Incident Response Planning – Part 2
Continued from Part 1… As an estimated 50 million consumers were yet to be informed more than a month after the breach discovery, a Senate health committee had to intervene. But that wasn’t the end of Anthem’s missteps — it took customers days after calling a dedicated phone line to receive a call back…
What Post-Breach Response ‘Should’ Have Looked Like
As Verizon so aptly observed in its soldier analogy, it’s challenging to defend your perimeter if you don’t know what to expect. There’s no doubt that some of the incident-response scenarios that played out in the public eye would have been different if the companies had been better prepared to not just address a breach but also plan for the right type of scale.
In eBay’s case, for example, knowing that there is no such thing as foolproof security might have led them to an “assume compromise” philosophy. That means having a clear understanding of where the data resides, and what risk each category of data is exposed to, based on what systems are compromised. Refusing to give an estimate a week after a breach is the first ingredient in the recipe for a PR disaster.
Social Media Voice
The second ingredient in that recipe is ignoring your own social media channels — eBay’s reaction should have been immediate in urging customers to change passwords, with a promise of more information to come as soon as details were available. One component of a communications plan in a crisis like a data breach is a handful of pre-approved templates, with ready-to-go messaging, that can be immediately disseminated to stakeholders. These messages need not alarm customers but should be transparent in stating that a potential breach is being investigated and that, as a precaution, customers should change passwords for their protection.
Another channel that eBay should have quickly used was its own website — and not by posting confusing, hard-to-see banners. That same collection of templates in the crisis communication plan should have had a succinct but transparent message about a potential breach and what the company was doing to secure the customer’s information.
The great thing about a well-thought-out plan is that it involves various internal and external teams, not just IT or PR but everyone from legal to risk. In the heat of the moment, it’s hard to know which teams should be activated — but with advance planning, this “all hands on deck” scenario will unfold much more smoothly.
Basic Elements of an Incident-Response Plan
Even with the increased awareness about cybersecurity risk at the BOD and C-suite level, organizations are still lagging in planning for breaches. In its annual Global Information Security Survey, EY found that of the 1,755 executives who responded, only 43 percent had formal incident response programs for their organizations. Worse yet, only 7 percent of those that had plans integrated a comprehensive approach that included third-party vendors, law enforcement and playbooks. Much work remains to be done in this regard.
Let’s look at some basic components of a plan and rewrite the Anthem response scenario to show how things could have played out differently.
- Start with an inventory of data — what types of data your company collects, processes and stores; where it’s stored and how it’s transmitted; who has access both in-house and at third-party contractors, and so on. In our Anthem scenario, with a precise inventory, the insurance provider would know immediately that among the impacted stakeholders are third-party customers, and the risk would be communicated to stakeholders accordingly.
- Outline your procedures for monitoring access and conduct regular audits. While monitoring may be mostly an IT concern, it should be spelled out in your plan because it involves cross-company functions and it’s one of the steps that determines the extent of your breach.
Take advantage of the built-in cybersecurity capability of vendors like Salesforce, which not only offers robust security but also provides training for your employees.
- Secure the infrastructure. This goes hand in hand with inventorying and monitoring. It should already be part of your daily IT routine but should also be integrated into the master response plan, with additional post-breach steps such as contacting outside forensic investigators.
- Create your crisis-communications plan. As previously discussed, this plan should include exact messaging, pre-approved and ready to go with a few “fill in the blank” areas, for different types of incidents. This should also include the categories of recipients for the communications, the delivery schedule and dissemination vehicles (typically more than one channel).
Based on this plan, in the case of the ideal Anthem response, a process would be in place to reach not only its 80 million employees and customers but also its various associates, like Blue Cross and Blue Shield, who were also compromised. Additionally, the digital media team would go all-hands-on-deck to update website and social media information, monitor social channels and respond to common questions and concerns. Plus, an external vendor would be activated temporarily to fill a 24/7, designated customer service center fielding calls related to the breach and signing up customers for credit monitoring.
- Assess the legal risks. These are not just based on government regulations and other legal obligations. The possibility of lawsuits is very real, and your post-breach actions can add fuel to the fire if not properly executed. It’s a good idea to engage not just your regular counsel but an outside firm that specializes in breaches, and begin that engagement in the planning stage. This will allow you to begin your public disclosure and mitigation immediately instead of waiting to start a process.
This list is just a basic starting point. Incident-response plans are highly tailored to the individual organization, but best practices should be used when developing them. Not unlike a marketing plan or HR hiring manual, this plan is an important tool that contributes to your organization’s success. When a breach happens, you’re likely not going to be less stressed with a plan in hand, but you will know exactly how to proceed without second-guessing your actions and missing critical steps.
By Sekhar Sarukkai