Preparing for a data breach
Five steps to take now
In 2014, approximately 75 percent of data breaches worldwide happened to American organizations, and the overall cost to the U.S. economy was estimated at close to $300 billion. From November 2013 to December 2014, 348.16 million records in the U.S. were compromised – enough to affect every U.S. citizen.
These statistics make it clear that it’s increasingly important for organizations to plan and prepare for a breach. Unfortunately, while many organizations are implementing technologies to defend against cybercrime, most aren’t actually prepared for a breach should it happen.
A data breach is the intentional or unintentional release of an individual’s personally identifiable information, or other valuable information such as intellectual property, to an untrusted environment. This type of information is extremely lucrative for cybercriminals, and they will do whatever it takes to obtain it.
When cybercriminals are successful and a data breach occurs, it can be a chaotic and confusing time for many organizations, particularly those that fall short of putting the right security measures in place. Many organizations will expect their IT team to handle all aspects of a breach response. However, there is more to responding to a breach than just containment.
Here are five steps to take to mitigate the potential impact:
• Assemble a dedicated response team: Build a team with defined responsibilities and delegate authority to them. If a data breach does occur, don’t fall into the trap of micromanaging the response team. Let them do what they were trained to do, and remember that the team members were selected for their competency at a time when panic and confusion did not rule the moment.
• Tap key experts for help: To understand your company’s legal and compliance requirements, get your legal counsel involved early. Review your business, E&O and cyber insurance coverage to ensure you are covered for a breach. Look to your public relations team to help with communication and, if necessary, involve a computer forensics firm, as some breaches are too big and complicated to handle on your own. Contact your finance and insurance companies as well as any vendors and/or business partners who may be instrumental in dealing with a breach. Finally, contact local authorities and, if applicable, regulatory boards to notify them of the crime.
• Provide clear communication: Sometimes the containment plan (disconnecting servers, shutting down Internet access or phone systems, taking down websites) can disrupt normal communication paths. Your data breach response strategy should consider a backup plan to communicate with employees, customers or anyone who needs to be involved. Choose the person who will collect and disseminate information, and have them be the single point of contact for all communications. Then, make sure you know with whom you are communicating, what you are telling them, when the right time to make an announcement is, and how it should be communicated.
• Don’t wait for perfect information: While you may want to have all the facts, it is rare that this will happen during a data breach event. Typically, you will have bits of information about the breach, but not enough to paint a full picture. Decisions may need to be made based on the imperfect information in front of you, and waiting too long can make the situation worse. It’s an imperfect process.
• Plan and practice: If you have a plan, blow the dust off and update it, or start one if you don’t. It doesn’t have to be perfect the first time out, but make sure to have one in place. Also, practice it! Get a third party to help you role-play to see how effective it is and where the holes might be. If the situation does arise, your organization will be in a much better position to endure it.
As organizations build their response team and create their plan to respond to a data breach, they also need to be developing a comprehensive security foundation to protect against the numerous techniques cybercriminals use, such as spear phishing, exploiting system vulnerabilities or even social engineering over the phone (also known as vishing). At Systems Engineering, we use the National Institute of Standards and Technology Cybersecurity Framework as a reference for improving critical security infrastructure.