The annual cyber security survey undertaken by the UK Government reported that 39% of UK businesses had identified a cyber-attack in 2022. The most common type of attack was phishing, in which criminals try to trick an organisation's employees into actions such as clicking a link that downloads malware.
The survey also found that organisations with a stronger cyber security posture generally identify more attacks, so less mature organisations are likely to be under-reporting simply because they are not detecting them. Furthermore, the report found that only 19% of businesses have a formal incident response plan.
The Information Commissioner's Office (ICO) reports that only 21% of the incidents recorded in 2022 were categorised as cyber security incidents. This suggests that cyber incidents that have led to a personal data breach could be under-reported. Possible reasons include immature governance processes, immature cyber security postures, and misconceptions about when, and to whom, an organisation should report an incident (the National Cyber Security Centre (NCSC) or the ICO), as discussed in a recent blog published by the NCSC.
These findings lead me to question how well IT, cyber security and data protection processes are connected when incidents are identified, managed and reported, both internally and externally. The three are inextricably linked, yet the figures above suggest they are often handled separately. Why might that be?
IT Incident Management
Most organisations use an incident management system, or a manual log, to record, manage and resolve IT issues. The focus of that process is restoring stable service to users and the wider business, not assessing whether the incident has a data protection or security implication.
An incident is often first identified by a user experiencing a problem, such as being unable to connect to an application, and the investigation concentrates on finding the cause. What isn't always apparent within that process is whether the incident is the symptom of a security or data protection breach. If the impact on the confidentiality, integrity and availability of the affected data is not assessed, the breach may go unrecognised and established policies may be breached without anyone noticing, simply because the day-to-day maintenance of IT systems is reactive by nature.
In larger organisations such as the NHS, there will be a separate incident reporting system for clinical/operational incidents. These are managed within a governance, risk or compliance function but are not integrated with the IT incident management system. Because of this lack of digital integration, it isn't always possible to link a clinical/operational incident to the IT system unavailability that caused it, for example. The two incidents are addressed separately, without oversight from the relevant stakeholders. This leads to missed opportunities to contain and manage the incident effectively unless appropriate communication and stakeholder management processes are clearly established at the outset.
To mitigate such risks, data protection expertise should always be treated as a key stakeholder within incident response plans. Data protection is not only about data loss or theft; it also applies where data has been destroyed or altered, or accessed or disclosed without authorisation.
This could mean that the cause, impact and consequences of IT system unavailability resulting from a cyber-attack, for example, are not always recognised or considered from an IT operational perspective. That is a risk in itself, because it is not always obvious what has actually occurred.
A recent incident response exercise undertaken by Gemserv highlighted a number of gaps in an organisation's incident response and, in particular, showed how important it is to have the relevant stakeholder expertise available when responding to IT incidents.
Risks of not having data protection involvement as part of Incident Response Plans
- The consequences of an incident are not fully identified, because the data protection impact isn't always obvious unless someone is looking for it.
- Potential breach of the data protection principles, which require personal data to be protected by appropriate, documented technical and organisational measures.
- Reputational damage if an incident that poses a risk to the rights and freedoms of individuals is not managed in accordance with data protection legislation.
- The incident could reoccur if appropriate data protection controls are not considered as part of the remediation.
- Non-compliance with data protection legislation: a notifiable personal data breach must be reported to the ICO within 72 hours of the organisation becoming aware of it.
Why is having an incident response plan important?
Effective incident response plans help reduce the effects of security events and, therefore, limit the potential operational, financial and reputational damage. They also set out who to contact and what to do when an incident occurs, including its data protection and security elements.
An incident response plan establishes the recommended actions and procedures needed to:
- Categorise and classify incidents to identify risk and impact.
- Establish clear escalation processes within your organisation.
- Take a holistic approach to IT incident management.
- Triage and assess incidents through a process that brings in the relevant subject matter experts.
- Create a governance process that links data protection and security experts to the incident process.
- Start a review process to identify the root cause of incidents.
- Establish a clear process to notify relevant parties, such as the ICO, the NCSC, the supply chain or other interested parties, where appropriate.
- Create a clear process to inform data subjects where the breach is likely to result in a high risk to their rights and freedoms.
What could we do to support our incident response planning?
- Review your IT incident response plans to ensure the relevant stakeholders, including data protection, are clearly defined.
- Build external engagement with relevant bodies such as the NCSC or the ICO into your plans to enable you to access the right support if you need it.
- Review your escalation processes.
- Establish clear lessons-learned processes so that the same incident does not reoccur.