Privacy concerns may not be the first issue that comes to mind when building an enterprise cyber resilience plan. However, you should expect them to gain prominence. For perspective, consider for a moment that the NIST Privacy Framework is a relatively new tool: version 1.0 was only released in January 2020.

Even ISO only published its privacy standard in August 2019. As part of the 27000 family, ISO/IEC 27701:2019 “specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.”

Now get this: the technical committee responsible for its development is called ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection (note the last two words).

Let’s up the ante to emphasize the connection to cybersecurity resilience just a little bit more. Want to know what NIST did? It developed a very handy crosswalk, which maps controls from the Privacy Framework to the Cybersecurity Framework and vice versa.

Therefore, the interplay between the two issues, cybersecurity and privacy, raises the question: does a strong cybersecurity program begin with a strong privacy program?

See how all of a sudden privacy issues really do tie into your overall resilience? There are a few areas in particular where privacy issues could really test your organization. Keep in mind reputation, disclosure, compliance and financial cost.

How Much Is Your Reputation Worth?

Gossip, rumor, and yes, even legitimate bulletins and news blaze across the world at record speeds. Managing your reputation at warp speed is critical to your organization’s cyber resilience. Largely thanks to social media, a negative story can cause major damage to your reputation and brand. It can happen even within a matter of minutes.

Yes, minutes.

As a publicly traded company, you could see massive dips in your market cap. Think about it. Trading has become less about ‘boring’ things like EBITA, price-to-book ratio or quarterly earnings. It has become more speculative, with an emotional edge to it.

So what is the link to privacy, then? Well, if we’re still riding that emotional edge, candidly speaking, people take their personally identifiable information (PII) pretty darn seriously. It is an emotional reaction that triggers what happens next, not necessarily a deliberate, well-thought-out course of action.

Keep Your Customers’ Faith

Keep in mind that no matter how common breaches become, and no matter how aware the general public is that they are happening, few things frustrate people more than spending time setting up credit alerts, chasing down possible fraud and living with that feeling of having been violated somehow. That ‘contract’ or bond between the customer and the organization breaks.

And if you think losing part of your customer base does not impact the organization’s cyber resilience, I have a bag of beans to sell you, magic not included.

One perspective that ties together privacy, security and reputation is an intangible issue: your organization’s goodwill. How much is that worth to you?

I can make you a promise: standing up your applications, spinning up new instances, loading up backups and getting all your transactional capabilities up and running means nothing if your customers no longer have faith or confidence in doing business with you. You have reached bust. Kaput. The end.

That’s one of the reasons privacy matters to cyber resilience: it keeps an eye on the hidden cost.

Time Is Not Your Friend When it Comes to Cyber Resilience

Now let us look at a couple of the tangible issues: disclosure and compliance. Or, put another way, time and money. If you have been following what the Securities and Exchange Commission (SEC) has been up to regarding cybersecurity disclosures, the message is pretty blunt: provide timely and quality disclosures related to breaches. All the more reason your crisis communication planning needs to have close partnerships with external bodies ready to go before the incident happens.

Think about it like this: in a crisis situation, you want to drive the message as much as possible, because that is one of your control levers. If somebody else drives the message (or knocks on your door asking why you haven’t disclosed in time) you’re losing and you’re looking for a bruising.

Let’s look at part of a privacy breach scenario for a moment:

  1. Word leaks (who cares how, or if it is even true) that your organization has suffered a breach and PII has made it out into the wild.
  2. That information makes it to social media, and a couple of major news organizations or security influencers pick up the story and amplify it.
  3. Everyday people start to digest the news item and begin to worry (e.g., is their information exposed?).
  4. Other stakeholders, namely shareholders, start to panic because there are signs of a sell-off happening.
  5. Phone calls are being made at the board level to contain this looming disaster.

See how this is going? We’re not even at the SEC “ahem” call yet!

This is an extreme example, right? Perhaps it is. But there is something larger going on here: if you are not planning and preparing for extreme, you may as well be faking it.

Cyber Resilience: Ride the Storm

Have you perhaps noticed that the cybersecurity issue is becoming more difficult to manage and not easier? Perhaps you have noticed breaches are also becoming costlier? A quick rundown of the findings in IBM’s Cost of a Data Breach Report 2021:

  • Highest average cost in 17 years
  • Remote work increasing the cost
  • Compromised credentials are the most common initial attack vector
  • Security AI and automation have the biggest cost-mitigating effect
  • Zero trust approach helps reduce cost
  • Organizations in the middle of a cloud migration faced higher costs.

Okay, so what does it all have to do with privacy? What impact will it make on organizational resilience?

Simple: privacy is both amplifier and sleeping giant. That is why preparing for the extreme event is required. What happens when you lose the confidence and faith of your entire customer base? You may be able to survive the fines, the penalties, the operational downtime and even the rebuild costs.

But the reputational hit? Perhaps not. Do what you can to ensure that the unspoken contract between you and your customer is not broken: protect their privacy.

Next in the journey, we look at security-by-design. Or as I like to call it: break it while you build it.
