SecurityScorecard Helps Scientific and Educational Non-Profit Prepare for Information Security Incidents

The Challenge

This worldwide non-profit organization has been promoting environmental and historical conservation since 1888. It supports science, exploration, education, and storytelling to inspire change and protect our world.

With millions of people around the globe participating in, and benefiting from its programs, the organization needed to be prepared to maintain continuity in the event of an information security incident. To ensure this could be achieved, it set out to test how well its Incident Response Plan (IRP) would perform if it was activated during a cybersecurity event.

General Info

The Solution

SecurityScorecard conducted executive information security incident exercises with the main objective to assess the organization’s preparedness. The first of these exercises covered ransomware, and the identification, containment, eradication, and recovery stages of incident response.

The scenario revolved around the compromise of the organization’s systems by a threat actor who deployed ransomware and exfiltrated data. The exercise itself focused on how the organization would react and respond to this threat, and the decision of whether it would pay a ransom for the return or deletion of its data.

With SecurityScorecard’s help, the organization was able to test its IRP. Although participants from the organization competently and effectively implemented the plan and demonstrated a good understanding and technical knowledge of their environment, SecurityScorecard found key areas for improving the plan itself.

The Results

During the exercises, SecurityScorecard found that participants were decisive in treating three or more devices encountering the same issues as a potential cybersecurity incident, but this trigger or threshold is not reflected in the IRP.

SecurityScorecard recommended revising the IRP d to ensure it lays out specific triggers for its activation. Specifically, this should specify when senior leaders are informed of a potential incident, what information is provided, and how this information will be conveyed.

Additionally, SecurityScorecard recommended the organization should carefully consider the timing of communication with the threat actor. The IRP should outline who will be consulted and engaged in the decision to open communications with the threat actor in the case of a ransomware incident.

SecurityScorecard helped the organization strengthen its security awareness program by including measures that users would be expected to take in the event of an incident. Examples of these measures include:

1. Refraining from sharing, posting any material, or commenting publicly during such incidents.
2. Steps to disconnect their laptops from networks if suspected of being infected.
3. How information will be communicated in the event of a significant outage or incident, including how and when the organization will communicate to a user’s private email account.

The incident response exercises revealed the organization did not have documentation of its most sensitive data, where it is located, and who owns it. To bolster ransomware awareness, SecurityScorecard advised completing a revision of the organization’s data classification policy to ensure users apply data classification labels to files and folders, denoting the sensitivity of the information they contain.

For a long term solution to protecting data with isolated backup storage, SecurityScorecard suggested migrating data to Google Workspace, which has enhanced data loss prevention policies that help prevent threat actors from exfiltrating data. The security and IT team could then layer on more granular access controls on top of Google Workspace, as needed.

The organization had a mature understanding of how a ransomware incident could impact operations and incur costs, however, it did not have a documented process to quantify the cost of an incident. SecurityScorecard helped to amend its business continuity plan to establish a cost-benefit analysis process for determining whether to pay a ransom. This analysis is based on whether business continuity arrangements could manage and mitigate the costs associated with an incident.