One of the most difficult issues in enterprise cybersecurity – something the US Securities and Exchange Commission is now openly struggling with – is when an enterprise should report a data breach.
The easy part is “how long after the enterprise became aware of the breach should it be disclosed?” Different compliance regimes set different numbers, but they are relatively close, from 72 hours under GDPR to four days under the SEC rules.
The hard part is defining when a corporate entity “knows” that something has happened. At what precise moment does Walmart or ExxonMobil know anything? (If the language said “when the Chief Financial Officer of the enterprise is convinced that a data breach has occurred,” this would be much simpler.)
To unravel this question of awareness, we must first break it down into two distinct aspects:
- What is reasonable evidence of a data breach?
- Who should decide that a business has suffered a data breach? The Security Operations Center (SOC) leader? The CISO? The CIO? The CEO? A subset of the board? The whole board? Just the chairman of the board?
Let’s start with the first element. With the exception of obvious attacks – such as a ransomware attack where a ransom demand has been received along with proof of tampering – most attacks emerge gradually. Someone in the SOC finds an anomaly or something else suspicious. Is that enough to report? Almost certainly not. Then a more senior person in the SOC takes a look.
If things still look bad, it gets reported to the CISO or the CSO. That executive might say, “You’ve sold me. I must report this immediately to the CIO, the CSO and possibly the CEO.” Even so, the disclosure threshold has not yet been reached; those other executives still need to weigh in.
However, the CISO/CSO is more likely to push back, saying something like, “I’m not sold yet. So far it’s just something that looks different. Check some backups, make comparisons, check the dark web for any confirmation. Keep investigating.”
Does the clock start then? Again, probably not. An enterprise cannot report every cybersecurity investigation. The level of proof required to merit public disclosure is high. After all, pity the executive who reports a breach that later turns out to be nothing.
Another factor: most cyberthieves and cyberterrorists excel at hiding their tracks and leaving misleading clues. Tampering with logs is common, which means that IT security cannot fully trust the logs – at least initially. Remember how often the first forensic report differs materially from the second. It simply takes time, even for experienced forensic investigators, to separate the truth from the misleading evidence left by the attackers.
On the second question, who should make the final call on whether a data breach has occurred? One can argue for the best cybersecurity expert (probably the CISO/CSO) or for those most responsible for the enterprise (the CEO or the board), but for some enterprises the Chief Risk Officer may be a good candidate.
Does every enterprise choose for itself? Should the regulators decide? Or should regulators allow each business to decide for itself who the point person is and report that title to the regulators?
Jim Taylor, chief product officer at cybersecurity vendor SecurID, argues that the trigger should happen right there in the SOC. “It simply came to our notice then. He may be the senior analyst, he may be the SOC manager,” said Taylor. “There has to be guilt, responsibility for these things.”
But premature decision making can be problematic. Report a breach prematurely and you are in trouble. Report a breach too late and you are in trouble. “You’re damned if you do and damned if you don’t,” Taylor said.
The truth is that this stuff is hard, and it should be hard. Every breach is different, every enterprise is different, and strictly defined rules are likely to create more problems than they solve.
“The nature of the breach is a big factor in when it is revealed,” said Alex Lisle, CTO of Kryptowire, another cybersecurity firm. “If you think a lot about keeping a forensic team, you should seriously consider reporting it.”
There was a great line in the old TV show ‘Scrubs’, where a doctor in charge of a test lab asked someone trying to repeat a test, “Do you think I was wrong or do you think I was wrong?” That scenario often comes into play when different people are trying to find out whether the enterprise was actually attacked. Does the team know that it has been attacked and simply expect further investigation to prove it? Or does the team really not know?
That’s when an appointed head of breach decisions needs to step in, based on experience and, honestly, a strong gut feeling. Certain parts of cybersecurity are pure science. The early call on whether data has actually been accessed is often not one of them.
Copyright © 2022 IDG Communications, Inc.
When should the data breach clock start?