WEBVTT

1
00:00:00.000 --> 00:00:02.220
In this lesson, we are going to learn

2
00:00:02.220 --> 00:00:04.292
about communication considerations.

3
00:00:04.292 --> 00:00:07.739
Communication considerations include communication

4
00:00:07.739 --> 00:00:10.950
and reporting, both of which are crucial

5
00:00:10.950 --> 00:00:13.530
for effective security program management.

6
00:00:13.530 --> 00:00:16.740
Clear communication ensures that important information

7
00:00:16.740 --> 00:00:19.601
about security incidents, compliance status,

8
00:00:19.601 --> 00:00:22.590
and risk assessments is accurately shared

9
00:00:22.590 --> 00:00:26.371
with both internal teams and external stakeholders.

10
00:00:26.371 --> 00:00:28.774
Timely and well-detailed reporting

11
00:00:28.774 --> 00:00:32.440
helps decision makers respond quickly to potential threats,

12
00:00:32.440 --> 00:00:35.446
make informed choices, and maintain compliance

13
00:00:35.446 --> 00:00:37.850
with regulatory requirements.

14
00:00:37.850 --> 00:00:41.004
By prioritizing strong communication and reporting,

15
00:00:41.004 --> 00:00:44.730
organizations can better protect their systems and data

16
00:00:44.730 --> 00:00:48.060
while keeping all relevant parties informed.

17
00:00:48.060 --> 00:00:51.480
In 2017, the Equifax data breach

18
00:00:51.480 --> 00:00:53.940
highlighted a significant failure

19
00:00:53.940 --> 00:00:55.875
in security program management,

20
00:00:55.875 --> 00:00:59.400
particularly in communication and reporting.

21
00:00:59.400 --> 00:01:02.850
Equifax, one of the largest credit-reporting agencies,

22
00:01:02.850 --> 00:01:06.190
experienced a breach that exposed the personal information

23
00:01:06.190 --> 00:01:09.810
of over 147 million people.

24
00:01:09.810 --> 00:01:13.260
The breach occurred due to an unpatched vulnerability

25
00:01:13.260 --> 00:01:14.880
in Apache Struts.

26
00:01:14.880 --> 00:01:18.390
Apache Struts is a web application framework

27
00:01:18.390 --> 00:01:21.870
used to build Java-based web applications.

28
00:01:21.870 --> 00:01:26.870
The Apache Struts vulnerability is known as CVE-2017-5638.

29
00:01:29.490 --> 00:01:33.390
Though the vulnerability was known, Equifax did not apply a patch

30
00:01:33.390 --> 00:01:37.960
for over four months, resulting directly in the data breach.

31
00:01:37.960 --> 00:01:39.840
Once the breach was discovered,

32
00:01:39.840 --> 00:01:43.529
Equifax delayed notifying the public for six weeks,

33
00:01:43.529 --> 00:01:47.610
preventing affected individuals from taking immediate steps

34
00:01:47.610 --> 00:01:49.590
to protect their data.

35
00:01:49.590 --> 00:01:53.580
Additionally, a lack of timely internal communication

36
00:01:53.580 --> 00:01:57.210
meant that key decision makers were not informed promptly,

37
00:01:57.210 --> 00:02:00.420
further delaying the company's response to the breach.

38
00:02:00.420 --> 00:02:03.960
This failure in both communication and reporting

39
00:02:03.960 --> 00:02:06.660
not only worsened the impact of the breach,

40
00:02:06.660 --> 00:02:09.360
but it also damaged the company's reputation

41
00:02:09.360 --> 00:02:14.340
and resulted in a legal settlement of $575 million

42
00:02:14.340 --> 00:02:18.210
that included payment of up to $425 million

43
00:02:18.210 --> 00:02:21.090
to persons affected by the breach.

44
00:02:21.090 --> 00:02:24.090
Now, let's explore communication and reporting

45
00:02:24.090 --> 00:02:27.180
as they relate to security program management.

46
00:02:27.180 --> 00:02:29.760
Communication is a vital component

47
00:02:29.760 --> 00:02:32.870
of security program management because it ensures

48
00:02:32.870 --> 00:02:35.299
that crucial information about risks,

49
00:02:35.299 --> 00:02:38.940
incidents, and responses is efficiently shared

50
00:02:38.940 --> 00:02:42.780
throughout an organization and with relevant stakeholders.

51
00:02:42.780 --> 00:02:46.031
Clear, timely communication enables security teams

52
00:02:46.031 --> 00:02:49.739
and decision makers to take rapid, coordinated actions

53
00:02:49.739 --> 00:02:52.020
during security events.

54
00:02:52.020 --> 00:02:55.470
Let's consider an example of effective communication

55
00:02:55.470 --> 00:02:57.210
during a security incident

56
00:02:57.210 --> 00:02:59.700
at a fictitious financial institution.

57
00:02:59.700 --> 00:03:03.420
Upon detecting a phishing attack targeting their employees,

58
00:03:03.420 --> 00:03:06.145
the incident response team immediately notifies

59
00:03:06.145 --> 00:03:08.245
IT management, senior leadership,

60
00:03:08.245 --> 00:03:10.710
and all affected employees

61
00:03:10.710 --> 00:03:13.530
using established communication channels.

62
00:03:13.530 --> 00:03:16.950
Employees receive clear instructions on how to recognize

63
00:03:16.950 --> 00:03:20.550
and avoid future phishing attempts, while management

64
00:03:20.550 --> 00:03:23.365
is kept informed with regular updates on the status

65
00:03:23.365 --> 00:03:26.430
of the phishing attack and containment efforts.

66
00:03:26.430 --> 00:03:28.626
Meanwhile, the public relations team

67
00:03:28.626 --> 00:03:31.170
prepares for external communication

68
00:03:31.170 --> 00:03:34.320
anticipating the need for a public statement.

69
00:03:34.320 --> 00:03:37.349
This swift, organized communication strategy

70
00:03:37.349 --> 00:03:40.590
allows the phishing attack to be addressed promptly,

71
00:03:40.590 --> 00:03:43.740
minimizing potential damage to the organization

72
00:03:43.740 --> 00:03:46.530
and maintaining trust with stakeholders.

73
00:03:46.530 --> 00:03:49.380
Next, reporting is a critical aspect

74
00:03:49.380 --> 00:03:51.210
of security program management,

75
00:03:51.210 --> 00:03:54.870
ensuring that essential details about security incidents,

76
00:03:54.870 --> 00:03:57.870
risks, and compliance status are documented

77
00:03:57.870 --> 00:04:00.209
and shared with relevant stakeholders.

78
00:04:00.209 --> 00:04:03.079
Accurate and timely reporting helps decision makers

79
00:04:03.079 --> 00:04:05.849
act swiftly, address potential threats,

80
00:04:05.849 --> 00:04:08.820
and maintain regulatory compliance.

81
00:04:08.820 --> 00:04:10.918
Failure to provide thorough reports

82
00:04:10.918 --> 00:04:14.837
can lead to delayed responses and unchecked vulnerabilities,

83
00:04:14.837 --> 00:04:18.120
potentially worsening a security incident.

84
00:04:18.120 --> 00:04:21.900
For example, the Uber 2016 data breach

85
00:04:21.900 --> 00:04:25.380
is a clear example of a reporting failure

86
00:04:25.380 --> 00:04:27.480
in security program management.

87
00:04:27.480 --> 00:04:32.100
In 2016, malicious actors accessed the personal information

88
00:04:32.100 --> 00:04:34.786
of approximately 57 million users,

89
00:04:34.786 --> 00:04:38.166
including 600,000 customers and drivers

90
00:04:38.166 --> 00:04:39.870
in the United States.

91
00:04:39.870 --> 00:04:43.980
But instead of disclosing the breach, Uber allegedly chose

92
00:04:43.980 --> 00:04:48.950
to pay the attackers $100,000 to delete the stolen data.

93
00:04:48.950 --> 00:04:53.950
The breach wasn't reported until a year later in 2017.

94
00:04:54.060 --> 00:04:57.214
This delay in reporting led to significant fines,

95
00:04:57.214 --> 00:05:00.690
including a $148 million settlement

96
00:05:00.690 --> 00:05:04.080
with state attorneys general in the United States.

97
00:05:04.080 --> 00:05:07.650
Uber's failure to report the breach in a timely manner

98
00:05:07.650 --> 00:05:09.960
worsened the impact of the incident,

99
00:05:09.960 --> 00:05:13.320
leading to greater legal and reputational damage.

100
00:05:13.320 --> 00:05:16.350
So remember, communication and reporting

101
00:05:16.350 --> 00:05:20.460
are essential components of security program management.

102
00:05:20.460 --> 00:05:24.150
Clear communication ensures that information about risks,

103
00:05:24.150 --> 00:05:26.820
incidents, and compliance is effectively shared

104
00:05:26.820 --> 00:05:30.060
with internal teams and external stakeholders.

105
00:05:30.060 --> 00:05:32.490
Clear communication enables a timely

106
00:05:32.490 --> 00:05:34.327
and coordinated response.

107
00:05:34.327 --> 00:05:37.063
Accurate and timely reporting, on the other hand,

108
00:05:37.063 --> 00:05:41.400
helps decision makers assess threats, respond appropriately,

109
00:05:41.400 --> 00:05:44.340
and maintain regulatory requirements.

110
00:05:44.340 --> 00:05:47.040
If reporting failures are delayed,

111
00:05:47.040 --> 00:05:49.620
organizations risk delayed responses

112
00:05:49.620 --> 00:05:51.870
and increased exposure to threats.

113
00:05:51.870 --> 00:05:55.140
So prioritizing both communication and reporting

114
00:05:55.140 --> 00:05:59.760
allows organizations to quickly address security incidents,

115
00:05:59.760 --> 00:06:03.723
minimize damage, and maintain stakeholder trust.

