Disclaimer: The company and scenario depicted in the presentation are fictitious. The events represent realistic circumstances but are not based on real-life events.

Our presenters used a fictional case of a cybersecurity breach to discuss how cybersecurity is much more than an issue for your information technology (IT) department: cybersecurity impacts your organization at just about every level. The discussion covered the scenario and its timeline, the real-world response, and the controls and processes involved, including what the company did and what it could have done better.

The presented scenario involved a Software-as-a-Service (SaaS) company offering solutions for small to medium-sized healthcare providers: back-office solutions, electronic healthcare management, remote care management, and payments processing. The SaaS provider is subject to PCI, HIPAA, BSA/AML and other related financial regulatory requirements, and recent customer contracts have increased security and regulatory compliance scrutiny on the business.

In the scenario, a backend engineer realizes that client data has been uploaded to a publicly accessible AWS S3 bucket and immediately files an incident response ticket once he discovers his mistake. After closing the bucket's public exposure to the internet, the company must now involve its Security and Compliance Director and its General Counsel for legal purposes.

The chain of events that occurs includes the following:

  • DevOps must pull AWS events and access logs for analysis.
  • Security and Compliance drafts a root cause analysis of the breach.
  • General Counsel must review client contracts to understand requirements regarding communication of HIPAA and security breaches.
  • DevOps discovers that S3 access logging was never enabled on the bucket because the backend engineer did not follow standard operating procedures, so DevOps reviews the data in question to determine the record count of the potential exposure. Meanwhile, General Counsel and the CTO meet with Public Relations and the CEO to discuss a communication plan for delivering the bad news, particularly to regulators, the client and affected patients.
  • In the meantime, an active attacker is identified and blocked. The CTO now considers the need to contact their cyber liability insurance provider.
  • Human Resources is consulted regarding the discipline of the backend engineer.
  • Security and Compliance must now review and update all related policies and procedures to ensure they are sufficient for use during another live incident.
  • General Counsel reviews the cyber risk insurance reporting requirements and determines a process needs to be included in the Incident Response Plan for reporting incidents to the insurance company.
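The two control gaps in the timeline above (a bucket reachable by the public, and a bucket with no access logging to reconstruct who read the data) are both visible in bucket configuration before an incident. The following checker is an added example for this recap and is not code from the presentation or the company it describes. It reads the configuration shapes that boto3's get_bucket_acl, get_bucket_policy, get_public_access_block and get_bucket_logging return, but the bucket names, policy and ACL below are constructed sample data and nothing here calls AWS.

```python
"""Offline checker for two S3 control gaps: public access grants and missing
server access logging. Input dict shapes mirror boto3's get_bucket_acl,
get_bucket_policy, get_public_access_block and get_bucket_logging responses;
all sample data in this file is constructed and no AWS API is called."""
import json

# S3 canned groups whose grants make an object readable by anyone (or any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_acl_grants(acl):
    """Return the ACL permissions granted to a public group (e.g. ['READ'])."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perms.append(grant["Permission"])
    return perms


def public_policy_statements(policy_document):
    """Return Sids of Allow statements with a wildcard Principal.
    Conditions that narrow the statement are not evaluated, so a hit means
    'review this statement', which errs on the side of flagging."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def assess_bucket(name, acl, policy, public_access_block, logging):
    """Combine the checks into a list of human-readable findings for one bucket."""
    findings = []
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    # Block Public Access settings neutralise public ACLs and policies when set.
    acl_ignored = pab.get("IgnorePublicAcls", False)
    policy_restricted = pab.get("RestrictPublicBuckets", False)
    perms = public_acl_grants(acl)
    if perms and not acl_ignored:
        findings.append(f"{name}: ACL grants {sorted(set(perms))} to a public group")
    sids = public_policy_statements(policy) if policy else []
    if sids and not policy_restricted:
        findings.append(f"{name}: bucket policy allows anonymous access in {sids}")
    if "LoggingEnabled" not in logging:
        findings.append(f"{name}: server access logging is not enabled")
    return findings


# Constructed sample data: an exposed bucket as in the scenario, and a hardened one.
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::patient-exports-example/*"}]})
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-example"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
HARDENED_LOGGING = {"LoggingEnabled": {"TargetBucket": "access-logs-example", "TargetPrefix": "s3/"}}

if __name__ == "__main__":
    for line in assess_bucket("patient-exports-example", EXPOSED_ACL, EXPOSED_POLICY, {}, {}):
        print(line)
    print("hardened:", assess_bucket("hardened-example", HARDENED_ACL, None,
                                     HARDENED_PAB, HARDENED_LOGGING))
```

Run against a real account, the four dicts would come from the corresponding boto3 calls per bucket; running the check on every bucket at deploy time is the kind of standard operating procedure the scenario's engineer skipped, and the logging finding is the one that decides whether "who read the data" can be answered at all during the response.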

Proactive Tips

  • Review policies and procedures regarding cybersecurity and regularly update employees with security awareness training regarding these policies and procedures.
  • Review and update the company’s Incident Response Plan.
  • Perform an annual cybersecurity risk assessment to help identify any assets in your company that could be affected by a cyberattack, including infrastructure, systems, laptops, and customer data, and develop plans to manage the risks.