“Data breach is assured, just like death and taxes are.” John Stark, cybersecurity consultant, told FEI’s annual Current Financial Reporting Issues conference in New York on Nov. 17, 2015.

Stark is the president of John Reed Stark Consulting LLC and a former Chief of SEC’s internet enforcement office. He talked about today's data breach target, response workflow, along with steps to take now to insure adequate preparations at the conference. 

Attack Target.

Third party vendors are becoming more vulnerable in cyber-attacks, especially law firms and public relations. “Law firms are great targets [in data breach].” Stark said. “You can read the lawyers bios on the website, and you can pretend to be, maybe, the general counsel of the law firm through social engineering.”  

Internal threat is another huge area. When a breach happens, “you have to think it might come from somewhere internal. And you have to think about ‘bad leavers.’” “Bad leavers” are employees who “leave” a company on “bad” terms. One of his client companies fired its CIO, “the CIO grabbed the computer right after getting fired, and ran out of the door,” he said “Bad leavers” can cause deliberate harm before or after they exit.

Data Breach Response Workflow.

“When you are experiencing a data breach, everyone presumes it is your own fault even though you are the victim.” Stark said. “Data breaches don’t define victims. How companies respond to data breaches does.” 

It is important that companies respond to a complicated crisis and have multiple workflows in a highly compressed time period. Stark talked about the workflows when a data breach happens: 

  • Preservation—the first step should be preserving the data. Companies should find anything relevant to the investigation of the data breach, in an evidentiary manner, and make sure that the data get well preserved.
  • Digital forensics analysis—when there is a data breach, digital forensic investigators would come in and scan all the systems to find any of the suspicious files, until they find possible indicators of compromise (IOC). Investigators then would scan those suspicious files repeatly to look for more IOCs.
  • Logging analysis—logs are records of system activities. Companies should get the logs organized and look for suspicious activities.
  • Payment Card Industry (PCI) compliance—the PCI data security standard is a set of requirements designed to ensure that companies process, store or transmit credit card information maintain a secure environment. However, with Apple Pay and Google Wallet, the standard is less likely to be compromised.
  • Constituency notifications—companies need to make sure notify insurance carriers, board of directors, third party vendors, customer notification.  

Other workflows mentioned by Stark during the conference include:

  • Malware reverse engineering;
  • Surveillance;
  • Remediation;
  • Exfiltration analysis;
  • State and federal regulatory compliance; and
  • Law enforcement liaison.

Steps to Take.

Even though data breach is inevitable, Stark said companies should still reduce the threat. Having a top-down commitment to the cyber security and a training program for all employees to ensure that, not only IT people, but everyone in the organization realizes the importance of the cyber issue and how to respond when it happens. Having a flexible IT budget and incident-response plan so that when a data breach happens, companies can respond accordingly. And have cyber insurance, Stark said, “Although it is still something new, it can also mitigate cyber-attack losses.”