
Does Your Breach Incident Response Plan Have Holes?

The headlines say it all:

  • Chipotle warns of data security breach.
  • Palo Alto Unified School District student data exposed in breach.
  • Scottrade Bank data breach exposes 20,000 customer records.

These are just a few examples of the many data breaches reported in April 2017, affecting nearly 10 million records. According to Identity Theft Resource Center (ITRC) and CyberScout, in 2016, the number of data breaches in the United States reached a record high of 1,093, a 40% increase over the number reported the previous year. Victims included high-profile organizations such as Wendy’s and the Democratic National Committee, with stolen data ranging from individuals’ social security numbers to user account log-in names and passwords.

The three most common types of data breach incidents, in order of frequency, were:

  • Hacking/skimming/phishing attacks (55.5%)
  • Accidental email/internet exposure (9.2%)
  • Employee error (8.7%)

If these statistics seem bad, the actual situation is likely to be even worse. “We are extremely confident that breaches are undiscovered and under-reported, and we don’t know the full scope,” said Eva Casey Velasquez, CEO of ITRC. “This isn’t the worst-case scenario we are looking at; this is the best-case scenario.”

Analysts expect the frequency and severity of data breaches to continue to grow. This will mean increasing costs to businesses. A recent study by IBM/Ponemon found the average cost of a data breach for a U.S. company is $7.01 million.

The study also reported the most important thing an organization can do to reduce the cost resulting from a data breach is to have a breach response plan in place and a team to implement it. Once a plan is established, it should be examined and tested periodically, and revised if necessary. According to a recent study by Experian, 35% of enterprises haven’t reviewed or updated their breach response plan since it was implemented.

If your company doesn’t have an incident response plan in place, now’s the time to start. We’ll examine best practices for creating and auditing a breach incident response plan.

The Response Team
Your organization should have a response team in place before a breach incident occurs. The response team must be able to make decisions without having to waste time getting authorization from management. The team should include:

Incident Response Officer (IRO)
The IRO can be the Chief Privacy Officer or some other senior management executive. In large organizations, the IRO facilitates communication between the incident response team and senior management. The IRO will also serve as the liaison to external partners. The IRO shouldn’t be a member of the IT staff, since they will be involved with restoring the company’s IT infrastructure. A backup person should be designated in case the IRO is unavailable.

IT Personnel
IT personnel who should be part of the response team include employees in the information security and/or IT departments. These team members can assess and contain the damage, perform forensics, recover data, and mitigate the effects of the breach to end users.

Security Personnel
The security team member is concerned with physical security relating to the data breach. This individual will determine any physical damage, examine physical evidence, and secure the area while a forensics investigation is underway.

Legal Counsel
The attorney’s responsibility is to determine if specific evidence can be used if the company decides to take legal action. The attorney can also delineate legal issues relating to the effect the data breach may have on customers and vendors.

Human Resources
The HR department provides advice if an employee is found to be involved in the breach.

Public Relations
The public relations team member will reach out to the media and handle crisis management duties.

Incident Reporting
Employees should have regular reminders of whom to contact if they notice suspicious activity. Notification instructions should specify the preferred method of contact. Since the company’s email system could be compromised in the event of a data breach, contact should be via phone, messaging, or in person.

Documentation
The response team must document the data breach. This should include the dates and times of suspicious events and all communications with outside parties regarding the incident. The following information should be recorded:

  • Which computer systems were affected
  • The origin of the breach
  • Any malware used in connection with the incident
  • The location of remote servers that data may have been sent to
  • The identity of any other known victim organizations
  • Which users are logged on to the system
  • What is connected to the system
  • A list of running processes
  • A list of open ports and connected services and applications
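A script of the kind the response team could keep ready for the volatile items in this list (logged-on users, connected devices, running processes, open ports and their services), written here as an added example rather than anything from the article. It assumes a Linux host with coreutils (sha256sum) and ss or netstat; the directory, file and function names are the example's own.

```shell
#!/bin/sh
# Volatile-data capture for the incident record. Added example, not from the article.
# Each item is written to its own file, and manifest.tsv logs a UTC timestamp, the
# exact command, its exit status and a SHA-256 so the record can later be shown
# unchanged. Assumes Linux with coreutils and, where present, ss or netstat.

# run_cmd NAME CMD...: run one collection command and log it even if it fails
run_cmd() {
    name=$1; shift
    out="$EVIDENCE_DIR/$name.txt"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$@" >"$out" 2>&1; then status=ok; else status="exit=$?"; fi
    sum=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\n' "$ts" "$name" "$status" "$sum" "$*" \
        >>"$EVIDENCE_DIR/manifest.tsv"
}

# collect_volatile DIR: gather the article's list, most volatile items first
collect_volatile() {
    EVIDENCE_DIR=$1
    mkdir -p "$EVIDENCE_DIR"
    run_cmd logged_on_users who -a                           # which users are logged on
    run_cmd running_processes ps -eo pid,ppid,user,etime,args  # list of running processes
    if command -v ss >/dev/null 2>&1; then                   # open ports and owning service
        run_cmd open_ports ss -tulpn
    else
        run_cmd open_ports netstat -tulpn
    fi
    run_cmd network_interfaces ip addr                       # what is connected: network
    run_cmd mounted_devices cat /proc/mounts                 # what is connected: storage
}

# verify_manifest DIR: recompute every hash; non-zero exit if any file changed
verify_manifest() {
    dir=$1; fail=0
    while IFS="$(printf '\t')" read -r ts name status sum cmd; do
        now=$(sha256sum "$dir/$name.txt" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "MISMATCH: $name" >&2; fail=1; }
    done <"$dir/manifest.tsv"
    return $fail
}
```

Run `collect_volatile /path/to/evidence` as soon as the host is isolated, keep the directory read-only afterwards, and rerun `verify_manifest` on the copy handed to counsel or outside forensics to show the files match the manifest.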

Data Breach Remediation
Written policies should be in place to address IT actions that will be necessary in the event of a data breach, including:

  • Monitoring suspicious activities
  • Disconnecting and blocking services
  • Confiscating affected workstations and devices
  • Physically securing the site
  • Contacting external cybersecurity resources
  • Contacting the company’s Internet Service Provider, who can help discover the source of the attack and block it

Outside Partners
Forensic and cybersecurity companies can help restore systems and remove threats. These partners should be documented in the response plan. Creating a pre-breach agreement that specifies a partner’s role in the response plan will ensure the partner is prepared if you need them. Resources should also include legal counsel and applicable law enforcement agencies.

Communications
Once a data breach has been confirmed, the IRO should inform management and explain the steps being taken to repair the damage. Once the breach has been contained and systems are restored, communications should be sent to staff explaining the incident and specifying personnel authorized to respond to inquiries by the public.

Communications should outline:

  • An explanation of the event
  • Steps the company has taken to fix the situation
  • Steps the company will take to prevent future incidents

Clients and business partners may also need to be included in the communications process. Templates addressing the various types of incidents can be prepared in advance.

Testing
Your company’s data breach response plan should be reviewed every six months and modified when necessary. One way to test the effectiveness of the response plan is by conducting a breach simulation exercise that replicates the issues that will arise during a breach. This drill will uncover any problems that need to be tackled.

All members of the response team should be involved with the simulation exercise, as well as outside partners previously defined.

Following the Plan
Following the best practices outlined above will ensure the company is adequately prepared in the event of a data breach. It will allow the business to recover quickly, minimize the effects of the incident, and save money.