By Erik Leach, CISSP, SCF
Imagine coming home and finding your house broken into and some of your belongings missing. As you totter from room to room, you would probably feel anger, frustrated, disturbed and a little overwhelmed. At a vulnerable moment such as that, it probably would not be the best time to engage in critical decision making that would most likely prove reactionary. This analogy can be applied to the instance of a data breach.
The discovery of a breach involving personal data records or high value proprietary data can be devastating. How large is the breach? When should we alert those parties involved? How should we involve the media? Should we contact an attorney? These are but some of the questions that will be perpetually floated amongst management immediately following a severe cyber incident. Due to the pressure of the moment however, management sometimes does not make the best of decisions. Some recent examples include the following:
- Uber tried to cover up a data breach that involved 57 million records by paying the hackers $100,000 to delete the data they had confiscated
- Equifax initially charged a fee to freeze the credit of the nearly 150 million people whose information had been compromised by the company’s data breach. The company did later wave the fee into 2018 after outrage by the public at large.
- A number of companies such as Target, Panera Bread and the Security and Exchange Commission took far too long to disclose the breach that they incurred.
This is why it is so important to have an Incident Response Plan. An Incident Response Plan (“IRP”) can help prepare your company for a data breach situation and provide a preplanned strategy to best manage the situation at hand. By doing so, your organization has a complete blueprint that can be followed in a time in which emotions and confusion may run rampant. Here are four important steps to take concerning an IRP.
- Define what an “Incident” is
It may sound too rudimentary, but it is essential that you define and categorize what type of incidents your organization needs to respond to and how. Although any security incident constitutes a threat to the organization, the required response will vary based on the severity of the imposed threat. An incident could involve the detection of someone port scanning your network, suspicious activity detected by a honeypot, a ransomware notification on a desktop or an email from a hacker group informing management that it has stolen your company’s personal data records. You need to approach each situation differently from the outset, as each one constitutes a different level of attention and resources. A well-designed IRP will provide a systematic and documented method of approaching and managing each type of situation.
- Continually Update Your Plan
Cybersecurity is a dynamic science. Cyberattack strategies are continually evolving and new threats are constantly being introduced. For instance, prior to 2014, a company would not have created a strategy to contend with a ransomware attack, as these types of extortions were almost nonexistent. Too often, these types of documented strategies are generic and are made simply to check a box that one has been created. An IRP that lacks definition and clarity will not be especially effective in the case of an actual attack. It is imperative to update your IRP regularly for several reasons such as the discovery of new types of threats and risks to your organization as well as mergers and acquisitions that your company has recently been involved. Simple tasks such as updating personnel lists and contact information can eliminate potential confusion for times in which effective communication is essential.
- Define roles throughout and outside of your organization
Although the discovery of an unauthorized port scan may initially only involve a technical response, an incident response of a full-blown data breach does not rest solely on the backs of the IT and Security departments. The responsibility for a data breach goes all the way to the top levels of an organization and it is C-level management that will be the face of a company’s IR. There should also be a predefined IR Team that will know to go into crisis level management and begin overseeing the required steps outlined in the IRP. This team will be highly dependent on the efforts of IT and cybersecurity personnel to carry out the outlined strategies to determine the scope severity of an attack. The contact information and roles of any outside personnel such as public relation or legal teams must be included as well.
- Test, test and test again
Just as your last backup is no good unless you test it, your cybersecurity IRP is no good unless you test it as well. Running practice drills will help identify potential shortcomings that can then be addressed and reevaluated. Just as an NFL team prepares each week for a new opponent with effective practice sessions, your organization must test your IRP as changes and modifications are implemented. It is important that everyone involved in the IRP are comfortable with his or her role as the stress level and confusion experienced during the aftermath of publicized incident will make it more difficult to operate.
You only have one bite at the apple once a data breach has occurred so it is imperative to be fully prepared to act confidently, quickly and decisively. In the end, a data breach is no different from any other type of emergency – those who are prepared will best prevail.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security throughout the US.