How to Deal Intelligently With Data Breaches
By Steve Durbin | Posted 01-12-2015
Data breaches are happening with greater frequency and are compromising larger volumes of data than ever before. As data breaches continue, and the number of compromised records grows, organizations are being subjected to stronger financial penalties, greater legislative and regulatory scrutiny, and tangible reputational damage. For organizations that suffer an incident, responding in an intelligent and confident manner is essential.
Given today’s fully connected business environment, how can organizations protect themselves and their customers, while safeguarding or even increasing business value? Furthermore, what are some of the most significant obstacles they must overcome with data breach prevention and response?
The answer is simple. Organizations of all sizes need to plan, rehearse and modify their information security protection on a continuous basis, as we already see many companies doing with their business continuity plans. This will provide the opportunity to see what the organization is doing well, and how it can do better, as it prepares for the inevitable breach.
Preventing a Data Breach
Today's reality is that organized criminals, malicious hackers and disgruntled insiders pose the majority of threats to most private-sector organizations. It is also true that for preventing, detecting and responding to data breaches, implementing basic security measures will go a long way toward mitigating the majority of risks.
So how exactly do we define data breach prevention?
Data breach prevention is based on the premise that it is possible for an organization to increase an adversary’s "work factor" to such a degree that malicious activity becomes unprofitable, and attackers move on to easier targets. Basic technical preventative measures are popular because they scale easily and are more reliable than employing a person for the same task.
However, the human factor still has a role to play. There are a wide range of motivations for malicious actors, and without investment in measures such as threat intelligence, an organization could easily spend too much or too little time and money on prevention.
Some organized crime threat actors have capabilities that are equal to nation state intelligence agencies and will be capable of overcoming nearly any private sector attempts at information security. In addition, their ability to operate globally and have an ever-increasing range of targets continues to improve.
In my experience, supply chain security always rises toward the top of the discussions I have, and it is clear that weaknesses here are prevalent and persistent. This was demonstrated by the Target data breach in which attackers compromised vendor credentials to access the retailer’s internal networks. Such oversights in managing third parties—and the complexity associated with managing what can be many thousands of suppliers—are often beyond the ability of any individual or department to fully handle.
The Information Security Forum (ISF) has looked at supply chain security and offered guidance such as the Supply Chain Assurance Framework (SCAF) to assist our members in the procurement phase of a supplier relationship. These basic measures address the initial element of complexity, but not all procurement will be done with such rigor, and poor supplier security will continue to result in regular data breaches.
Responding to a Data Breach
Many organizations realize that incidents can occur regardless of precautions, so they seek to respond to breaches in a resilient and professional manner. However, these capabilities are often lacking, and the resulting disorganization damages customer trust, brand value and, ultimately, reputation.
Response is harder than prevention and detection because it forces interaction between a wide range of internal organizational stakeholders and external stakeholders, such as shareholders, customers, vendors and regulators. This can create significant coordination and communication problems. In addition, these interactions take place in a high-pressure, time-poor environment, where the commercial and professional stakes are high and tolerance for error is low.
So how can information security demonstrate business value when responding to a data breach, and what are the key organizational capabilities to have in place: technical, procedural, people and political? Follow these three simple steps:
• Develop a plan.
• Practice the plan.
• Respond decisively.
Managing the Message
Due to the ever-increasing velocity of the 24/7 news cycle, it has become virtually impossible for organizations to control the public narrative around an incident. Responding to unwelcome information released on someone else’s terms is a poor strategy, and a defensive posture plays poorly with customers whose personal details have just been compromised.
Preparation is essential. This can be done through inter-departmental scenario planning that tests the organization’s media and customer response strategy. Creating and testing response plans may also attract interest from senior management, particularly if their organization, or a competitor, has suffered an incident where they suffered reputational damage. This is an opportune moment to demonstrate the business benefits of a coherent response plan.
This perspective—that disclosure will be more damaging than the data theft itself—is a guaranteed way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments.
The lesson that we tell our members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. This is particularly true as breaches are happening with greater frequency and as the general public pays greater attention to information security.
In the end, messaging should be about creating transparency, both within the organization and with the public. The organization should be seen to communicate in an ethical and trustworthy manner. This is not the time to treat communication as a PR opportunity, to attempt to pull the wool over people's eyes, or to draw down a veil of silence. Organizations need to communicate effectively throughout the incident (and afterwards) in an honest and transparent manner about the breach, its impact, what the organization is doing to address that impact, and what the customer base should be doing.
Data breaches have become a regular feature of modern life, and one that will have affected most of us by now. This will continue as long as efficiency and ease of data access trump security—a state of affairs that makes economic sense for many organizations, at least until they suffer their own data breach. Once a breach happens, the value of security as a business enabler becomes clearer.
The real difficulty lies in acknowledging that breaches are inevitable, and that resources invested in advance can pay dividends when a crisis occurs. It takes maturity for an organization to recognize that it cannot control the narrative after a breach becomes public, and that leadership involves being honest and transparent with customers to maintain credibility in difficult circumstances.
A robust data breach response begins before things go wrong. It includes developing a plan, regular scenario planning, taking decisive action and managing the message. These actions will involve a wide range of internal stakeholders, and also may require the services of external crisis management and media experts. Once a breach happens, swift decision making requires accurate data.
For the individuals who have ultimate responsibility for dealing with data breaches (the chief information security officer (CISO), CIO or equivalent role), the primary challenge lies in setting expectations and establishing credibility. This comes through consistent and clear-headed action, in both the easy and difficult moments.
In a world where data breaches are becoming all too common, organizations that produce an imaginative and credible response will certainly have an advantage over those that are slow and confused, and this will translate to tangible business value. With the speed and intricacy of the threat landscape changing on a daily basis, far too often we’re seeing businesses being left behind, sometimes in the wake of both reputational and financial damage.
Organizations need to take stock now in order to ensure that they are fully prepared and engaged to deal with these ever-emerging security challenges—before it’s too late.
Steve Durbin is the managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was a senior vice president at Gartner.