Interconnected and Interdependent Critical Infrastructure: Shared risk means building in shared responsibility

In today's globally interconnected world, our critical infrastructure faces an array of risks when it comes to cyber security. Creating a data breach response plan helps manage risk and decrease the severity of breaches.

In today’s globally interconnected world, our critical infrastructure and American way of life face an array of risks that pose significant consequences. The recent attacks on our nation’s critical infrastructure have exposed its fragility and prompted greater efforts to protect public and private sector networks from future cyber breaches and ransomware attacks.

November is Critical Infrastructure Security and Resilience Month, a good reminder that if there is shared risk, there is also a responsibility to reduce that risk. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) stresses the importance of considering infrastructure security and resilience from design concept all the way through development and implementation. Incorporating infrastructure security throughout the organization design process is an essential way to reduce risk and prevent cyber breaches.

CISA is asking every organization to:

  • Take responsibility to reduce shared risks.
  • Reevaluate your agency or company’s preparedness plans for securing public gatherings and make sure they are current with the latest techniques and tactics.
  • Consider ways to make resilience part of the design when upgrading or building new critical infrastructure.
  • Help people understand and identify misinformation, disinformation, and conspiracies appearing online or in other venues related to COVID-19, 5G, election security, or other infrastructure-related issues.

In today’s system-of-systems world, no single private or government entity possesses all the information necessary to manage systemic risk. A breach in one system can also impact multiple cyber and physical systems that are connected to it or depend on it to operate. Therefore, it is important to think about shared risk and how it can be prevented.

Data Breach Response Plan

One easy step to take is to create a data breach response plan. If data has been breached, it is important to have a backup plan. Creating a data breach response plan helps decrease the severity of the breach. Here are some items to include in your plan:

1. Identify the Data

When a breach occurs, it is important to know what data exists and how it is used within your organization. Identification could help your organization put a stop to the breach entirely or prevent the breach just in time. Understanding the data landscape within your organization is vital to mitigating any future damages.

2. Have a Response Team Ready

If a data breach occurs or is identified, you will want to have a response team ready. Preparing a team of trusted professionals to respond to and stop a breach is proven to enhance the safety of an organization or business.

3. Recovery

After the breach has occurred, important decisions will need to be made. This is when the organization or business will make key decisions, for example whether to stay connected to the internet to see what happened or to disconnect.

4. Identify Potential Risks

Try to secure as much data as possible during the breach, then identify the potential risks facing your company that could cause a data breach to occur and what would be the result if one happened.

5. Do Not Rush to a Decision

Have a plan in place to address the situation and potential consequences if a breach occurs. In most cases, it is advised not to release information about a data breach until your organization or business comes to a solution to fix the cause of the breach. Keep the information in the hands of the response team so it can be investigated and maintained.

6. Notify Appropriate Parties

Once the breach has been contained, make sure to notify affected individuals. Every US state and territory has requirements for notification of security breaches involving personal information. Notify your local law enforcement of any possibility of identity theft. For any incidents involving mail theft, contact the U.S. Postal Inspection Service. If the breach involved personal health records, check to see if you are covered by the Health Breach Notification Rule, then contact the Federal Trade Commission. Your agency or company should also confirm whether it is covered by the HIPAA Breach Notification Rule; if so, notify the U.S. Department of Health and Human Services. No matter the breach type, it is important to notify any businesses or individuals involved in the breach so they may take appropriate action on their end.

Infrastructure Security and Resilience should be acknowledged year-round to evaluate potential risks and to reevaluate your response plan. When it comes to shared risk, everyone has a responsibility to reduce the risk. There are many ways you and your organization can take part in our collective defense. Start today by visiting cisa.gov or reaching out to your CISA regional office.