The Right Way to Respond to a Data Breach

Image

Cybersecurity has become a board level discussion, and worries about cybersecurity breaches are part of what keeps C-suite execs and BOD members up at night. So much so that many organizations have started to adopt the mentality that they’ve likely been breached already and they just don’t know it yet. It’s what’s known as the “assume breach” mentality, which treats a data breach not as an “if” but “when.” It’s clear that cybersecurity is no longer solely in the domain of IT departments—it’s a business-critical part of an organization. This was most evident in the aftermath of the Sony hack, as employees found it impossible to do their day-to-day jobs due to the depth of the breach. As the frequency and severity of breaches have grown, so have their cost. In IBM/Ponemon’s 2016 Cost of Data Breach Study, it was reported that the cost per stolen record increased from the previous year, with the real cost coming in the form of lost business. The study found the average cost of a breach to be $7.1 million for U.S companies and $4 million globally. Interestingly, the report discovered that having an incident response plan and a team to handle incident response decreased the cost per lost record by $16, from $158 to $142, which was the top factor in mitigating the cost of a data breach.

INCIDENT RESPONSE PLANNING IS NO LONGER OPTIONAL

The last thing an organization needs when they’ve experienced a breach is to frantically try to perform damage control amidst the chaos that usually follows such events. Those organizations who aren’t prepared to respond to a breach will compound the damage and eventual fallout. For this reason, organizations need to thoroughly document the steps and identify the teams that will be activated when a breach is discovered. The teams will be responsible for, amongst other things, how and when to inform affected parties, what to tell reporters and regulators, and how to remove the intruder and patch the vulnerability that caused the breach. Just looking at the scale of the data breaches, like the one Target experienced a couple of years ago, should be a reminder of why organizations should have an incident response plan that includes practice runs and drills. Unfortunately, incident response planning is still something that’s lacking in a lot of organization. In Ernst & Young’s 2015 Global Information Security Survey, only 43% of respondents said they had a formal incident response program, while only 7% stated that they had a comprehensive plan that included third-party vendors, law enforcement and tabletop exercises.

LESSONS LEARNED FROM PAST MISTAKES

Target has the unenviable position of being the poster child for suffering a massive data breach and having a less-than-stellar response. The mistakes made by the mega retailer have been parsed and analyzed over the years, with some arguing that a few things should have been done differently. When it comes to data breach response, open, honest/accurate and timely communication is key. Target could have saved itself a lot of pain had it been the first one to break the news to its customers. Instead, investigative journalist Brian Krebs ended up breaking the news when he noticed a cache of credit card numbers for sale on the darknet with one thing in common: they had all been used at a Target recently. Target, however, should be credited for having had cybersecurity insurance. Anthem was another breach that could have used accurate and prompt communication. It waited too long to alert its customers and had to increase the estimated number of records breached from 37.5 million to 78.8 million. Anthem is a good case study that highlights the sheer difficulty of having a successful incident response. Early communication, though a cornerstone of a solid incident response, must be accompanied by accurate assessment of the scope of the breach—something that can prove impossible to achieve. On the flip side exist companies who earned high marks for their data breach response. Adobe is one such company that faced a unique kind of breach and got away relatively unscathed. Unlike most breaches that aim to steal consumer data to sell to the highest bidder, Adobe had both its customer information and portions of its product source code stolen. This posed a difficult challenge in that Adobe had to scour its product to make sure there weren’t any zero-day vulnerabilities that could be exploited. According to Adobe CEO Brad Arkin, Adobe spent months doing forensic investigation of its product and held meetings “every four hours for forensic updates.” Adobe was quick to notify its customers of the breach and sent out several password-reset emails to its user base. Home Depot also earned high marks for its breach response. Home Depot’s breach had a lot in common with the Target breach. Both retailers had their customer’s credit card information stolen as customers swiped their cards at the checkout stand; both were hacked through a third-party vendor that installed a malware; and both were targeted during the most important shopping season for their industry (spring and summer for Home Depot and holiday season for Target). Home Depot didn’t face nearly the same amount of criticism as Target, in large part because whereas Target waited a week to inform customers, Home Depot notified its customers even before they had fully confirmed the breach.

WHAT ARE SOME OF THE BASIC ELEMENTS OF AN INCIDENT RESPONSE PLAN?

There are a few must-haves in an incident response plan:

1. Data inventory

Know what type of data is being collected, processed and stored, as well as where it’s being stored and who has access to it. Categorize the data according to the level of sensitivity and the applicable internal and external compliance requirements that apply to it. Migrating to the cloud? Know where sensitive data will be stored and who will have access to it, along with other best practices around cloud security when migrating data to the cloud.

2. Monitor access and audit

While monitoring usage falls in the domain of the IT department, the incident response plan should include an outline of the procedures for monitoring access and conducting regular audits. It’s not uncommon to find organizations who fail to delete accounts of users who no longer work at the company or who give the same level of access to sensitive documents across a large swath of internal/external users.

3. Be aware of compliance requirements

The healthcare (HIPAA) and financial services (PCI-DSS, SOX, GLBA) industries are two of the most regulated industries when it comes to data privacy and security. But there are other regulations that may impact others, such as the education sector (FERPA) or federal government (FISMA, FIPS). It’s important to know the requirements for each and the steps they recommend to take in the case of a data breach. HIPAA, for example, requires organizations to report a breach to the press if it impacts more than 500 patient records.

4. Assess legal risks

Most large data breaches inevitably lead to a drawn-out and expensive class-action suit. You should have a short list of legal agencies that specialize in data breach response and put in place contractual agreements, so that you can activate these agencies at a moment’s notice.

5. Build a crisis communication plan

This is likely the most important part of incident response. The plan should include teams and assigned team leaders from each department (PR, legal, marketing, etc.) that will be responsible for communicating the incident both internally and with outside stakeholders. It might also help to have contractual agreements with outside agencies specializing in data breaches who will handle communication, including drafting/mailing letters, speaking with press and contacting law enforcement authorities. The key to a successful plan will be team members and third-party partners knowing what they need to do ahead of time. For this reason, crisis communication should be practiced regularly. About the Author: Ajmal Kohgadai is an associate product marketing manager at Skyhigh. He combines product marketing, database marketing, content creation, advertising, and analytics. He generally splits time between finding new ways of educating the business community about mobile marketing, while trying to understand the profound and irreversible impact mobile technology is having on society. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.