Back in November 2020, Prestige Software, a hotel reservation platform used by Hotels.com, Booking.com, and Expedia, left data belonging to “millions” of guests exposed on a misconfigured Amazon Web Services (AWS) S3 bucket. Over 10 million individual log files were exposed. Each of these records exposed sensitive and personally identifiable information (PII), including names, email addresses, national ID numbers, phone numbers, reservation information, and credit card details, including CVV and expiration date. Website Planet reports that the S3 bucket contained over 180,000 records from August 2020 alone, despite global hotel bookings being at an all-time low for this period.
SC Magazine spoke to SureCloud’s Craig Moores, Practice Director, Risk Advisory for his expert insight into data breaches. Here are his full comments:
When such a breach happens, what should a CISO do to manage the crisis? How do you communicate this news to staff, to the board, to the public?
The first and most important aspect of any incident is to manage the messaging behind it and ensure that it is based on a thorough triage and is factual. Providing some information (a high-level overview of the incident) to all the aforementioned stakeholders in a timely fashion is paramount to influencing internal communication and external media reporting in the most positive light. It is always recommended that the organization have a designated media spokesperson who will be responsible for all external information requests surrounding an incident, and it is imperative that staff and critical third parties are instructed not to make external communications surrounding the incident – this is to ensure that one consistent message is being communicated by the organization. The CISO, along with the crisis management team, must quickly define the incident timeline and set out objectives for each upcoming deadline (such as the 72-hour deadline for notifying the ICO, if applicable).
Read our blog ‘CISO Under Pressure’ to learn about more stress-busting communication tips, here.
What measures do you take with your suppliers who’ve landed you in trouble?
Avoid the ‘bull in a china shop’ approach at all costs. Supplier relationships are indeed based on contractual agreements; however, they are delivered on trust and mutual respect – therefore, it is vital that the root cause of the situation is established and that the supplier, with multiple customers potentially in the same situation as yourself, does not side-line you. In most cases, provided there is a strong relationship with the third party, they will form part of the triage and containment activities, therefore working cooperatively to manage the incident. The key point here is that you as an organization have chosen your suppliers; this is not an ‘us’ and ‘them’ issue, rather a ‘we’ problem – especially in the eyes of your customers. Set out clear expectations and timeframes for updates from the supplier throughout the incident management process and ensure that thorough root cause analysis is conducted post-incident. Ultimately, the best outcome to demonstrate would be that a risk assessment is conducted to establish the appropriate actions to carry forward with the supplier.
Discover SureCloud’s third-party risk management solution, here.
What else?
All eyes will be fixed upon the CISO, and questions will be posed about how this managed to happen. The organization has limited to no control over the individual actions of its suppliers; however, there is a significant amount of damage limitation that can be taken from robust third-party supplier due diligence activities. For example: the reputation of the supplier and previous history of incidents; scrutinizing contracts, defined SLAs, NDAs and other due diligence documentation during the procurement phase; conducting regular service reviews; testing and right-to-audit clauses; and regularly enforcing those testing and right-to-audit clauses. Whilst this would not be a ‘get out of jail free card’ by any stretch, it would allow the CISO to demonstrate that they had acted diligently within all aspects of the supplier onboarding and management activities that were within the control of the organization.
Any other comments?
High profile incidents are regularly occurring. Learning about control deficiencies directly resulting in an incident, or from the mistakes of others and using those examples to reduce the likelihood of your organization being next in the queue is vital. Do not solely focus on your own organization and work towards implementing a zero-trust model that factors in all the entities within your sphere of influence.
About Craig Moores
Craig is responsible for SureCloud’s Risk Advisory Practice including engagement scoping, consultancy delivery and client relationships. Craig was most recently part of the senior delivery team within a global cybersecurity consultancy, responsible for leading and delivering complex cybersecurity solutions aligned to strategic business objectives. Craig has broad cybersecurity experience including a strong technical, software development and project management background, with strengths in the areas of information risk management, PCI DSS, strategic planning and business auditing. Craig is a certified CISSP, Lead Auditor and PCI DSS QSA.
About SureCloud
SureCloud provides cloud-based Governance, Risk and Compliance products, and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.