Savvy directors are demanding more points of proof when cyber incidents occur

Check Point Software Technologies Ltd

By Scott Mann, Incident Response Team Lead – APAC, Check Point Software Technologies
Wednesday, 08 May, 2024


Organisations large and small continue to experience damaging cybersecurity incidents and breaches. To prevent such attacks, enterprises are starting to rely more on preventive measures, but also realise how vital their response to a breach might be. More and more, a response team is what makes the difference when returning a business to standard operating conditions.

Some directors and executives might struggle to understand their own role when a major incident takes place — especially when the environment is extremely technical by nature. In rare cases, a board of directors might elect a technically capable individual within the company as a ‘safe pair of hands’ to bear the responsibility of remediating the situation.

But in Australia, where the board of directors can and has been held liable for cyber resilience, the tendency is to want to build skills and capability in cybersecurity, such that they can ask the right questions of the CISO or domain experts and independently assess their comfort level with current protections or — more critically — with the actions taken for an internal incident response.

Aside from personal liability, directors today are increasingly aware of the costs that a cyber incident can impose on business operations, and want greater clarity on what those costs are likely to be.

As a former detective who has since done a lot of expert witness work, I’ve sometimes experienced deeper and more strenuous cross-examination by board members than I have by lawyers. Boards intuitively understand the weight of evidence needed to justify a certain course of action.

In incident response, the first reaction of tech teams is often to switch off or isolate substantial IT assets out of an ‘overabundance of caution’, but responders may not understand the full weight of that business decision. Boards, on the other hand, tend to know the full cost of an hour, or a day, of downtime and want a weight of evidence, to their standard, that the course of action taken is justified.

A ‘need to know’ basis for cyber decision-making

In any serious incident, there are certain things that are valuable to know. For starters, the way evidence is gathered and presented matters, and depends on its intended use. Whether it is to inform lessons learned and future directions internally or to be handed off to policing agencies to pursue a threat actor, it will need to meet a certain evidentiary standard.

For example, when police are investigating an alleged criminal offence, they collect evidence, interview the suspect(s) and prepare a brief that contains certain ‘points of proof’ that need to be covered off for the brief to be accepted by the court and then ultimately shown to the jury.

The onus of proof is obviously quite different in a non-court setting such as a private, inwards-focused forensics investigation. But the need for proof — for answers — is no less important.

Boards overseeing internal investigations, as well as the organisations conducting them, often face a significant challenge: forensic efforts frequently lack clear guidance, or points of proof, on the specific evidence points they should aim to uncover.

There is a lack of clarity around what forensics need to prove, to whom and in what format. There may also be no internal consistency around what the outcome of a cyber incident investigation should look like: with the board, CEO, security team or independent assessors having varying goals and visions for the final output.

Before an incident occurs, several things should happen. Primarily, it’s important for everyone to get on the same page about what a ‘status update’ or ‘incident report’ should look like. This should be simple enough to agree on.

Second, regular ‘pre-mortems’ and workshops with all stakeholders are valuable. These are opportunities for everyone to get across the details of the organisation’s incident response plan. In the case of a pre-mortem, these should also be psychologically safe settings for cyber teams to highlight gaps or failures in risks and controls: an opportunity to openly discuss and fix weaknesses in advance, rather than having the discussion after an incident, which is a much more challenging start point and setting for that conversation.

Finally, incident response and forensics should be rehearsed in a ‘tabletop’ exercise ahead of time, so that everyone is well versed in the objectives and knows how to execute when the time comes.

The answers you seek

Boards can further their own capability around cybersecurity, and temper the potential for misunderstandings, by seeking clarity in two key areas:

  1. Through multi-stakeholder discussions, pre-mortems and tabletops, directors should be clear about roles and responsibilities in a cyber incident — in particular, what their role is and what they may need to lean on third-party services to provide.
  2. Absolute answers may not always be available. Boards tend to ask high-level questions, like ‘How did the incident happen?’ and ‘How long has it been active?’ Such questions can be difficult to answer early in an ongoing incident response. This expectation is sometimes based on a misunderstanding that computers immutably log every interaction and activity; were this true, digital forensics would not exist.

In cyber incidents, rarely is there a full, easy-to-consume account of the (malicious) conduct available. Assurances sought by the board on whether data has been accessed or stolen quickly get bogged down in technical detail; while technical artefacts may provide part of the story, sophisticated attackers are often able to act stealthily without leaving much of a footprint.

To counter this increasingly common attacker behaviour, a board of directors must be well prepared for a cyber incident, and understand the right questions to ask, the limitations of forensics and the weight of evidence needed to justify a course of action. They should be well practised in how to approach an incident, and what the outcome needs to be.
