When an incident occurs, with the amount of technology involved, it is easy to forget the human element. Incident Response is largely a human matter.
Typically, someone has done something malicious, has failed to perform some task, or was unaware of an event. For clients, this is often a frightening event, as an incident could lead to lost client revenue, lost confidence in your organization, and close scrutiny by state and federal regulators. Let’s face it: we’d all like to keep our names out of the newspapers, where our organization’s incident is smeared across the front page.
To handle an incident, it is critical for the organization to work closely and openly with its Incident Response team. This may include interviews, confidential documents, and the release of very sensitive and highly embarrassing information. Fraud, sexual harassment, data theft, and downloads of questionable content are all actions performed by individuals. Often, there is a perpetrator and a victim. The threat may be internal or external to the organization. Also, the act may be malicious or unintentional.
An Incident Response investigator or team member cannot assume any facts when starting an investigation. You learn quickly that in some cases, your client is aware of the situation. In other cases, the organization does not understand what happened or what was lost. However, in nearly all cases, the client is not aware of the full picture, depth, or specifics of the entire incident. The role of the Incident Response team is to provide timely and accurate information, so that management may make the best decisions, help speed remediation, and provide trusted guidance in difficult times.
One of the most difficult aspects for an organization beyond remediation is notification: how to notify customers, partners, and regulators of a data breach, data loss, or incident. Before anything is released, consider carefully whether a notification is necessary, whether it is required by law or by contract, or whether it is offered in good faith. If a notification is required, the organization should release it relatively swiftly, once the details of the event are well defined. The notification should highlight that the organization has a strong technical grasp of the event, accepts responsibility, and has already worked to correct or remediate the root cause. Never hide the truth. Use a breach to show strength by acknowledging the cause and demonstrating the organization’s resolve to protect customer privacy and proprietary information.