your business like a crime scene, doing forensic investigations with all these and sundry experts, and you’re going to be on calls day and night. The forensic investigators are busy poring through your logs and your systems, trying to figure out: what all happened? Where did they get to? What was hit? What was impacted? As they’re going through all this evidence and sifting through that, simultaneously they’re doing other testing and validations. You’ve got one team that’s trying to figure out what happened. You’ve got another team that’s busy evaluating how they could have gotten in. Maybe even other members of the team are busily doing security testing in concert with the forensics team.
So you have both of these groups, figuring out what happened and trying to plug the holes. Both of those are going to be gleaning valuable information and sharing it with one another. And for those organizations that run under the header premise we have for this particular episode, of it’s not going to happen to me, you’re in for a wild ride, shall we say. Absolutely.
Now, what typically happens when it comes to public notifications? Well, as you’re going through the process, at some point in the game, and it’s very likely to be sooner than you’re ready, the incident becomes public. It’s not a question of whether it’s going to; it’s either going to leak out, or, if you got notified by a public source, then you’re screwed eight ways from Sunday. But no matter what, when an organization becomes cognizant of this, it’s really effing challenging to try to keep things quiet. Things typically start leaking out. And so, when you’re going through this process, it’s not like you can go, well, we’re just going to sit this on the back burner. It’s probable that it’s going to just leak. And so, you’ve got things to worry about there, including your existing clients, future customers, vendors, partners, employees, and shareholders. They’re all going to end up knowing about what’s going on, besides the broad public announcement that you’ll end up making to the world. You need to figure out specific communication for each of the various stakeholders that I was iterating through a minute ago. Anybody that you either pay or that receives a payment is going to need to be involved in the communication stream. I’d say take the list of those folks and get them into buckets of communication. That way you can do your best to get things organized, as far as the who and what, and what to say. The amazingly obvious statement is, don’t start making public statements without the guidance of your counsel and close coordination with your insurance company. You want to gain and gather the input from the team of experts that are popping out of the woodwork. But take their lead. It’s very appropriate to leverage their guidance and advice. If you think about it, the legal team is there to help protect the organization. Meanwhile, the insurance company is trying to mitigate costs through the process. The manner, mechanism, and content of what you share is going to be critical.
Now the horror movie part of the conversation, Adam: what types of fallout do organizations typically suffer? Well, there’s certainly the financial aspects, right? The fallout from some type of a cyber attack or breach, it literally can shut businesses down. There’s all sorts of different factors for the cost of a data breach that are out there. But it really depends on the types of information that’s being taken; the industry that you’re in will sway it; the volume and amount of data that was stolen will play into it as well. So, for a lot of organizations that don’t have cyber insurance, or adequate cyber insurance, in many cases it’s a fatal blow for the company. Make sure your cyber liability insurance is providing the appropriate coverage, and that it’s actually valid. I’ve seen organizations that thought they were covered from an insurance perspective, and found out at the wrong time that the policies either weren’t providing the coverage they thought they had, or weren’t providing enough coverage for what happened. Even with cyber liability insurance, there’s a lot of companies that don’t make it six months past a cyber attack. There have been organizations, I can’t remember the name of the one, but there was one in Europe, it was a certificate authority that got nailed, and I mean, this was a running, flying business that was pushing through a ton of annual business. They quite literally went from this month I’m a viable business, to next month gone. And it’s hard, you’ve got other ripple impacts, right? What are the impacts going to be to things like business loans, lines of credit? What happens with your existing stuff that you, quote, have in place? There are maybe provisions in there which would make people bail. But certainly if you’re going through, hey, I need to go line up some additional dollars, how easy is that going to be when everything on Google is just talking about how you just had a data breach?
You’ve also got ripple impacts to staffing in a lot of cases, just so the company can survive that process. There’s often drastic cuts, leaving the organization understaffed. The biggest challenge with an organization when it comes to the people is that, unfortunately, it’s the people you can least afford to lose that are typically the first ones to move on. So even if you had to do cuts, and you were planning on the experienced folks being there, being able to help, it often doesn’t work that way. A lot of times, the folks that you can’t afford to lose are the ones that go.
I mean, is that just the nature of, you know, kind of, you’re responsible for something, something goes wrong, you end up holding the bag? How’s that work? It can be from anywhere across the organization. Just look at the logistics of how this rolls out in an organization, right? Whatever, I’m just going to make a number up. So the organization currently has 600 people, and you go through an event, and we’re going to need to go from 600 to 250 type of a deal. And you keep the best and the brightest. Well, guess what? You just went from, number one, there’s a crap storm hitting, to number two, you lopped off more than 50% of the staff. The people that are left are just absolutely f’ing drowning, and you’ve got your best and brightest left, quote unquote, and yet they’re getting overwhelmed. They’re getting stressed out. Like, I don’t need to deal with this, whatever the case may be. Yes, IT or security related positions might be in that arena. I mean, think about the ripple impacts to, oh, I don’t know, customer service and support. You have things along those lines like sales, right? Yeah. I mean, it could be literally all over the board.
Well, let’s say you navigate to the point where you can now start to rebuild, quote unquote. Your name in lights is having an issue. Every time you’re talking to a new client, to try to get them to do business with you, even if you’ve taken it very seriously and have a good story to go with, all they’re seeing is your name in lights. So, it’s astronomically challenging to watch that process unfold. But yeah, there’s a lot of ripple impact once you’ve had to go through the process.
Well, is that reputational damage? I’m sorry, we’re getting a little off topic. But is that reputational damage something that, like, certain companies are too big to fail? Like Target, even though there’s an issue and everybody knows there was an issue, most people aren’t going to stop shopping at Target because of that. Like, is there some of that? Or how does that work? Who survives? How do we know? You don’t, is the long story short. It depends on a ton of factors, right? Health of the organization before they have an event, how big the event was, what the ripple impacts of the event are going to be. Depending on the nature of the business, you look at what realm they’re in. If I’m in the security space, and meanwhile I had a breach, how well is it going to go when you’re trying to convince people to, hey, trust me, we didn’t learn our lesson before, but we’ve got it together now. We’re all over it like white on rice. It typically doesn’t fly. That makes sense.
Now, who does the breach impact internally? Well, a lot of people, a ton of people. I kind of alluded to it a minute ago, like, well, if there is a problem, it’s an IT thing type of a deal. Yeah, right out of the gate, just with the things we’ve talked about so far, it’s hitting a bunch of different business areas. It’s hitting executives, it’s hitting legal, it’s hitting HR, it’s hitting operations, it’s hitting sales, it’s hitting marketing, it’s hitting support, it’s hitting accounts payable. Very, very quickly, as the tsunami basically starts engulfing everybody within the organization, before you know it, it’s all hands on deck, literally all hands on deck right out of the gate. Yeah, sure, it’s IT and legal, but those people in those arenas, yeah, you can pretty much figure that you’re not going to have an opportunity to talk to any of them for a while. They’re going to be locked in a bomb shelter trying to navigate the waters. It’s brutal when the breach happens. It’s not like, oh, my scheduled time is 8 a.m. to 5 p.m., look, it’s 4:58, I gotta go. Yeah, no, that’s absolutely not the way it works. When this type of fit hits the shan, this is sleeping in shifts. This is trying to go and get food and a couple hours of sleep, so you can get back to it. A lot of times, in organizations, you’ll literally see the people at the core of it do things like pull up a couch to get a little bit of sleep and get back to it, or go grab a room at a hotel next door to the office, whatever it may be, because it is tough, man. It’s real tough. You’ve got all sorts of overtime. Coming in nights and weekends, maybe a Saturday, until you kind of claw your way out.
But the legal folks, as we talked earlier with them being familiar with your business and certainly familiar with the cyber arena, you’ve got to be able to have them walk in, and hit the ground running, so you can get advice quickly. The normal contract lawyer, business lawyer, general legal counsel, they’re not going to have the knowledge to be able to just hit the ground running. Once you’ve got the security issue confirmed, hey, we do have a problem here, now you’ve got leadership getting dragged into the middle of it.
You’re going to need to have conversations with various groups; anybody that’s talking to a client or a customer, sales, support, and customer service, are all going to need to get in the loop. As you loop them into it, you’re trying to get together your talking points, and your how do I answer these questions. You’ve got accounting getting dragged into the mix, because the minute that this lights up, now all of a sudden we’ve got a boat ton of spending that we need to go in and do. The minute that it goes public, I guarantee you that it’s going to have taken an immediate and long-lasting hit for inbound dollars. So, they’re going to be going through and doing a bunch of juggling. Most organizations are going to need access to some type of funds right out of the gate. HR is probably going to get pulled into the mix in one of a couple of different ways. Either there’s an immediate need for personnel with different skill sets, that may be one side of it. It’s everything that you need to get on staff, depending on the nature of the issue. Otherwise, as things start to tighten up and the company is realizing that it doesn’t have enough money to navigate the waters, then you need HR involved for coordinating layoffs and things along those lines.
So, we’ve talked through a lot of examples in this bit here. But every single fricking realm of the organization is going to get involved in one way or another. Everybody’s going to get dragged into it. A different way to look at it, too, is everybody’s job is on the line if we don’t navigate these waters. We were just talking earlier about the example of you’re at 600 and need to go to 250.
Well, what happens if you go from 600 to 30, or go out of business, you know what I mean? It happens.
Now, what damage control can be performed? I mean, you’re finally in the midst of the situation, what can you actually do about it?
Well, the minute that things go public, there’s several things that the sales teams can be dealing with. You know, prospective customers in the pipeline, immediately, are hitting the brakes. Most of them are just going to duck and run. There will be a couple of prospects that say, hey, we’re going to pause things, let’s cycle back next quarter. Your inbound pipeline, you can pretty much call that a done deal. And it’s going to be quarters before, you know, you’d start to even be able to get all the communication worked out with those folks. A big part of the damage control with customers is really going to depend on the results of the forensic investigation. If you’ve already had a strong and robust security program, but just happened to get hit with a zero day, you may be able to salvage a lot of the customers if you move fast with the right communication. But if the experts are coming in, and they’re determining that your company was deficient in a number of different areas, you’re going to have an impossible task of retaining those existing clients. And it’s not just the prospects that you’re going to lose; even the most loyal, satisfied customers are going to start immediately working on finding a replacement for you. We’ve talked about it before a number of times, but customers, clients, and partners, they’re going under a guiding assumption that you’re taking care of things properly, that your security’s top of mind, and you’re protecting their information and data. It’s a real rough go. Your client success teams are going to be in the hot seat for answering a ton of uncomfortable questions. So again, working on putting materials together for them, to put them in a position where they can respond with company-approved outbound communication points, is going to be critical. You don’t want them just winging it and answering how they see fit. You definitely want those scripts. There’s no way you’re going to keep this type of an event under wraps.
There’s too many people and too many technologies involved. So your best bet is getting your arms around the situation quickly, identifying the source cause and the issue, remediating it expediently, and making sure that you get expert-approved communications out as quickly as you can. We did a piece a little while ago about how I hate when the organization that got breached sends you those letters that say, we care deeply about your security, but oh, by the way, we were breached. So yeah, you don’t wanna be in that bucket.
Now, how long does recovery typically take? Well, for a typical organization, once they know they have an issue, you’re looking at typically between 100 to 150 days from, hey, Houston, we got a problem, to we have cured the problem. In some cases, it takes longer than 150 days. In some cases, you move faster than 100, but generally speaking, you’re looking at somewhere around three or four months to be able to navigate those waters. Just imagine three to four months of dealing with this fallout. Long days of overtime and stress, it’ll literally eat years off your life. What I mean by the recovery is, that’s just for you to be able to get back to normal business operations, to clear up any compliance obligations and pay fines, and to gain customer and employee trust, starting to work on getting that restored. Making sure that you have the right controls, technologies, and expertise in place, so you’re not in this position again. And there’s a lot of hard lessons that get learned by an organization that has to go through this process. Some of the ripple impacts may mean you need to switch vendors. You might need to put in security solutions you didn’t have before. You will need to go ahead and bolster your cyber security and compliance stance, making sure you’ve got things buttoned up. I’m a huge fan of trust but verify, making sure that you have a structure in place whereby you can keep your eyeball on what needs to be done, and did it get done? Did it get done correctly? Did it get done correctly when it was supposed to get done? All of those are going to start to play into it. Invariably, there’ll be some additional training or retraining of personnel related to security and compliance as a result. In that training specifically, that’s something that you really need to roll out to everybody. This is everybody from the mailroom clerk to the CEO that needs to be involved in this training.
I can’t tell you how many organizations that I’ve interfaced with where it’s like, well, we don’t need to train the CEO. No, you train everybody. Anybody could be a witting or unwitting participant in causing a problem for the organization. So it’s important, it doesn’t matter if they’re employees, contractors, freelancers, or vendors that have access to your system, but you need to make sure they know what they’re doing.
For organizations, as they go through this process and they start to identify, this is really where the peeling of the onion starts to come into play, right? As you start to identify shortcomings in your controls or vulnerabilities that you’ve got in your systems. The real question for these organizations is, how did that vulnerability even get there? How is it we didn’t know that this was an issue? Why didn’t we have an alert? Why didn’t we have a detection mechanism? So what organizations typically will find, is that they’ve got missing control coverage, control definition, and control execution within their environment. And really, it’s a lesson to be learned as you go through that process of really taking an analytical mind to, how the hell did this get there in the first place? Because the more that you can get all of those controls buttoned up, the more you’re strengthening and improving your overall cybersecurity plan.
Now, why should organizations have a plan before a breach were to occur? Well, it seems counterintuitive, especially to those organizations that run around with their fingers in their ears, repeating the words la, la, la, la, la about there being a possibility of a security breach. But a lot of folks don’t even know, who do I need to get, who do I need to notify if we have a problem? They don’t know what their contractual or legal responsibilities are. They definitely don’t have any type of a standard operating procedure for what to do. You’ve also got an entire organization of people that are going to want their own answers. The employees, the board members, they’re all stakeholders in this mix, and they’ll be looking for answers as well. Because there’s so many things that you need to fling into motion, you definitely want to have pre-thought through your incident response plan in advance. Making sure that you have coverage for things like, what are the escalation steps that we need to take? Who needs to be involved? What’s going to get communicated to whom? By whom, and when? How are you even going to effect the communication, who’s going to do that? Who’s going to be saying what? So, your security team should be walking through a tabletop exercise regularly, so that you can basically stage up the team at large for being able to navigate these waters with everybody walking in eyes wide open. Certainly I would recommend doing a broader scale test, you know, test the emergency broadcast system. But doing a test of the incident response plan, doing that at least once a year. Oftentimes what I’ll see is, I’ll see organizations leveraging lower severity incidents simply to exercise their response plans and get those tested out.
So I have a silly question for you here. Is an incident response plan the same as a disaster recovery plan? Is it just a nice way to say it, or is it different? Typically, your incident response plan will govern the nature and direction and steps that are taken, given certain circumstances, right? Your incident response plan could be covering everything from, benign security investigations, all the way to we have a holy crap moment type of thing, and everything in between. So you’re not necessarily going to need to invoke your disaster recovery plan, or business continuity plan. However, you may need to invoke it depending on the severity and nature of the incident.
Keeping in mind with an incident plan, some of the things that come into play are going to be in the technology arena. God, it could be that, whatever, a helicopter just blasted through the roof of your manufacturing facility, who knows. But the business continuity and disaster recovery, is really more of a detailed plan that kind of plans out how do we recover from varying degrees of these incidents. It could be everything from technology to non-technology, or things like staffing, and vendors. There’s all sorts of considerations.
Parting thoughts and shots for the folks this week, Adam. Well, you’ve got the notion of trying to get back to normal after you get through one of these things. How long is it going to be before you, quote, get back to normal? Well, I don’t know what to tell anybody, but if you’ve had the unfortunate experience of going through this, you already know that life isn’t going back to the way it used to be. There’s definitely going to be some adaptation of new things, new process, new structure, and new controls. The security event, for the organizations that do navigate the waters and survive the process, they’re changed, they’re definitely changed afterwards. There is a high likelihood for organizations that go through that process that you’re going to end up needing different staff, different vendors, and different technologies. It’s probably going to include some massive belt tightening to navigate the waters. And once you’ve gone through that process, it really is going to push a whole different approach for the organization, and for the business. The negative impacts of a data breach are certainly going to be there for years. But once you’ve gone through that process, you have a much stronger affinity for having your ducks in a row, doing things proactively, and taking your security and compliance seriously.
I don’t think there’s anybody that’s been through a breach that didn’t kind of see the light. It’s a horrifying experience. You definitely don’t wanna be in that mode.
And that’s part of the reason why TCT stepped into this arena. We created the company to help people make managing all of this stuff suck less. So that’s the whole reason why we got into this space. Indeed. Tell your friends, if you’ve listened this far, you’re a fan of ours and we’re a fan of yours. Let other friends in the compliance space know about Compliance Unfiltered, like, review, share, all the things, help us in all the ways.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.