A couple of weeks ago you received an email from the IT team who wanted you to urgently log in to your Microsoft account so they could check something or other. What you didn't realise is that the email address isn't one your IT team usually use. Two weeks later, the real IT team get in touch about unusual activity in your mailbox. Yep, you fell for a phishing attack. Not to worry, you have now changed your compromised password – job done!
Actually, that's not the end of it at all…
What some organisations are failing to realise is that a successful phishing attack, where malicious parties gain access to a mailbox or other systems where personal information resides, is most likely a GDPR 'personal data breach'.
This means that, as well as putting a stop to further harm from the incident ASAP, organisations that are 'controllers' for the data urgently need to assess whether the breach is sufficiently serious to require notification to data protection regulators and possibly also to impacted data subjects.
The clock starts ticking at the point the organisation is aware of the breach. If it turns out to be notifiable to data protection regulators, the GDPR only allows 72 hours to get the notification submitted - unless there is very good reason for not doing so. Not having realised this was necessary, or a lack of preparation resulting in a sluggish investigation, is not a good reason. In fact, the opposite.
If a personal data breach incident response is planned, prompt and co-ordinated, there is a much better chance of avoiding action being taken following a notification. On the flip side, organisations can easily dig themselves into a hole when notifying a breach by revealing not only weaknesses in security but also a lack of preparation for handling personal data breaches.
Here are our five top tips based on lessons learned from security breach enforcements so far by regulators in Europe and on what we in Fieldfisher's cyber security team regularly see behind the scenes:
Tip 1 – Prevention is better than cure and two-factor authentication is top trumps
There is never going to be a cure for ever-evolving security breaches, but there are some powerful 'vaccines' that all organisations should be deploying as a matter of BAU. Top trumps is two-factor authentication to thwart successful phishing attacks. Systems accessed via two means of verification (for example, password + security token) are much more resilient against phishing attacks. Time and time again we see data protection regulators refer to two-factor authentication - or rather the lack thereof!
Tip 2 – Train, and train again
Phishing messages, by their very design, are easy to fall victim to. To give your staff a decent chance of recognising a phishing email when they see one, they need to be trained. The most effective way of doing this is a combination of guidance, training and mock phishing attack exercises to test what they have learned.
Tip 3 – Special measures for finance and invoicing
Malicious parties trying to get into your systems will usually be motivated by money and getting their hands on it. A common way to do this will be to get into a system and then through deception trick people into diverting monies into the phisher's account. Robust measures should be in place for billing and payments practices within an organisation, designating responsibility to a select few. If an authentic-looking invoice is received (or an invoice containing a veiled threat for urgent payment), robust processes for verification of any new account details can reap rewards.
Tip 4 – Big Red Button
Some email providers include an added phish alert button in their arsenal. This is something an organisation should consider as a quick and easy way to flag suspected phishing incidents, immediately directed to the relevant IT/security teams. This is particularly important given the short timescales for notifying personal data breaches to regulators.
It is also important to make sure that once notified to IT/security, their triage processes include a prompt assessment of what personal data may have been compromised and an escalation path to the personal data breach team.
Tip 5 – Personal data breach team – have one and train them
It sounds obvious, but among our top tips is to have a personal data breach team. Many organisations have incident response plans and people to execute them but do not have a specific team trained in responding to incidents that involve personal data. Put in place a toolkit and training for this team so they are not put in the position of working out what they need to do in the midst of a crisis.