
Cyber security is edging up boardroom agendas, as senior executives increasingly recognise the serious operational, financial and reputational impact a data breach may inflict on an organisation. From Bank of England's Operation Waking Shark 2, which aimed to expose vulnerabilities in the City's critical infrastructure, to the launch of a Government-backed national Computer Emergency Response Team (CERT), a mainstay of its £650 million National Cyber Security Strategy, the battle against cybercrime is being fought on multiple fronts.

It is a battle in which CIOs have a crucial role to play. Organisations are seeking greater preparedness, but the approach to tackling such vulnerabilities requires equal measures of prevention and preparation for a response – to use a real-world analogy, corporates need to take steps to prevent a fire, as well as prepare to deal with a conflagration.

A key step is one that sounds simple, but is all too rarely done: conduct an audit of the IT and physical security system. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure. The team will be looking to understand the organisation's threat profile and vulnerabilities.

Organisations should determine in advance of an incident what the chain of command will be for the incident response team. A specific executive should be nominated to lead the internal team and the external lawyers and IT consultants should be designated in advance.

However, as with any security system, there is no fool-proof way to prevent a cyber attack and preparing a response strategy is essential. A greater focus is, therefore, required on how such threats can be tackled more effectively.

After a hack is discovered, one immediate goal of the team will be to determine whether to notify law enforcement. This is not a simple decision. A hack or data breach may require a different response compared to other types of crime. In particular, incidents triggered by outsiders are likely to present a much steeper challenge to law enforcement, as the perpetrators could be thousands of miles away and using proxy servers to hide both their location and identity, greatly limiting law enforcement's effectiveness.

Moreover, law enforcement will have trouble determining the scope of the incident – what was actually taken – without detailed knowledge of the corporate IT infrastructure. Most businesses prefer to avoid giving law enforcement the unfettered access to their networks that is required to conduct such an investigation.

In my experience, most companies faced with this situation conduct a private investigation before notifying law enforcement, with three factors often driving this decision:

1. Sophisticated computer hackers rarely advertise their presence. As initial evidence may be confusing or hard to interpret, it is not always immediately clear whether any laws have been broken.

2. Hackers do not leave detailed lists of what they stole. Only painstaking reconstruction of a hacker's activities through sophisticated computer forensics can determine the scope of the offence. This forensic examination requires nearly unlimited access to secret corporate data and restricted networks, which most organisations do not want to grant to law enforcement, unless legally required.

3. It is much easier to control the public relations and communications strategy if the extent of the problem is known before going public. By handing the investigation over to the authorities, control over the timing and content of any public notification would be lost. This could prove a public relations disaster, especially since the public often blames the corporate victim for failing to prevent the incident, regardless of the facts.

Cyber risks are likely to escalate in a hyperconnected world and CIOs must work with fellow executives to develop a strategy to mitigate such threats. This requires a well-developed and regularly tested rapid response plan, ready for activation at the first signs of a breach.

Seth Berman is executive managing director and UK head of Stroz Friedberg, an investigations, intelligence and risk management company