Your organization has been breached. Now what? According to Mary Galligan, retired FBI agent formerly in charge of cyber and special operations and director in Deloitte and Touche’s security and privacy practice, that question is rarely given due consideration.
Try as it might, it is economically unfeasible for a corporation to lock down everything in its system. And many of the things that businesses do in order simply to grow and innovate, including expanding third-party relationships, M&A, and hiring additional employees, will exasperate risks.
The traditional multi-faceted approach to data protection -- security, vigilance, resilience -- has been given a skewed budget, largely allocated to security. This has left resilience, or the ability to respond to increasingly inevitable attacks, rather underdeveloped.
Galligan says today's definition of "resilience" has evolved from simply how to recover systems to full-on crisis management. At the Cybersecurity in Financial Services event hosted by Deloitte and BITS, she explained that proper communications, legal consultations, and increasingly cyber insurance have become prominent elements of resilience.
"Companies need a cyber incident response plan with detailed processes for coordinating efforts among different front-line functions, such as the general counsel's office, public relations, and the office of the CIO," she said. In the event of a data breach, the first course of action should be to alert the general counsel's office to limit legal and investigative issues down the road.
Business continuity plans "should have a far-reaching scope," she said, "and it should include follow-on scenarios that could result from an attack."
Fear corruption, not destruction
"The financial sector is also increasingly concerned about, not just the destruction of infrastructure and data, but also the corruption of it, and how that might play out differently," says Ed Powers, national managing partner of cyber risk services at Deloitte. "In this scenario, the systems are intact but unreliable. It's a question of if we can we trust the integrity of financial institutions." This raises the question of what degree of corruption is permissible in an organization, and when it stops being negligible.
Economics are also at play here, Powers says. Being able to back up a system is relatively easy, but actually reverting to that backed-up system is difficult and comes with cost and reputation ramifications.
These are undeniably important resilience issues to address in advance of a threat or disruption. After all, in the moment of attack, having executives run around in a confused panic rarely does any good.Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio