WHEN an organization’s ability to provide information on its website or its electronic channels for service delivery is impaired, has that organization’s information system been hacked?
Filipino netizens are increasingly becoming aware of instances of hacking. When one is unable to access his email or social media account or fails to withdraw money through an automated teller machine, the immediate thought is hacking. The impact of hacking has become personal, experiential. It leads to worry, frustration, anger.
The recent incidents in the banking industry—glitches or instances of hacking attacks—demonstrate a more personal impact on the affected individuals.
Information systems do not operate entirely on their own; they sometimes require some form of human intervention. Controls have been put in place to avoid the possibility of errors in the execution of manual functions. But failure of those controls can happen. And, when it happens, the result may be catastrophic.
Information security professionals have long known that no matter what security protection measures are in place, an attack on an information system can happen. Malevolent actors will always find ways to attack a system and interfere with its normal operations. This has been demonstrated in the “ComeLeak” incident. Similarly, ATM skimming—a technique by which an attacker installs devices in automated teller machines to harvest information stored in ATM cards and collect keystrokes, and later uses the information to clone depositors’ ATM cards—has victimized bank depositors.
Attacks do happen, and it is not a matter of “if” but “when”. And when one does happen, how should organizations respond?
The best option is for the organization to have a breach response process in place.
An organization must develop, if it hasn’t done so yet, a process to respond in order to resolve a glitch in or an attack on its information system, restore normal operations in the shortest time possible, and let its stakeholders know what is happening and what is being done about it.
A breach response team must be in place and the team must be able to respond quickly, at a moment’s notice. It includes groups of individuals who will perform various emergency tasks. A group of individuals who have knowledge of the operations of the information system and the security measures that are in place is assigned to determine the type of incident and its scope and to restore normal operations. A separate group is assigned to handle communications with stakeholders and the public and issue appropriate notification to affected clients and, if necessary, to the regulatory agency. A group is assigned to handle help desk and customer care. A separate group will coordinate with vendors, if necessary. The plan should already include alternate ways of delivering services but a group should also be assigned the task of exploring other ways of serving clients considering existing conditions. There must be a group assigned to handle legal matters. A communication protocol must be established so that the various groups are able to coordinate. The team leader will orchestrate the operations of the various breach response groups.
Awareness of breach response planning and management has slowly crept into organizations since the National Privacy Commission (NPC) started pushing for compliance with the Data Privacy Act (DPA). The NPC’s focus is, of course, the protection of personal data. But breach response covers not only breaches in the security and protection of personal data but also breaches in the security of the information systems and information assets of an organization, whether automated or paper-based.
If the security breach involves personal information, the DPA requires that the affected organization, public or private, notify the NPC and the affected individuals promptly. Legal nuances require that the term “promptly” be properly defined. Thus, in issuing the implementing rules and regulations (IRR), the NPC prescribed that notification be made within 72 hours of the discovery of the breach.
Resolution of the incident is at the core of the activities of the breach response team, but notification of stakeholders is also of primary importance.
It is best practice for the organization to acknowledge that a security breach has occurred, inform its stakeholders of the fact, and tell them that updates will be made regularly. It is important that stakeholders be given the assurance that the organization is taking all the necessary actions to resolve the security breach and restore normal operations in the shortest time possible.
In the age of social media, reports of hacking spread like wildfire. Speculation arises if affected stakeholders are not informed and updated on what is happening. Customers and clients are likely to lose confidence in the organization. It is the task of the communications group to stem the tide of false information or fake news that spreads on social media.
As organizations increasingly use and become dependent on information and communications technology in their operations and delivery of services, it is important to acknowledge that something can happen that will interfere with and interrupt the operations of their information systems. It is good for organizations to be prepared to respond when it happens. It is best for an organization to be visible, transparent and predictable in dealing with its stakeholders as it addresses the breach in its information systems and the impairment of its operations.