banner image banner image
 

Unmasking Cyber Threats: How to put safeguards against data breach & mitigate risks

Sachin Yadav, Partner - Forensic, Financial Advisory, Deloitte India, is a seasoned cybersecurity expert with over 17 years of experience in digital forensics, electronic discovery, and incident response. In this interaction with Adgully, Yadav sheds light on recent cyber fraud trends, best practices for conducting investigations, and crucial steps organizations can take to mitigate cyber risks.

Could you provide an example of a recent cyber fraud incident and how it was addressed?

There was a recent Ransomware outbreak (the “incident”) at one of our client premises. 200+ computer systems were infected, leading to business disruption at their corporate office as well as manufacturing units. The perpetrator demanded a huge ransom amount to release the stolen data. They were also threatening to publish sensitive company information (such as employee personal records, business critical details, etc.) across social media platforms.

We were engaged to respond to the said incident and carry out a root cause analysis. A team of cyber incident response and digital forensic professionals worked 24x7 for almost 5-6 days with the client’s IT team to contain the lateral movement of ransomware infection and restore operations. While we were able to limit the extent of the outbreak, the company suffered a significant financial loss during this period.

The team successfully identified a few critical vulnerabilities present in the IT infrastructure which helped establish the modus-operandi of the intrusion.

In parallel, the team also assisted the company’s management to formulate a communication plan to notify CERT-IN/ local Police and other important stakeholders of the company, including employees.

What steps would you take to conduct a thorough investigation following a data breach?

Conducting a thorough investigation entails the following steps:

  • Assess the impact: Deploy a qualified team to determine the scope, scale, and complexity of the reported data breach. It includes identifying the types of data compromised, the number of affected records or systems, and the potential exposure of sensitive information.
  • Identify, isolate, and contain: Take immediate steps to identify and isolate impacted computer systems to prevent further unauthorised access. Invoke containment measures by changing passwords and revoking access from critical business applications/ systems. Patch open vulnerabilities and/ or update operating systems, antivirus definitions to minimise any further possible compromise.
  • Acquire and preserve evidence: Acquire system artifacts/ other relevant evidence related to the breach. This may include creation of forensic images of affected systems, preserving log files, and documenting all activities performed. Correlate sequence of events to identify tools, tactics, techniques, and procedures (TTPs) adopted by the perpetrator. This would be required to initiate legal proceedings if need be.
  • Notify and communicate: Comply with legal and regulatory requirements (required under a data breach) by notifying and sending out a communication to affected stakeholders, including customers, employees, business partners, and regulatory authorities.
  • Remediate:  Implement immediate remedial actions to address the identified vulnerabilities or weaknesses exploited in the data breach. This may involve patching systems, updating security configurations etc. It is recommended to run remediation activities in parallel to the root cause analysis so that real time effective measures can be implemented.
  • Monitor and implement lesson learned: Implement robust network traffic monitoring for any signs of persistent threats. Elevate security protocols/ practices and update the cyber incident response plan based on the lessons learned.

How do you ensure compliance with privacy regulations while investigating data breaches?

Globally, data privacy/ protection regulations are mainly focused on defining who has access to data while data protection focuses on applying those restrictions. In the event of a data breach, these laws have provisions to levy hefty financial penalties, making it imperative for organisations to put stringent safeguards against misuse or breach of data.

Even while investigating data breach incidents, investigators should follow some of the best practices outlined below, to help protect possible inadvertent leak of information:

  • Obtain consent or authorisation from data owners before accessing, collecting, sharing personal data for investigation purposes.
  • Assess mandatory disclosure timelines and accordingly notify affected stakeholders, including CERT-IN, customers, employees, business partners, and other regulatory authorities such as RBI, IRDA, SEBI etc. applicable to the Indian jurisdiction.
  • Engage with legal counsel (also referred to as “Breach Coach”) throughout the investigation process to ensure compliance with legal and regulatory requirements, protect sensitive information, and mitigate legal risks associated with the data breach.
  • In case the data breach involves hacking or unauthorised access by human intervention, engage law enforcement authorities and pursue legal action.
  • Evaluate the potential value of the compromised data and/ or business disruption impact, as well as the potential for regulatory penalties or legal liabilities.
  • Ensure that all collected data is secured (encrypted) during transfers and storage. Implement strong access control and authentication mechanisms.
  • Use appropriate technology to segregate/ mask the data which appears to be personal in nature (such as KYC documents, medical records, personal photographs etc.) prior to analysis.
  • Only collect and process the minimum amount of personal data necessary for investigation.

How would you assess the financial impact of a cyber-attack on an organisation, and what measures would you recommend mitigating such risks?

Cyber-attacks often have a huge impact on organisations, which could be in the form of financial loss, reputational loss, loss of trust, to name a few.

Provided below are examples of a few direct (and indirect) financial impact that an organisation could face:

Direct financial impact:

  • Legal and regulatory penalties as per local data protection/ privacy regulations within India/ outside India.
  • Ransom payments in case of a ransomware attack.
  • Expenses associated with hiring qualified investigators/ professional advisors, breach coach, and compliance requirements resulting from the breach.
  • Contractual penalties, litigation cost and/ or liability claims from affected parties.
  • Cost incurred for restoration of impacted IT systems and data recovery efforts.
  • Investment towards updating relevant cyber security tools/ technologies, to help prevent future attacks.

Indirect financial impact:

  • Business disruption, downtime, low productivity leading to loss of revenue.
  • Loss of reputation/ brand image due to lack of trust of customers/ business partners.
  • Losses incurred due to intellectual property theft.
  • Delays in strategic growth aspirations, and/ or planned merger and acquisitions.
  • Cost for employee awareness training and hiring new workforce to strengthen cyber security posture.
  • Cost towards elevating regulatory compliances/ tightening of vendor on-boarding process.

Measures to mitigate risks:

Mitigating risks that arise from cyber-attacks need focused strategic initiatives:

  • Training and awareness: Create organisation-wide training and awareness campaigns, carry out cyber drills/ simulations, table-top programmes to test effectiveness.
  • Strong detection, prevention, and prediction of threat: Continuously and proactively monitor incoming and outgoing data traffic to identify and timely respond to security events.
  • Cyber liability insurance: Evaluate cyber insurance policies to understand coverage limits, exclusions, and deductibles for various types of cyber-risks.
  • Strengthen third party diligence: Assess the cyber security maturity of third-party vendors and suppliers to mitigate supply chain risks and ensure compliance with security standards.
  • Periodic risk assessment/ audits: Conduct regular assessments to identify and prioritise cybersecurity risks, vulnerabilities, and threats.
  • Best practices security protocols: Implement robust cyber security protocols, such as firewalls, intrusion detection systems, endpoint protection, and encryption, to prevent and detect cyber-attacks.
  • Contractual clauses: Include cyber security related clauses in contracts with third-party vendors to establish security requirements, liability provisions, and incident response obligations.

Could you outline the key components of a robust cybersecurity policy?

Key components of a comprehensive cybersecurity policy include:

  • Introduction and purpose: Clearly define the purpose and scope of the cybersecurity policy.
  • Policy scope and applicability: Specify the scope of the cybersecurity policy and types of information assets covered, including the organisational units or individuals to whom the policy applies.
  • Roles and responsibilities of key stakeholders: Outline specific responsibilities related to cybersecurity awareness, incident response, risk management, and compliance.
  • Risk management framework: Define risk assessment methodologies, risk tolerance levels, and criteria for prioritising risk mitigation efforts.
  • Information security policies: Ensure that information security policies are aligned with industry standards, regulatory requirements, and best practices.
  • Data protection and privacy: Define procedures for handling sensitive information, personally identifiable information (PII), and confidential data.
  • Compliance and regulatory requirements: Establish procedures for monitoring compliance, conducting audits, and reporting on cybersecurity posture for GDPR, HIPAA, PCI DSS, and NIST cybersecurity framework.
  • Access control and user authentication: Define and establish policies and procedures for managing user access to information assets, systems, and networks.
  • Incident response and training: Establish reporting requirements for cybersecurity incidents, including incident notification procedures and communication protocols. Conduct regular training to help relevant stakeholders understand these protocols.

Could you share a successful example of how an awareness campaign helped reduce the risk of cyber-attacks in an organization?

In my experience, most cyber-attack incidents are triggered by phishing attempt(s) followed by compromising credentials to gain unauthorised access to the computer system(s) resulting in a data breach/ theft.

For our clients, we conduct regular phishing simulation exercises to test employees’ ability to recognise and respond to phishing emails.

In this exercise, with the help of the in-house cyber security team, simulated phishing emails are sent to employees, and those who fail in these simulated attacks receive immediate feedback and additional cyber security training. These exercises help raise awareness of phishing threats and encourage employees to exercise caution when responding to their emails.

Another method we also tend to deploy is by carrying out ‘cyber war games’ (also referred to as breach or attack simulations) at a client’s  premises. This involves a team of external ethical hackers that deploy advanced techniques to intrude into the organisation’s network with the in-house cyber security team defending such attempts. This helps assess the effectiveness of an organisation’s security controls/ protocols.

In addition, table-top exercises are carried out which involves scenario-based discussions with key function leads of an organisation to assess their roles and readiness to respond to a cyber incident.

Some other awareness campaigns are to conduct compromise assessments which helps organisations identify whether a compromise has occurred (or is still ongoing), assess risk and vulnerabilities, with the ability to respond effectively to future incidents.

How do you integrate intelligence gathering into cybersecurity operations to enhance threat detection and response?

By leveraging threat intelligence from various sources, to proactively identify and mitigate cyber threats before they impact an organisation’s systems and data.

Gather threat intelligence from a variety of internal and external sources, including Open-source intelligence (OSINT) from publicly available information sources such as social media, forums, and news websites.

Integrate threat intelligence feeds and APIs with existing security tools and systems, such as SIEM (Security Information and Event Management), IDS/IPS (Intrusion Detection and Prevention Systems), and endpoint security solutions.

Continuously monitor the effectiveness of threat intelligence gathering and integration efforts by adjusting the threat intelligence strategy and processes based on lessons learned, emerging threats, and changes in an organisation's risk profile.

Related Items
Media
6 MINUTES TO READ
@adgully

News in the domain of Advertising, Marketing, Media and Business of Entertainment

Related Items