Response Library - how to respond to cyber attacks

Become a Member of Cyber Rescue for a bespoke Cyber Crisis Response Plan for your organisation. During a cyber attack, call us for succinct advice.

Cyberthreats in 2017 Webroot - Survey of 600 decision makers at SMEs - 7 pgs - 1st August 2017
A cyberattack in which customer records were lost would cost an average £737,677 for a UK SME, their IT leaders estimated.
71% of SMBs are not prepared for cybersecurity risks.
 
Cybsafe - survey of 250 IT decision-makers within SMEs that sell to enterprise - 31 July 2017
33% of small businesses that sell to enterprises have had their cyber security precautions questioned as part of winning contracts in the last year
50% of small businesses that sell to enterprises have had cyber security clauses added to new contracts in the last five years
14% of small businesses that sell to enterprises have no cyber security controls at all
69% of small businesses that sell to enterprises have cyber security training in place
 
The State of Incident Response 2017 Demisto – 34 pgs – 20th July
47% of organisations find it hard to prioritise different cyber attack alerts.
More than 40% of organisations say they are unprepared to respond to advanced attacks.
While automating incident response would provide immediate benefits, only 9% have this capability.
The main challenge for those leading attack response is having to work with a large number of information security tools.
 
Counting the cost – cyber insurance exposure exposed Lloyd’s of London and Cyence, input from over 50 experts, 56 pgs, 17th July 2017
Lloyd’s estimates insurers will receive $3bn to $3.5bn in premiums for cyber insurance in 2017, with 85% of that paid in the USA.
Successful attacks on commonly used hypervisor software implemented by cloud service providers could result in cascading outages & significant losses.
$53bn direct losses could be suffered by businesses if a major cloud service provider (eg Amazon, Microsoft, IBM) suffered an extreme outage.
 
Know the Odds - Cost of a Data Breach Ponemon - 1 pg - 20th June 2017
28% chance of suffering a material data breach, vs 0.5% chance of dating a millionaire
An experienced incident response team can help you quickly identify and contain a cyber attack
Be prepared to provide responders with logs & tools to help them understand what happened
Be prepared to quickly execute a reset of all passwords and service accounts
 
Cost of Data Breach - Annual Study Ponemon - interviews of 419 organisations in 11 countries - 35 pgs - 20th June 2017
28% chance of businesses suffering a material data breach in next 24 months
14% reduction in total cost of a breach if companies have good incident response
$225 per lost record is average cost of breach in USA, vs $123 in UK and $64 in India
$380 per lost record is average cost of breach in healthcare, vs $150 in communications & $71 in public sector
47% of breaches are caused by criminal or malicious activity; 28% by human error; 25% by system glitch
 
WanaCry Ransomware Crowdsourced Intelligence CMA = Cyber Management Alliance - contributions from over 20 individuals - 23 pgs - 16th May 2017
Lists operating systems that are affected by WanaCry (aka WannaCry aka WCry)
Speculates on attribution (who did it) and recommends technical actions
Provides advice to management on if and when to pay Ransomware
 
Economic Crime Board of the Police (CoL - UK) Agenda and Report by T/Commander Dave Clark to City of London - 30 pgs - 9 June 2017
20% rise in crimes reported to Action Fraud, at 280,706, but 5% decrease in crimes with viable lines of enquiry.
During 2016/17, City of London Police recorded a 179% increase in outcomes (partly from better recording).
Victim satisfaction with outcome of crime investigation has fallen to 55% (from 67% in previous year).
 
Cyber Insurance in USA - Market Watch Survey CIAB (The Council of Insurance Agents and Brokers) - survey of insurance brokers in USA - 15th May 2017
98% of respondents noted that capacity in market is either plentiful or increasing.
75% of respondents believe there is, for the most part, adequate clarity in the content of a cyber policy.
32% of respondents’ clients purchased at least some form of cyber coverage.
76% of those with cyber insurance have standalone policies.
$6 million is the typical cyber insurance policy limit.
 
Cyber Risk Landscape for Insurers and Insured RMS (Risk Management Solutions) - reviews 50 cyber insurance products - 47 pgs - 15th May 2017
14% growth on cyber security expenditure, from US$75 billion in 2015, to $86 billion in 2016.
Extremely low conviction rates for cyber crime perpetrators (1 in 50,000 cases).
2.6 Terabytes: the world’s largest data leak by volume took place in April 2016
Yahoo! twice breaks the record for the largest number of personal records compromised (2013, 2014).
The global cyber insurance market is predicted to reach $7.5 billion by 2025.
 
Latest statement on international ransomware cyber attack NCSC - UK's national focus is on two lines of defence - 14th May 2017
Guidance for Organisations: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware
Guidance for Individuals: https://www.ncsc.gov.uk/guidance/ransomware-guidance-home-users
 
A broker guide to selling cyber insurance AIG - CyberEdge (r) Playbook - 15pgs - 12th May 2017
78% rise in average cost of a data breach over the last 8 years: now £2.53m
209 days is the average time from initial infection to discovery of breach
Gives examples of SME Claims on Cyber insurance, ranging from £48k to £105k
Types of claim paid by AIG: Ransom (16%); Breach (14%); Unauthorised access (10%); Other (60%)
 
Australia's cyber security strategy ASPI - 44 pgs - 10th May 2017
“cyber health checks” the next step towards Australia’s stronger private sector cyber defence.
Leading by example! The Australian government ‘raises the bar’ on meeting cyber security standards.
First annual assessment report reveals serious lack of transparency around delivery timelines.
In urgent need of a coordinated communication strategy for any cyber incident that may arise.
Greater government support for mid-tier and small to medium enterprises.
 
Transatlantic Cybersecurity Report EU & US Chamber of Commerce - Report 41 pgs - 8 May 2017
The report lays out 9 steps to strengthen transatlantic cyber security
EU and the United States make up the two largest economies in the world
The report lists a number of initiatives that all strengthen EU - US co-operation
 
Launch of Free Services to protect London's Businesses LDSC - Press Release - 2nd May 2017
London Digital Security Centre (LDSC) was founded by Mayor of London, Metropolitan Police and City of London Police
LDSC Membership scheme is initially aimed at those employing up to 249 employees, with plans to extend its reach by next year.
LDSC's first partner is SecurityScorecard, to provide security ratings to all London businesses
Deputy Mayor for Policing & Crime said: LDSC provides 1-stop shop to help businesses use technology to develop & grow
 
Why are so few women working in Cyber? Frost & Sullivan + (ISC)² 22 pgs, 27th April 2017
Percentage of women in sector unchanged since 2013.
11% of the information security workforce are women (14% in America, 7% in Europe)
51% of women working in information security experienced discrimination (vs 15% of men)
Women earn less than men in every level of the information security workforce
 
Global Cyber Risk Transfer Comparison Report Ponemon - survey of 2,168 involved in their company’s cyber risk management - 25th April 2017
The impact of business disruption to cyber assets is 72% greater than to property, plant and equipment (PP&E) assets.
The probable maximum loss from cyber assets is 27% higher than from PP&E assets.
Organizations insure on average 59% of PP&E losses, compared to an average of 15% of cyber exposures.
 
ISO/IEC 27035:2016: Security incident management The ISO process for managing information security events, incidents & vulnerabilities.
Managing incidents effectively involves detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts, gather forensic evidence (where applicable) and in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS, typically by improving the preventive controls or other risk treatments.
 
What don't you know about Cyber Security? Five Questions every Board Member should ask:
1. What procedures do you have in place to manage a breach?
2. Have you tested your preparedness plans?
3. Do customers understand your data collection and usage practices?
4. How do you decide how much to invest in security - and where?
5. Are you educating employees on the best cybersecurity practices?
 
Evolution of Security Skills CompTIA - Skills needed to mitigate cyber risks - April, 2017
Between 18% and 32% of companies say they need significant improvement to existing security expertise.
For technical workers, 60% of companies use training to build security expertise, and 48% pursue certifications.
33% of companies say that security is a significantly higher priority for them today than it was two years ago.
49% of companies expect that security will be a significantly higher priority in two years than it is today.
 
Cyber Readiness Report Hiscox: Survey of over 3000 Businesses - 26 pages - 7th February 2017
55% of US businesses say they have cyber insurance vs 36% in UK and 30% in Germany
86% of experts agree that employee training has reduced the number of cyber incidents
45% of UK firms do not believe that a cyber insurance policy is relevant for them
91% of companies view cyber security to be a top priority at the board and C-level
 
Protecting information across government UK Parliament: Public Accounts Committee - 69 pgs - 2nd Feb 2017
Parliament calls for "detailed plan" for new National Cyber Security Centre.
Says that Data Breach recording processes are "inconsistent and dysfunctional".
Says UK Government taking too long to consolidate the 'alphabet soup' of agencies that protect Britain.
Cabinet Office "places too little emphasis on supporting citizens and service users beyond Whitehall".
Notes that Britain is below Brazil, South Africa & China at keeping phones & laptops secure.
 
Advancing Cyber Resilience with the Board World Economic Forum - 40 pgs - 18th January 2017
Internal and external cyber preparedness audits should be performed periodically and reported to the board.
The board should have visibility of how the stated risk appetite is being applied in business decision-making.
Cyber resilience is a leadership issue.
 
Strong Authentication - 8 Key Principles for Policymakers Chertoff Group - 16 pgs - February 2017
(1) Have a plan. (2) Recognise security limitations. (3) Authentication must be easy to use. (4) Old barriers to strong authentication no longer apply. (5) Solutions must support mobile. (6) Privacy matters. (7) Biometrics must be applied appropriately. (8) Focus on standards and outcomes.
 
A strategic cyber roadmap for the Board Harvard Law School - 9 graphics on 1 page - 12th January 2017
Phase I – Know the Basics
Phase II – Oversee Preparedness
Cyber-risk management is everyone’s responsibility
Company’s best practices also for CISO engagement with law enforcement, industry peer groups and government
Board organisation is a function of depth of experience in cyber-risk
 
Cyber Risk Oversight - Director's Handbook NACD (National Association of Corporate Directors) - 12th Jan 2017
80% of black-hat hackers are affiliated with organized crime
48% of cyber breaches result from criminal or malicious attacks
38% of IT organizations lack a defined cyber breach response plan
48% of IT security professionals do not inspect the cloud for malware
53% of cyberattacks are first identified by third parties and 47% internally
 
 
Framework for Improving Critical Infrastructure Cybersecurity NIST (National Institute of Standards and Technology) - 61 pgs - 10th January 2017
Proposes enhancements to best practice response to cyber attacks, including:
Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes.
Access Control Category has been refined to account for authentication, authorization, and identity proofing.
New section on Demonstrating Cybersecurity, eg correlation of business results to cybersecurity risk management.
 
CYBERscape 2017 Momentum Partners - 104 pgs - 10th January 2017
Includes mapping of cyber vendors in 16 categories
Describes operating metrics of fastest growing vendors
 
Helping Boards meet their cyber responsibilities KPMG - 15 graphics on 1 page - 7th Dec 2016
25% of CEOs regarded their organisation fully prepared for a cyber event.
Boards have duties to both internal and external parties.
The 5 step Cyber in the Boardroom methodology aims to assess present state and develop key risk indicators.
Investment in security awareness works as a force multiplier in an organisation’s security plan.
 
Cyber Security Annual report TAG Cyber (The Amoroso Group) - 388 pgs - 2nd November 2016
Written for hardcore CISO team members, includes vendor mapping.
CISOs must focus on 4 areas: compliance, technology, architecture & innovation.
Groups 50 security into 6 groups: Perimeter, Network, Endpoint, Governance, Data & Industry.
 
UK National Cyber Security Strategy HM Government - 84 pgs - 1 November 2016
Strategy to spend £1.9bn to support Vision for 2021 "that UK is secure and resilient to cyber threats"
"From the most basic cyber hygiene, to the most sophisticated deterrence, we need a comprehensive response."
Three Objectives: to Defend against threats, to Deter aggression and Develop cyber security industry.
UK Government will use forthcoming (EU) GDPR to drive up standards of cyber security.
Key Vulnerabilities: poor cyber hygiene, insufficient training, unpatched systems.
Police will expand efforts to identify, anticipate and disrupt cyber criminals.
Cyber Essentials for 5 controls: access; boundary firewalls; malware protection; patch management; secure configuration.
 
Is your company ready for a Big Data Breach? Ponemon - survey of 619 executives, privacy and IT specialists in USA - 5th October 2016
80% of USA executives say their data breach response plan would be more effective if practiced more often.
60% of USA executives say their data breach response plan would be more effective if supported by a dedicated budget.
34% of USA executives say their Board understand the specific security threats facing their organization.
27% of USA executives are confident they can minimize financial & reputational harm from a data breach.
26% of USA executives say their Board is prepared to take responsibility for incident response plan.
13% of USA executives are very confident they can respond effectively to international data breach.
 
Cyber Claims on Insurance Study NetDiligence - 56 pgs - 17th October 2016
Analyses 176 data breaches that were covered by cyber insurance in the USA.
The average total breach cost was $665K, with an average payout for Crisis Services of $357K.
80% of breaches cost between $5,822 and $1.6M (ie excluding the cheapest and most expensive).
The average claim for a large company was almost $6 million.
The average claim in the Financial Services sector was $1.8 million, while the average claim in the Healthcare sector was $717K.
 
ISO 27001: International Standard for Info Security Management Systems Analysis of how many organisations have adopted ISO 27001 - October 2016
20% increase over 12 months in number of organisations worldwide with ISO 27001 - total is now 27,536
90% increase over 12 months in number of organisations in USA with ISO 27001 - total is now 1,247
Japan has 8,240 organisations certified for ISO 27001 - that's 30% of global total
The UK has 2,790 organisations certified for ISO 27001 - that's 10% of global total
The ISO standard for Business Continuity is growing much faster (78% pa) than for Info Security (20% pa)
 
Governor CyberSecurity Dashboard Michigan State Board - 1 pg - 30th September 2016
Malware from internet activity on the rise since last month
Cybersecurity awareness and cyber culture remains operational
 
Cyber Attack Survival Guide Financial Times - Maija Palmer & Owen Walker - Online - 21st September 2016
It took TalkTalk 36 hours after discovering the hack to release a statement saying it had been attacked.
Most hacks follow warnings that were overlooked: emailed tip-offs that were never read, phone calls that were ignored.
Having an incident team makes the biggest difference in reducing the cost of an attack.
An attack "always seems to happen at the start of a long weekend and no one is around."
"You are actually wetting your pants at this point. Your goal was to prevent something like this happening."
The average tenure of a CISO at a company is a little more than two years.
 
Safe & Secure - Protecting London's data Gareth Bacon - London Assembly - 11 pgs - 31st August 2016
In London, the cost to the economy from security breaches is about £36 billion per year.
By March 2016, 2,181 Cyber Essentials & Cyber Essentials Plus certifications had been issued (ie to <1% of organisations).
A ‘Mayoral Standard’ for cyber security could potentially help all organisations in London.
 
Advancing Small Business Cyber Maturity Mark Tomlin - 102 pgs - Stored on Dropbox - 24th August 2016
There is no silver bullet to the cyber problem.
Cyber security often sits at the bottom of the priority list.
Proposes a proportionate, automated "Small Business Cyber Assessment Maturity Assessment Tool" (Chapter 6)
 
Joint investigation of Ashley Madison Privacy Commissioner of Canada and the Australian Privacy Commissioner - 40 pgs - 23 August 2016
Press Release: "The company went so far as to place a phoney trustmark icon on its home page to reassure users."
 
Malicious Email Mitigation Strategies Australian Cyber Security Centre - 11 pgs - 31 July 2016
Excellent protections against malicious email attachments: whitelisting, filtering, converting, analysing & sanitising before opening.
Minimum protections against malicious email attachments: blacklist on file type & extension & virus scanning before opening.
Mitigate risks to your company systems by blocking use of non-authorised third party email services
Minimum method for verifying email senders: implement spam blacklists
Best protection for verifying email senders: implement DMARC
 
Hackers: Fake or real? Adrian Crawley - Radware - 1 pg - 2nd August 2016
In May 2016 we detected an exponential increase in the number of ransom letters being sent.
Around one in three organisations has experienced a ransom attack.
There are a number of indicators that will help you spot a fake ransomware demand.
 
Building an Effective Incident Response Plan Rishi Bhargava - VP Marketing at Demisto - 1 pg - 29th July 2016
The 5 W’s of a comprehensive incident response plan: Who, When, What, Where, Why
Top 10 Steps to an effective incident response plan, includes "Conduct table top exercises"
 
Presidential Policy Directive - USA Cyber Incident Coordination President Barack Obama PPD 41 - 2,258 words - 26th July 2016
The PPD defines for the first time what constitutes a "significant cyber incident" triggering a federal response.
The PPD delineates between “Threat responses” and “Asset responses.”
“Threat response” involves investigating the crime, so federal law enforcement leads (DoJ, through FBI & NCIJTF).
“Asset response” involves forensics and remediation, so Homeland Security leads (DoHS, through NCCIC).
Evaluation of cyber threats to be led by Director of National Intelligence (through CTIIC).
Department of Homeland Security to lead the effort to write the National Cyber Incident Response Plan.
Prevention and management of cyber incidents is a shared responsibility among the government, private sector, and individuals.
 
No More Ransomware Europol, Dutch National Police, Intel Security & Kaspersky Lab - 25th July 2016
718,000 users were attacked by crypto-ransomware in 2015-2016, up 5.5 times on previous year.
Launch of new tool containing 160,000+ keys will help victims to retrieve their data.
 
CyberSecurity - Protecting your future Robert Half - 100 interviews with UK CIOs and CTOs - 16 pgs - 12th July 2016
77% of UK CIOs say they will face more security threats in the next 5 years due to a shortage of IT security talent.
Top security concerns of UK CIOs: Data Abuse & Integrity (60%), Cybercrime (54%), and Spyware/Ransomware (39%).
Staff with skills in cloud security (51%), IT security technologies (47%), and big data analytics (37%), are the most in demand.
 
How to protect your networks from Ransomware US Government - 10 pgs - 11th July 2016
300% increase in number of ransomware attacks in the last year.
What to do if infected with Ransomware: Isolate, Secure Back-up, Contact Law Enforcement.
 
UK National Data Guardian for Health: Review of Data Security, Consent & Opt-Outs Dame Caldicott - 60 pgs - 6th July 2016
41% of all breaches reported to the UK ICO were from the health sector.
The leadership of every [health] organisation should demonstrate clear ownership and responsibility for data security.
Ensure staff are equipped to handle information respectfully & safely, according to the Caldicott Principles.
Ensure the organisation proactively prevents data security breaches & responds appropriately to incidents or near misses.
Where malicious or intentional data security breaches occur, the Department of Health should put harsher sanctions in place.
Have a continuity plan to respond to significant data breaches, and test once a year as a minimum.
 
EU launches partnership for €1.8 billion investment against cyber threats The EU will invest €450 million in this partnership, under its research and innovation programme Horizon 2020.
The Commission will propose how to enhance cross-border cooperation in case of a major cyber-incident.
80% of European companies experienced at least 1 cybersecurity incident over the last year.
 
Cyber Resilience Report 2016 Business Continuity Institute (BCI) - 369 respondents in 61 countries - 29th June 2016
Top causes of Cyber Disruption: 61% Phishing, 45% Malware, 37% Spear Phishing, 24% Denial of Service, 21% Old Software.
Some respondents cited that they only came to know about a disruption through law enforcement & the media.
19% of respondents report it takes over 4 hours for their organisation to respond to a cyber incident.
7% of respondents estimated the cumulative cost of cyber incidents at over €250k.
66% of respondents report at least 1 cyber incident in last 12 months.
 
Cyber Security: Protection of Personal Data Online UK - House of Commons - CMS Committee - 29pgs - 20th June 2016
285 "breach notifications" at UK Telcos were reported to the Information Commissioner in last year
30 staff at UK's Information Commissioner handle 1,000 "cases" plus 200,000 "concerns" per year.
It is appropriate for the CEO to lead a crisis response, should a major attack arise.
A portion of CEO compensation should be linked to effective cyber security.
Businesses need to see security breaches as an inevitable part of being in the digital economy today.
The person responsible for cyber-security should organise realistic management plans and exercises.
 
Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA U.S. Department of Health and Human Services - 34 pgs - 17th June 2016
mHealth services often aren't covered by Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Innovation in health has led to "Non Covered Entities" that collect, share & use health info without being regulated by HIPAA.
Only 6% of free health apps and 15% of paid health apps always use encrypted SSL connections when sending data to 3rd parties.
mHealth has been projected to be a $60 billion worldwide financial opportunity.
In 2014, only 30.5% of 600 mHealth apps studied had a privacy policy.
 
CEO's Guide to CyberBreach Response AT&T - 24 pgs - 13th June 2016
25.2% of organisations experienced significant negative impact from a breach last year.
34% of organizations believe they have an effective incident response plan, & 9% update it at least twice a year.
6 Core Components of Incident Response, including to Define all breach scenarios & to create response templates.
Post-breach response is often an all-hands-on-deck affair involving the C-suite, IT, security, legal, comms, & other teams.
Communication that focuses on helping customers (Vs describing the problem) limits media interest.
Poorly coordinated incident response activities may cause more damage than the breach itself.
Log data is vital as it helps forensic experts perform post-breach investigations.
 
Internet access block for public servants 'absolutely necessary' Prime Minister Lee Hsien Loong, commenting on "Internet Surfing Separation" initiative - 9th June 2016.
100,000 computers used by Civil Servants in Singapore to be disconnected from Internet by May 2017.
New move by Infocomm Development Authority of Singapore described by PM as “a nuisance... , it’s inconvenient but it’s doable.”
"Are we happy? I don’t think so... . But in terms of security... , it’s absolutely necessary."
 
A proactive C-suite can reduce cyber-risk The Economist Intelligence Unit - Survey of 300 CISOs & CIOs worldwide - 2nd June 2016
53% reduction in growth of cyber attacks & breaches achieved by companies with a proactive C-suite
A proactive C-Suite will "actively monitor external threats and mobilise the entire workforce to stave off attacks."
53% reduction calculated as: proactive companies suffered growth in cyber breaches of just 9.8%, vs 21.1% at worst firms
 
UK National Cyber Security Centre - launch prospectus HM Government - UK - 12 pgs - 25th May 2016
Cyber is a Tier One threat to the UK's national & economic security.
The new National Cyber Security Centre will launch in Autumn 2016, led by Ciaran Martin, reporting into GCHQ.
The NCSC will run the UK's Cyber Security Information Sharing Partnership (CiSP).
The NCSC will include Centre for the Protection of National Infrastructure (CPNI), CERT-UK & the Centre for Cyber Assessment.
 
Cyber and the City TheCityUK and Marsh - 36 pgs - 17th May 2016
Includes map of the 31 organisations fighting cyber threats to Financial Services in the UK.
"Surveys say average annual cost of cyber crime to large firms is £1.5m – £3m, but this is likely to be far short of the actual cost."
Recommended Check-List for Board: #1 - The main cyber threats for the firm have been identified and sized.
Recommended Check-List for Board: #8 - Preparations have been made to respond to a successful cyber attack.
"We propose that the financial sector sets up a Cyber Forum comprising a steering group of Board level cyber risk owners."
"The City should work on systemic cyber risk reduction: infosharing, risk aggregation & sector resilience."
 
NIST Cyber Security Framework NFPPC (National Forum for Public Private Collaboration) - 1 pg - May 2016
Summary of NIST (National Institute of Standards & Technology) Cyber Security Framework
Mapping into 5 main categories: Identify, Protect, Detect, Respond, Recover.
 
Cyber Insurance Market Watch Survey The Council of Insurance Agents and Brokers (USA) - 6 pgs - 26th April 2016
The price for cyber insurance varies dramatically by industry and size of organisation.
The nature of cyber risk is man-made and constantly changing in order to overcome cyber defenses.
Cyber coverage continues to be written with vastly different definitions, terminology, limits, endorsements and exclusions.
Cyber Insurance: "It is too difficult to compare offerings, coverage enhancements and exclusions with too many carriers."
16% of companies in the USA purchase stand-alone cyber insurance, plus another 8% that buy "very limited" embedded coverage.
 
Guide to developing a data breach response plan Australian Government - Information Commissioner - 9 pgs - April 2016
Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response.
A quick response [to a data breach] can substantially decrease the impact on the affected individuals.
Implementing a data breach response plan can assist in mitigating the [significant] costs [of a data breach].
 
Example Data Breach Response Plan Australian Government - Information Commissioner - 4 pgs - April 2016
There is no single method of responding to a data breach.
Some data breaches may be minor, and dealt with without action from the Data Breach Response Team.
4 key steps: contain breach & assess; evaluate risks for individuals; consider breach notification; review and learn from incident.
 
Cyber Defense Matrix Sounil Yu - 27 pgs - 6th April 2016
Mapping of vendor landscape on two dimensions.
Asset classes: Devices, Apps, Networks, Data, Users.
Operational Functions: Identify, Protect, Detect, Respond, Recover.
 
Cyber Security Response in the cloud Microsoft Azure - 13 pgs - April 2016
Microsoft uses a shared responsibility model in the Azure services to define security and operational accountabilities.
In the event of a declared security incident, notification by Microsoft will be made without unreasonable delay and in accordance with any legal or contractual commitments. Customers should recognize that an exercise balancing between accuracy / completeness and speed takes place.
 
Data Breaches - Insurance and How Organizations Manage Advisen and ID Experts - Survey of 203 American Risk Managers - 17 pgs - March 2016
81% of US companies that have bought cyber insurance have never filed a claim on it (pg 15)
75% of US companies have developed an incident response plan but only 42% have tested it (pg 3)
45% of US companies believe their company has adequate resources to detect all breaches (pg 3)
 
Incident Response and Cyber Crisis Cooperation ENISA (European Union Agency for Network and Information Security) - 35 pgs - March 2016
A Cyber Crisis is a serious threat to structures, values & norms that - under time pressure & highly uncertain circumstances - necessitates making vital decisions.
Cyber Crisis Management has 5 steps: Sense-making, Meaning-making, Decision-making, Termination, Learning (Fig 3).
Cyber Crisis Management has 3 levels: Technical (eg detection, forensics & remediation), Operational (eg threat analysis and mitigation), Strategic (eg to invoke contingency plan and public communication).
The typical Incident Response process has 15 steps (see Fig 1)
 
Data Security Incident Response Survey BakerHostetler - lessons from 300 incidents in 2015 - 15 pgs - March 2016
52% of breaches are self-detected, 48% notified by a 3rd party
Cause of breach: 31% hacking; 24% employee mistake; 17% external theft; 14% Vendor; 8% internal theft; 6% lost.
Average time to discovery of breach: 69 days (114 days in health, and 46 in all other sectors)
43 days is average duration of external Forensics investigation.
40% of suspected breaches investigated by BakerHostetler required Notification of consumers.
53% of Breach Notifications included an offer of Credit Monitoring, which was taken up by 10% of those consumers.
 
Return Path - 14 pgs - Analysis of 1,000 brands in 33 countries - February 2016
DMARC can significantly reduce instances of phishing or spoofed emails.
24% increase in DMARC implementation in last 12 months, but 71% of brands still don't use it.
The sectors that care most about preventing Phishing are in Social Media & Tech, where >50% of firms use DMARC.
The sector that cares least about preventing Phishing is Healthcare, where <20% of firms use DMARC.
Germany seriously lags in using DMARC to protect consumer email accounts from spoofing and phishing.
 
Rail Cyber Security - Guidance to Industry (UK) Department for Transport (DfT) - 39 pgs - February 2016
Effective cyber security is reliant on full engagement at all levels of an organisation.
DfT may hold some governance over cyber incident handling, dependent on the size and nature of the event.
UK Government wants to encourage use of US NIST cyber security framework with critical infrastructure.
Railway systems are becoming vulnerable to cyber attack due to the move to Commercial Off The Shelf (COTS) components.
The PERA model provides a reference model for understanding cyber systems at an enterprise level.
Failure to make systems secure might contravene regulatory safety requirements.
Priorities in the event of an attack: safety of people is the highest priority. This overrides all other considerations.
We recommend that you put in place a regular exercising programme for cyber related incidents.
 
IT Security Spending Trends SANS Institute - Survey of 169 staff involved in IT and security budgets - 23 pgs - February 2016
Main drivers to spend in InfoSec: Protect sensitive data (63%); Regulatory compliance (56%); Reduce breaches (31%).
Most effective justifications for InfoSec budgets: ensure regulatory compliance, enable business objectives.
Financial Services companies tend to give largest share of IT Budget to Security (7% to 12%).
Education organisations tend to give smallest share of IT Budget to Security (1% to 4%).
The most effective area of InfoSec to invest in is "Access and Authentication".
Global spend on InfoSec was $75.4 billion in 2015, up 4.7% over 2014.
Only 22% of the companies benchmark their security effectiveness.
 
Critical Security Controls your IT Director should have implemented SANS Institute - mapping the 20 layers of IT Defense - January 2016
 
How To Run A Data Breach Fire Drill Law360 - 4 pgs - January 2016
 
Data Protection Laws of the World DLA Piper - 425 Pgs - January 2016
 
EU General Data Protection Regulation Final Compromise on new law for data breach etc - 209 Pages - December 2015
 
Data Breach Response Webinar BABC - Bradley Arant Boult Cummings - 1 hour - December 2015
 
Report on National and International Cyber Exercises ENISA - 32 pgs - December 2015
"Twice as many large cyber exercises in 2015 vs 2013"
 
2016 Global Privacy Handbook - Laws Baker and McKenzie - 832 pgs - December 2015
 
Proposal for European Cybersecurity Flagship European Organisation for Security (EOS) - 9 pgs - November 2015
Call to support strategy for a "Smart & Secure Digital Europe"
Market for Cybersecurity is €70 billion, with €24 bn in North America growing at 8% pa, & €18 bn in EU growing at 6% pa.
Aims to address 4 challenges in cyber activities across EU: information sharing, standards, trusted entities and industrial base.
 
Using Cyber Insurance as a Risk Management Strategy SINTEF - 24 pgs - 11th November 2015
Cyber-insurance products are still relatively immature.
"Products are untested, pricing appears arbitrary and experimentation in contract writing is commonplace."
There were in Europe in 2012 only nine insurers with specialized cyber-insurance, compared to 30-40 in the US.
52% of businesses that don't plan to buy cyber insurance say it's because “Premiums are too expensive”
44% of businesses that don't plan to buy cyber insurance say it's because “Too many exclusions, restrictions & uninsurable risks.”
"Actuarial data for the cyber-insurance market is missing and unlikely to be available in the near future."
Major cost items in the Ponemon study seem not relevant for the claims payouts surveyed by the NetDiligence study.
 
Training on Cyber Response Corpress - 16 pgs - November 2015
 
Cybersecurity Incident Response - Planning is just the beginning Grant Thornton and FERF - 8 pgs - November 2015
 
How to Prepare for a Breach Rapid7 - 6 Pgs - November 2015
 
PR Case Study on TalkTalk PR Week - 1 Pg - November 2015
 
Data Breaches - What is the Marketers Role Liisa Thomas - Winston and Strawn - 18 Pgs - November 2015
 
Unprepared pay more for cyberattacks Grant Thornton - 4 pgs - November 2015
 
Global Cyber Security Ecosystem ETSI - Anthony Rutkowski & Carmine Rizzo – Version 1.1.1 - 54 Pgs - 17th November 2015
Lists 850 organisations promoting 5 cyber security actions (Identify, Protect, Detect, Respond, Recover).
Highlights 70 standards bodies, 36 developer forums, 15 information hubs, 9 centres of excellence.
Describes the national cyber security system in 64 countries.
 
Digital Security Risk Management OECD - 74 pgs - October 2015
 
Breach Response - Making the right choice NPC Immersion - 10 pgs - October 2015
 
Data Breach Preparedness Study Experian - Ponemon - 38 pgs - Oct 2015
 
Best Practices for Cyber Response Lifars Cyphort - Video - 55 mins - November 2015
 
Guidance to 25m breached Federal Employees US Government OPM - Cybersecurity Resource Center - October 2015
 
Cyber Crime - Help the Police TechUK - 28 pgs - October 2015
Of the 248,200 cyber crimes reported to Action Fraud last year, 28% are investigated, and 5% lead to judicial action.
Two thirds of small and medium sized businesses (SMEs) do not consider themselves to be vulnerable to an attack.
TechUK recommends that Diagnostic Question Sets are developed for police officers to use with victims of cyber-crime.
The UK National Cyber Security Programme (NCSP) allocates £30m per year to combating cyber-crime.
 
Guide to developing a data breach response plan Australian Government - 8 Pgs - October 2015
 
Cyber Security Playbook FireEye - 19 pgs - October 2015
 
Making DDoS Mitigation part of your Incident Response plan Akamai - Denial of Service - 5 pgs - October 2015
 
Plan now to use offband communications during Incident Response DLA Piper - 3 pgs - October 2015
"Do you mind if the attackers follow along with your Incident Response Plan playbook?"
 
The Top 10 Tips for Building an Effective Security Dashboard Tripwire - on-line resource - 23rd Sept 2015
(1) Make It Relevant to the Audience. (2) Sell Success, Not Fear. (3) Be Brief. (4) Use Visualizations. (5) Allow Data to Be Drilled. (6) Show Trends. (7) Make it customisable. (8) Keep it Web-Based. (9) Check the Information Before It Is Presented. (10) Benchmark Yourself to Your Peers in the Industry.
 
Incident Response - Brochure BoozAllen USA - 2 pgs - Sept 2015
 
7 Things To Do If Your Biz Is Hacked Rapid7 - 2 pgs - Sept 2015
 
Responding to a Data Breach PCI Security Standards Council - 3 pgs - Sept 2015
 
Annual Privacy Governance Report IAPP - EY - 142 pgs - September 2015
 
Cyber Claims on Insurance Study NetDiligence - 48 pgs - September 2015
The 160 cyber claims analysed for this report represent about 5% of all cyber insurance claims in 2012-2015.
Having access to preferred vendor panels with pre-negotiated rates... significantly reduces the cost of breach response.
The median (mid-point) claim on cyber insurance is $76,984, while the mean average claim is $673,767.
For each data record lost, the median cost is $13, while the mean average is $964.
Of the $75.5m claimed, 78% went on Crisis Services, 8% on Legal Defense, 9% on Legal Settlements, & 4% for Fines.
The Crisis Services most often claimed for: Legal (73%), Forensics (59%), Notification (46%), Credit Monitoring (42%) & PR (9%).
 
Achieving Cyber Resilience AIG - 6 pgs - September 2015
 
Cybersecurity Guide for Directors Dentons - 12 pgs - September 2015
 
Incident Response Capabilities Needed McAfee - 21 pgs - August 2015
 
Cost of Phishing & Value of Employee Training Ponemon – Wombat – Survey of 377 IT and IT security practitioners in USA - August 2015
95% say Phishing compromised credentials (eg cryptographic keys & certificates) in last 12 months
Return on Investment in Phishing Training is Fifty Fold, ($184 per $3.69 spent on each employee)
1.6% likelihood of business disruption due to weaponized malware in next 12 months
0.9% likelihood of business disruption due to credential compromise in next 12 months
0.4% likelihood of data exfiltration due to credential compromise in next 12 months
64% reduction in employees who would fall victim to phishing scams after training
 
Incident Response Survey of 500 IT Professionals SANS - Alienvault - 22 pgs - August 2015
 
There's a breach, now what? RSA - 25 pgs - July 2015
 
Reputation & Crisis Management for the Enterprise Sprinklr - 19 pgs - July 2015
Very often, in a crisis, people will add fuel to the fire by filling in gaps with rumors, suspicions, or what they think went wrong.
People want to hear from people, not brands. This is especially true in the event of a crisis.
Activate the key audience segments that care about your brand to defend you.
Guide your employees in their effort to speak up for the company.
There are two types of crises: Flash Fires and Rolling Disasters.
In a Rolling Disaster crisis, [pre-scheduled] tweets can be deemed inappropriate.
 
Cyber Security Logging and Monitoring Guide Crest - 60 pgs - July 2015
 
Cloud Service Security - Assume Breach Microsoft - 47 pgs - July 2015
 
Cyber Insurance - Considerations when buying Keeling Law - 27 pgs - June 2015
To buy $1m cyber insurance costs $5k to $25k for a medium sized company
The number of companies buying cyber insurance has grown about 30% per year since 2012
Cyber policies might not pay out if: claim is delayed, breach actually occurred before cover purchased, employee negligence, failure of insured to adhere to minimum required security practices.
 
Cyber Security Training for Procurement Professionals HM Government (BIS & DCMS) and CIPS - 2 hours - June 2015
"Assess your suppliers' cyber security stance meets your needs"
 
CFO Role in CyberSecurity GrantThornton - 24 pgs - June 2015
 
CSIRT - Academic Review of Response Teamwork Pfleeger - 38 Pages - June 2015
 
CSIRT - Academic Review of Response Teams Skierka - 28 Pages - May 2015
 
Cost of Data Breach - Impact of Business Continuity Management Ponemon and IBM - 19 pgs - May 2015
 
In A Flash - A Training Lesson in CyberSecurity DLA Piper - Trailer - May 2015
 
In A Flash - A Training Lesson in CyberSecurity DLA Piper - 38 Pgs - May 2015
 
PR - Managing Customer Perceptions in an Information Security Crisis Waggener Edstrom - 20 pgs - April 2015
 
Confronting Complexity in Managing a Cyber Crisis BoozAllen - 12 pgs - April 2015
 
Cyberdata breach response checklist DLA Piper - 11 Pgs - April 2015
 
Cyber Insurance - How much do Universities in USA buy University Risk Management and Insurance Association - 3 pgs - April 2015
 
Breach Readiness eBook RSA EMC - 12 pgs - April 2015
 
Cyber incidents - Victim response and Reporting Cybersecurity Unit of DoJ USA - 15 pgs - April 2015
 
Cyber Readiness - Breach Response Simulation Exercise Pinsent Mason - 8 pgs - April 2015
 
CSIRT - Maturity Toolkit Dutch Government Recommendations - 18 Pages - April 2015
 
Insurance 2020 & beyond PWC - Includes survey of 806 insurance industry participants from 54 countries - 20 pgs - 23rd March 2015
Annual gross written premiums for Cyber Insurance were around $2.5 billion in 2015.
Annual gross written premiums for Cyber Insurance will be around $7.5 billion in 2020.
The insurance industry’s global cyber risk exposure was around $150 billion in 2015.
Lloyd’s is concerned that cyber risk may not be being properly priced for, nor the exposures adequately quantified.
In the UK in 2015, only 2% of companies had standalone cyber insurance.
A cyber breach has a long and unpredictable tail.
Some common conditions, eg state-of-the-art data encryption or 100% updated security patch clauses, are difficult for any business.
 
Guide to Data Protection ICO - Information Commissioners Office UK - 131 pgs - March 2015
 
Cyber Threat Defense Report CyberEdge Group - 41 pgs - March 2015
 
Notification of PECR Security Breaches for Telcos and ISPs ICO UK - Information Commissioners Office - 13 pgs - March 2015
 
Cyber Security Report Francis Maude - UK Government and Marsh - 32 pgs - March 2015
81% of large businesses & 60% of small businesses suffered a cyber security breach in the last year
52% of CEOs believe that they have cover, but less than 10% actually do
Cyber insurance is priced to reflect type of activity, # of personal records and staff, turnover, & IT maturity
>60% of cyber incidents reported to insurers are accidental, but >50% of high-severity losses stem from attacks.
 
Insights into Incident Response FireEye [Subscription needed] - Webinar - 43 slides - March 2015
 
Overview of Digital Forensics ISACA CSX - 14 pgs - March 2015
 
Data Breach Response Readiness - Husch Blackwell - 5 pgs - March 2015
"There are 10 activity channels for Breach Response."
 
Sensitive Data Handling Toolkit Workflow Data Breach Response for Universities in USA - 4 pgs - Feb 2015
 
Strategies to Mitigate Targeted Cyber Intrusions Australian Government - Department of Defence - 3 pgs - February 2014
At least 85% of the targeted cyber intrusions could be prevented by following the Top 4 mitigation strategies listed:
1. use application whitelisting to help prevent malicious software and unapproved programs from running
2. patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
3. patch operating system vulnerabilities
4. restrict administrative privileges to operating systems and applications based on user duties.
 
Data Breach Response Workflows King Spalding - 35 pgs - Feb 2015
 
Data Breach Notifications Guide Liisa Thomas - 776 pgs - February 2015
 
Cyber Crime Overview and Sources of Support RISCAuthority and CRIF - 14 pgs - February 2015
 
Data Breach Readiness Guide Online Trust Alliance OTA - 40 pgs - February 2015
 
Executive Breach Response Playbook HP - 12 pgs – Jan 2015
 
10 Steps to Cyber Security CESG - GCHQ - UK Government - 16th Jan 2015
Defining and communicating your Information Risk Management Regime mapping is central to your cyber strategy.
 
What to do if compromised - Credit Card Acquirers and Issuers Visa Europe - 30 pgs - Jan 2015
 
Breach Preparation - Plan for the Inevitability of Compromise Bit9 - 10 pgs - Dec 2014
 
Cyber risk challenge and the role of insurance CRO Forum - 48 pgs - December 2014
 
Incident Response AlienVault - 48 pgs - December 2014
 
Cyber Crisis Cooperation and Management ENISA - 60 pgs - November 2014
 
The Breach Combat Manual HB Litigation Conferences - NetDiligence Cyber Risk - October 2014
 
How to Tell Data Leaks from Publicity Stunts Krebs on Security - 2 pgs - October 2014
 
Incident Response Playbook AlienVault - SANS - Webinar - 60 minutes - August 2014
 
Data Breach Best Practices LifeLock - 3 pgs - August 2014
 
Restoring Trust in IT Systems after a Data Breach TripWire - 21 pgs - July 2014
 
Cyber Risk Oversight - Director's Handbook ISA NACD AIG - 64 pgs - June 2014
 
Data Breach Preparedness InsureTrust and Fletcher Media - 57 pgs - June 2014
 
Protecting personal data in online services ICO - Information Commissioners Office UK - 47 pgs - May 2014
 
Make Denial of Service Mitigation part of your Incident Response plan Akamai - DDoS - 6 pgs - April 2014
 
Three Phases of Securing Privileged Accounts CyberArk - 8 pgs - April 2014
 
Guide for Managers of e-Crime Investigation ACPO (UK Police) - 117 pgs - April 2014
 
Guidelines for Computer Evidence ACPO (UK Police) - 72 pgs - April 2014
 
Cyber incident response - Are business leaders ready Economist - EIU - Arbor - 27 pgs - March 2014
 
Online Training for Legal & Accountancy Professionals ICAEW - March 2014
 
After a data breach - are credit monitoring services worth it for consumers?
These are basically PR vehicles for most of the breached companies who offer credit report monitoring.
They only give consumers limited help with a very small percentage of the crimes that can be inflicted on them.
 
Cyber Threat Intelligence with Structured Threat Info eXpression STIX - February 2014
 
Incident Response Maturity Journey RSA EMC - 15 pgs - December 2013
 
UK Cyber Security Sector - Competitive Market Analysis Pierre Audoin Consultants - UK Government BIS - 94 pgs - July 2013
 
Insurance Coverage for Cyber Attacks - Advice for buyers Gates - 10 pgs - June 2013
Insurers will continue to argue that cyber risks are not covered under CGL or other “traditional” policies.
New insurance forms seek to exclude electronic data from the definition of “Covered Property”.
Some insurers insert exclusions in Cyber Policies based on purported shortcomings in security measures.
Losses that Cyber Policies may cover include: data breach response & legal defence, regulatory fines, theft of intellectual property, business interruption due to denial of access, data recovery, extortion.
 
Cyber Security Crisis Management PWC - 20 pgs - May 2013
 
Responding to Targeted Cyberattacks EY and ISACA - 88 pgs - May 2013
 
Data Incident Notification Toolkit Confluence - 10 pgs - May 2013
 
Top Ten Tips for Companies Buying Cyber Security Insurance ACC - Association of Corporate Counsel - 3 pgs - December 2012
 
Computer Security Incident Handling Guide NIST (National Institute of Standards and Technology) - 79 pgs - August 2012
 
Notification of data security breaches to UK ICO Information Commissioners Office - 6 pgs - July 2012
 
Incident Handler's Handbook SANS Institute - 20 pgs - 5th December 2011
 
Personal data security breach management in UK WLG LLP - 5 Pgs - June 2009
 
 
Commandments for a de-perimeterized future Jericho Foundation - 2 pgs - May 2007
"All devices must be capable of maintaining their security policy on an un-trusted network"
"Data privacy requires a segregation of duties/privileges"
"By default, data must be appropriately secured when stored, in transit, and in use"
 
Data Breach notification procedure Yale University - 1 pg - August 2006
 

Membership gives unlimited access to the Cyber Rescue curated library of expert advice on cyber attacks, including:

 
Cyber Risk Oversight - Director's Handbook NACD (National Association of Corporate Directors) - 12th Jan 2017
80% of black-hat hackers are affiliated with organized crime
48% of cyber breaches result from criminal or malicious attacks
38% of IT organizations lack a defined cyber breach response plan
48% of IT security professionals do not inspect the cloud for malware
53% of cyberattacks are first identified by third parties while 47% internally