What to do When a Data Breach OccursBy Guest Author
What to do When a Data Breach Occurs
By David Barton
While information security risks have existed for a long time—several U.S. Civil War battles, for instance, were decided by military details secretly obtained by the opposing side—today they bring with them challenging complexities and costly ramifications for businesses.
U.S. consumer cyber-attacks in 2013 had a price tag of $38 billion, according to the 2013 Norton Cybercrime Report by ZDNet and USA TODAY. Hackers today have become savvier, and are always learning new ways to infiltrate public and private networks. In the corporate realm, employees have ready access to company information and are frequently uninformed about how to detect security threats and prevent data breaches because of a lack of training. That often means a successful cyber-attack of your company is no longer a question of if but when.
As a result of the 2013 data breach at Target, first the CIO, followed by the CEO, resigned in the aftermath of the multi-million dollar disaster that potentially put some 110 million people—a third of the U.S.'s population—at risk of credit risk, financial losses and identity theft. Neiman Marcus, eBay, Snapchat and Sony PlayStation Network are just some of the bigger brands that have recently made headlines due to large-scale data breaches, but countless small and medium-sized businesses have fallen victim to breaches. One result is the conversation in IT is shifting from averting a successful cyber-attack to what to do when a data breach occurs.
Preparing for the Worst
According to the 2014 Cost of Data Breach Study: United States conducted by the Ponemon Institute, the appointment of a Chief Information Security Officer and the involvement of business continuity management in the incident response process decreased the costs of a data breach per compromised record by $10 and $13, respectively.
However, the most significant cost reductions for organizations came from having a strong security posture, which reduced the average cost of a data breach by $21 per compromised record, and an incident response plan, which cut the cost by $17 per compromised record. These findings emphasize the financial importance of being prepared for a breach.
The starting point in planning for a data breach is having an incident response plan (IRP) in place to ensure appropriate action when needed. An effective IRP will address preventative controls, timely detection of potential problems and rapid response to a data breach. The key components of a well-defined IRP include:
1. Incident Response Team
Select individuals from different departments that will be involved when a data breach occurs, such as executive management, IT, HR, public relations, legal and operations. Identify the roles each incident response team member will play and ensure they have the authority to execute the required actions.
2. Data Classification
The organization’s incident response strategy takes into account the type of data compromised by the breach in determining its response efforts and activities. Categorize data so employees know how to handle various types of information. Levels can include “public/non-classified,” “internal use only” and “confidential.” Next, focus on protecting the most confidential data.
3. Communication Plan
A comprehensive communication plan involves more than maintaining a current contact list of incident response team members, system support personnel and external service providers. The organization should also plan what message it wants to convey and to whom it will communicate internally and externally after a data breach. Include an alternative plan when the normal notification process is pre-empted.
Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur. Incident response team members should be well versed in how to appropriately evaluate, respond and manage security incidents. Even if not directly involved in the incident management process, all staff should understand the company’s overall breach response plan so that their actions support, not hinder, breach response efforts.
The IRP should be thoroughly and continuously tested in advance of an actual data breach to help identify process gaps and provide assurance that the plan will be effective when needed.
What to do When a Data Breach Occurs
Addressing the Human Element
Without a doubt, employees are the weakest link in the security chain. While businesses have done an excellent job during the last decade of improving the process and technology aspects of IT security, many of them have fallen short in properly training their own employees on how to protect company data.
The curious and fallible nature of humans demands that companies train their employees about the appropriate security concerns. Bring your own device (BYOD) also complicates matters as employees create new risks by accessing and storing company data via their own mobile devices including laptops, phones and tablets. Employees must be educated and motivated to think about and understand the possible security risks and consequences associated with their behavior, whether it's clicking on a link in a phishing email or wrongfully using a public Wi-Fi network.
Preparing for the Inevitable
It is critical that an organization be aware of new and emerging security risks and methods, if possible, to address them. Yet, even with all the standard precautions in place, data breaches will continue to happen. Organizations will always be vulnerable, but how they prepare for the inevitable breach can help ease the pain when it occurs. Preventative measures will minimize disruption to customers, operations and productivity, and aggressively managing through the security breach will yield a much more desirable outcome.
About the Author
David Barton is a managing director at UHY Advisors, and leads the Internal Audit, Risk and Compliance practice. He is an expert in information security and technology risk and controls. You can reach him at email@example.com and follow him on Twitter at @ITcontrolsfreak.