When PwC’s Doug Bloom and Anthony Moeller convened at Relativity Fest in October for their session e-Discovery in Cyber Investigations, they didn’t mince words. Cybercrime might be old news, but preventing it from happening hasn’t gotten any easier.
“Ideally, any kind of breach is going to be prevented—but that perfect world doesn’t exist,” said Anthony. “Most companies have been hacked or will be hacked.”
Not exactly an uplifting message, but all hope is not lost. Throughout the session, Anthony and Doug focused on a few ways you can mitigate the risks of experiencing these attacks.
Step 1: Don’t Overlook Your Biggest Vulnerability
There are plenty of nefarious players in the cyber game, like individual “hacktivists” making a political statement, organized crime bosses, and nation-states with various agendas. But when you think of these shady characters, whom do you picture? Some anonymous figure, sitting in a dark room wearing a ski mask?
According to Doug and Anthony, that assumption is problem one.
“We spend a lot of time protecting ourselves against external threats, and when we focus our attention on the external, we end up ignoring the biggest risk—the people inside the organization,” said Doug.
In fact, in PwC’s Global State of Information Security Survey 2016, employees were an oft-cited source of compromise, accounting for 35 percent of security incidents in 2015. And their motives can fall into any of the usual buckets, from run-of-the-mill monetary gain to fulfilling political agendas.
“You will be hard-pressed to find some kind of cybersecurity event that doesn’t have either a current or former insider involved,” said Doug.
Step 2: Practice Access Control
Not all insider threats are malicious. Some are merely pawns and weak access points to the goods—similar to a well-meaning apartment dweller holding the front door open for someone who might not live in the building.
“The way people use social engineering to steal data is by manipulating somebody who has access to that data,” said Doug.
It’s a hard pill to swallow but, according to Doug, two little words can help: access control.
“Identify your critical assets. What would do the biggest damage to you if a breach occurred? And ask, ‘Who really needs to have access to that data?’” he suggested. “The smaller that population, the lower your risk.”
Your work isn’t done once you’ve narrowed that scope. You also need to keep monitoring the employees who retain access, through periodic background checks and training.
“Review that access constantly. Maintaining and monitoring access is the best thing you can do,” Doug insisted.
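The access review Doug describes (a small, justified population per critical asset, re-checked on a schedule) is easy to automate once you have three exports: the current grants, the HR roster, and a need-to-know map. The script below is an added example written for this post, not code from PwC or the session; every user, asset, department and date in it is constructed, and the "stale after 90 days" window is an assumed policy, not one the speakers stated.

```python
"""Periodic access review for critical assets (added example, constructed data).

Flags grants to revoke for three reasons: the holder is not an active employee
(a former insider or an account HR does not know about), the holder's department
has no need-to-know for the asset, or the grant has not been exercised within a
stale window. All names, assets and dates below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    last_used: date  # last time the grant was exercised, taken from the access log


# Constructed HR roster: user -> (employment status, department)
ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "litigation"),
    "bob": ("active", "marketing"),
    "carol": ("terminated", "litigation"),
    "dave": ("active", "finance"),
}

# Constructed need-to-know map: critical asset -> departments that really need it
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "client-matter-db": {"litigation"},
    "payroll-export": {"finance"},
}

# Constructed grant export from the access-control system
GRANTS: List[Grant] = [
    Grant("alice", "client-matter-db", date(2016, 3, 1)),
    Grant("bob", "client-matter-db", date(2016, 2, 20)),      # marketing does not need this
    Grant("carol", "client-matter-db", date(2016, 1, 5)),     # terminated, still has access
    Grant("dave", "payroll-export", date(2015, 10, 1)),       # right department, but unused
    Grant("svc-backup", "payroll-export", date(2016, 3, 1)),  # account not on the HR roster
]

# Review date for the worked example (hypothetical)
TODAY = date(2016, 3, 15)


def review(grants: List[Grant], roster: Dict[str, Tuple[str, str]],
           need_to_know: Dict[str, Set[str]], today: date,
           stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, asset, reason) for every grant that should be revoked."""
    findings = []
    for g in grants:
        entry = roster.get(g.user)
        if entry is None:
            findings.append((g.user, g.asset, "no roster entry; unknown or orphaned account"))
            continue
        status, dept = entry
        if status != "active":
            findings.append((g.user, g.asset, f"employment status is {status}"))
            continue
        if dept not in need_to_know.get(g.asset, set()):
            findings.append((g.user, g.asset, f"department {dept} has no need-to-know"))
            continue
        idle = (today - g.last_used).days
        if idle > stale_days:
            findings.append((g.user, g.asset, f"grant unused for {idle} days"))
    return findings


def population(grants: List[Grant],
               findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Users per asset once flagged grants are revoked: the number to keep driving down."""
    revoked = {(u, a) for u, a, _ in findings}
    remaining: Dict[str, Set[str]] = {g.asset: set() for g in grants}
    for g in grants:
        if (g.user, g.asset) not in revoked:
            remaining[g.asset].add(g.user)
    return {asset: len(users) for asset, users in remaining.items()}


def run_review() -> List[Tuple[str, str, str]]:
    """Run the review against the constructed data with the default 90-day window."""
    return review(GRANTS, ROSTER, NEED_TO_KNOW, TODAY)


if __name__ == "__main__":
    findings = run_review()
    for user, asset, reason in findings:
        print(f"REVOKE {user:<12} {asset:<18} {reason}")
    print("remaining population:", population(GRANTS, findings))
```

Run it on a schedule and treat a non-empty findings list as a ticket, not a report: the value is in the revocation, and the `population` numbers give you the trend line Doug is asking for.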
Additionally, Anthony stressed the importance of data remediation, which—no matter how many times people preach about it—still isn’t done often enough.
“It’s not easy, and it involves a lot of data risk management, but getting rid of data that has no value goes a long way in reducing risk,” he said, adding that corporations aren’t the only ones who should be thinking about data deletion. Law firms in particular are keeping way too much—a big problem, considering they also tend to be a major target of cybercrime.
“[Law firms] want associates to have the ability to reference every motion so they’re not reinventing the wheel,” explained Anthony. “And that’s just a trade-off that’s going to have to come around. It’s a cost-benefit analysis, and [keeping everything] is too risky.”
Step 3: Be Prepared to Respond
We’ve talked about how to dampen the risk of a breach, but—as Anthony said—most companies will inevitably come under attack. So what do you do when that happens?
According to Doug and Anthony, being prepared to assess the damage and quickly respond is key.
“Once [a breach] is detected, it is likely that a vast array of information has already been accessed,” said Anthony. “All three [personally identifiable information, personal health information, and intellectual property] have critical implications in terms of notification, and that’s where Relativity can play a key role in finding out what’s been taken and how wide the damage from the breach is.”
Anthony noted that while using tools like keyword search and RegEx “isn’t particularly cutting-edge,” they are still helpful in identifying specific words or patterns that relate to confidential information, such as account numbers, social security numbers, or key client names. Analytics should also be used to further identify key concepts—such as code words that may otherwise be missed—as well as help prioritize and accelerate searches.
“We’ve used analytics a number of times, finding key documents and similar key documents, breaking documents into clusters as a starting point—that’s been very helpful,” shared Anthony. “We’ve had a number of investigations that involved spear-phishing, where we had to put together a chronology of emails on how things stacked up. Having analytics capabilities is really helpful to leverage in these situations.”
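The pattern search Anthony describes is "not cutting-edge" but it is where a breach-scoping pass starts, and the practical problem is false positives: every nine-digit number is not a Social Security number and every 16-digit number is not a card number. The script below is an added example for this post, not code from PwC, Relativity or the session. It scans a constructed four-document corpus for SSNs (rejecting the 000, 666 and 9xx area numbers that are never issued), for card-style account numbers validated with a Luhn check, and for a constructed list of key client names and code words, then ranks documents so the review starts with the ones that hit in the most categories. The corpus, the key-term list and the ranking rule are all assumptions made for the example.

```python
"""Pattern search over extracted document text to scope what a breach exposed.

Added example with constructed data; nothing here is a real document, client
name or identifier. Three detectors: validated SSN pattern, Luhn-checked card
numbers, and a key-term list, followed by a simple prioritisation.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample corpus: file name -> text as extracted from the document
DOCS: Dict[str, str] = {
    "email_0412.txt": "Per our call, Acme Holdings wires go to acct 4111 1111 1111 1111 tomorrow.",
    "memo.txt": "Invoice 123456789012345 is the internal PO reference, not a card.",
    "hr_export.csv": "J. Doe,123-45-6789,active\nR. Roe,000-12-3456,terminated",
    "newsletter.txt": "Project Bluebird kicks off Monday; ticket ID 123-45-4321X is not an SSN.",
}

# Constructed key client names and internal code words the investigators care about
KEY_TERMS: List[str] = ["Acme Holdings", "Bluebird"]

# SSN: AAA-GG-SSSS where area is never 000, 666 or 900-999, group never 00,
# serial never 0000; \b on both ends stops "123-45-4321X" from matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens, as card
# numbers are commonly written; candidates are then Luhn-checked.
ACCT_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

KEY_TERM_RES = {t: re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE) for t in KEY_TERMS}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (category, value) hits for one document's text."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in ACCT_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop invoice/PO numbers that merely look like cards
            hits.append(("card_number", digits))
    for term, pat in KEY_TERM_RES.items():
        if pat.search(text):
            hits.append(("key_term", term))
    return hits


def prioritize(docs: Dict[str, str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Rank documents by distinct hit categories, then by hit count, highest first."""
    scored = [(name, scan(text)) for name, text in docs.items()]
    scored.sort(key=lambda nh: (len({c for c, _ in nh[1]}), len(nh[1])), reverse=True)
    return scored


if __name__ == "__main__":
    for name, hits in prioritize(DOCS):
        print(f"{name:<16} {hits}")
```

Notice what the validation buys: the terminated employee's placeholder "000-12-3456", the PO number that happens to be 15 digits long, and the ticket ID with a trailing letter are all excluded, so the reviewer's first pass lands on the email that names a key client and carries a valid card number. Regex is the starting point, not the finish; the clustering and near-duplicate grouping Anthony mentions is what you run next on the documents the patterns surface.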
Bottom line: companies can and should prepare for a breach before it happens, and they can do so simply by leveraging the tools, like e-discovery software, that they may already have.
“Data breach investigations are incredibly complicated,” said Anthony. “Even though [tools like] Relativity [are] not the baseline for doing data breach response, [they’re] valuable to have in the data breach response toolbox in going through massive amounts of data.”
To hear more thoughts and insights on cyber investigations from Doug and Anthony, watch the full recording of their Relativity Fest session.