What to do When a Data Breach Occurs
Modernizing Authentication — What It Takes to Transform Secure Access
Data breaches are inevitable these days, which is why having a well-defined incident response plan and team in place is a necessity.
By David Barton
While information security risks have existed for a long time—several U.S. Civil War battles, for instance, were decided by military details secretly obtained by the opposing side—today they bring with them challenging complexities and costly ramifications for businesses.
U.S. consumer cyber-attacks in 2013 had a price tag of $38 billion, according to the 2013 Norton Cybercrime Report by ZDNet and USA TODAY. Hackers today have become savvier, and are always learning new ways to infiltrate public and private networks. In the corporate realm, employees have ready access to company information and are frequently uninformed about how to detect security threats and prevent data breaches because of a lack of training. That often means a successful cyber-attack of your company is no longer a question of if but when.
As a result of the 2013 data breach at Target, first the CIO, followed by the CEO, resigned in the aftermath of the multi-million dollar disaster that potentially put some 110 million people—a third of the U.S.'s population—at risk of credit risk, financial losses and identity theft. Neiman Marcus, eBay, Snapchat and Sony PlayStation Network are just some of the bigger brands that have recently made headlines due to large-scale data breaches, but countless small and medium-sized businesses have fallen victim to breaches. One result is the conversation in IT is shifting from averting a successful cyber-attack to what to do when a data breach occurs.
Preparing for the Worst
According to the 2014 Cost of Data Breach Study: United States conducted by the Ponemon Institute, the appointment of a Chief Information Security Officer and the involvement of business continuity management in the incident response process decreased the costs of a data breach per compromised record by $10 and $13, respectively.
However, the most significant cost reductions for organizations came from having a strong security posture, which reduced the average cost of a data breach by $21 per compromised record, and an incident response plan, which cut the cost by $17 per compromised record. These findings emphasize the financial importance of being prepared for a breach.
The starting point in planning for a data breach is having an incident response plan (IRP) in place to ensure appropriate action when needed. An effective IRP will address preventative controls, timely detection of potential problems and rapid response to a data breach. The key components of a well-defined IRP include:
1. Incident Response Team
Select individuals from different departments that will be involved when a data breach occurs, such as executive management, IT, HR, public relations, legal and operations. Identify the roles each incident response team member will play and ensure they have the authority to execute the required actions.
2. Data Classification
The organization’s incident response strategy takes into account the type of data compromised by the breach in determining its response efforts and activities. Categorize data so employees know how to handle various types of information. Levels can include “public/non-classified,” “internal use only” and “confidential.” Next, focus on protecting the most confidential data.
3. Communication Plan
A comprehensive communication plan involves more than maintaining a current contact list of incident response team members, system support personnel and external service providers. The organization should also plan what message it wants to convey and to whom it will communicate internally and externally after a data breach. Include an alternative plan when the normal notification process is pre-empted.
Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur. Incident response team members should be well versed in how to appropriately evaluate, respond and manage security incidents. Even if not directly involved in the incident management process, all staff should understand the company’s overall breach response plan so that their actions support, not hinder, breach response efforts.
The IRP should be thoroughly and continuously tested in advance of an actual data breach to help identify process gaps and provide assurance that the plan will be effective when needed.