Sekhar-Bio

Data Breaches: Incident Response Planning – Part 2

Incident Response Planning – Part 2

Continued from Part 1… As an estimated 50 million consumers were yet to be informed more than a month after the breach discovery, a Senate health committee had to intervene. But that wasn’t the end of Anthem’s missteps — it took customer's days after calling a dedicated phone line to receive a call back…

What Post-Breach Response ‘Should’ Have Looked Like

As Verizon so aptly observed in its soldier analogy, it’s challenging to defend your perimeter if you don’t know what to expect. There’s no doubt that some of the incident-response scenarios that played out in the public eye would have been different if the companies had been better prepared to not just address a breach but also plan for the right type of scale.

In eBay’s case, for example, knowing that there is no such thing as a foolproof security might have led them to an “assume compromise” philosophy. Which means having a clear understanding of where the data resides, and what risk each category of data is exposed to, based on what systems are compromised. Refusing to give an estimate a week after a breach is the first ingredient in the recipe of a PR disaster.

Socil Media

(Image Source: Shutterstock)

Social Media Voice

The second ingredient in that recipe is ignoring your own social media channels — eBay’s reaction should have been immediate in urging customers to change passwords, with a promise of more information to come as soon as details were available. One component of a communications plan in a crisis like a data breach is a handful of pre-approved templates, with ready-to-go messaging, that can be immediately disseminated to stakeholders. These messages need not alarm customers but should be transparent in stating that a potential breach was being investigated and that as a precaution customers should change passwords for their protection.

Another channel that eBay should have quickly used was its own website — and not by posting confusing, hard-to-see banners. That same collection of templates in the crisis communication plan should have had a succinct but transparent message about a potential breach and what the company was doing to secure the customer’s information.

The great thing about a well-thought-out plan is that it involves various internal and external teams, not just IT or PR but everyone from legal to risk. In the heat of the moment, it’s hard to know which teams should be activated — but with advance planning, this “all hands on deck” scenario will unfold much smoother.

Basic Elements of an Incident-Response Plan

Even with the increased awareness about cybersecurity risk at the BOD and C-suite level, organizations are still lagging in planning for breaches. In its an annual Global Information Security Survey, EY found that of the 1,755 executives who responded, only 43 percent had formal incident response programs for their organizations. Worse yet, only 7 percent of those that had plans integrated a comprehensive approach that included third-party vendors, law enforcement and playbooks. Much work remains to be done in this regard.

hacks

Let’s look at some basic components of a plan and rewrite the Anthem response scenario to show how things could have played out differently.

  1. Start with an inventory of data — what types of data your company collects, processes and stores; where it’s stored and how it’s transmitted; who has access both in-house and at third-party contractors, and so on. In our Anthem scenario, with a precise inventory, the insurance provider would know immediately that among the impacted stakeholders are third-party customers, and the risk would be communicated to stakeholders accordingly.
  1. Outline your procedures for monitoring access and conduct regular audits. While monitoring may be mostly an IT concern, it should be spelled out in your plan because it involves cross-company functions and it’s one of the steps that determines the extent of your breach.

Take advantage of the built-in cybersecurity capability of vendors like Salesforce, which not only offers robust security but also provides training for your employees.

  1. Secure the infrastructure. This goes hand in hand with inventorying and monitoring. It should already be part of your daily IT routine but should also be integrated into the master response plan, with additional post-breach steps such as contacting outside forensic investigators.
  1. Create your crisis-communications plan. As previously discussed, this plan should include exact messaging, pre-approved and ready to go with a few “fill in the blank” areas, for different types of incidents. This should also include the categories of recipients for the communications, the delivery schedule and dissemination vehicles (typically more than one channel).

Based on this plan, in the case of the ideal Anthem response, a process would be in place to reach not only its 80 million employees and customers but also its various associates, like Blue Cross and Blue Shield, who were also compromised. Additionally, the digital media team would go all-hands-on-deck to update website and social media information, monitor social channels and respond to common questions and concerns. Plus, an external vendor would be activated temporarily to fill a 24/7, designated customer service center fielding calls related to the breach and signing up customers for credit monitoring.

  1. Assess the legal risks. These are not just based on government regulations and other legal obligations. The possibility of lawsuits is very real, and your post-breach actions can add fuel to the fire if not properly executed. It’s a good idea to engage not just your regular counsel but an outside firm that specializes in breaches, and begin that engagement in the planning stage. This will allow you to begin your public disclosure and mitigation immediately instead of waiting to start a process.

This list is just a basic starting point. Incident-response plans are highly tailored to the individual organization, but best practices should be used when developing them. Not unlike a marketing plan or HR hiring manual, this plan is an important tool that helps address your organization’s success. When a breach happens, you’re likely not going to be less stressed with a plan in hand, but you will know exactly how to proceed without second-guessing your actions and missing critical steps.

By Sekhar Sarukkai

Sekhar Sarukkai

Sekhar Sarukkai is a Co-founder and the Chief Scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security, and cloud services development.

View Website

CONTRIBUTORS

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

DDoS Attacks October 21st, 2016 went into the annals of Internet history for the large scale Distributed Denial of Service (DDoS) ...
Countdown to GDPR: Preparing for Global Data Privacy Reform

Countdown to GDPR: Preparing for Global Data Privacy Reform

Preparing for Global Data Privacy Reform Multinational businesses who aren’t up to speed on the regulatory requirements of the European ...
How Big Data Can Empower Native Ads

How Big Data Can Empower Native Ads

Empower Native Ads The realm of big data is expanding an astonishing rate, and its presence can be felt across ...
Why ‘Data Hoarding’ Increases Cybersecurity Risk

Why ‘Data Hoarding’ Increases Cybersecurity Risk

Data Hoarding The proliferation of data and constant growth of content saved on premise, in cloud storage, or a non-integrated ...
Cyber Security Tips For Digital Collaboration

Cyber Security Tips For Digital Collaboration

Cyber Security Tips October is National Cyber Security Awareness Month – a joint effort by the Department of Homeland Security ...
Safeguarding Data Before Disaster Strikes

Safeguarding Data Before Disaster Strikes

Safeguarding Data  Online data backup is one of the best methods for businesses of all sizes to replicate their data ...
What’s Next In Cloud And Data Security For 2017?

What’s Next In Cloud And Data Security For 2017?

Cloud and Data Security It has been a tumultuous year in data privacy to say the least – we’ve had ...
Cloud Services Are Vulnerable Without End-To-End Encryption

Cloud Services Are Vulnerable Without End-To-End Encryption

End-To-End Encryption The growth of cloud services has been one of the most disruptive phenomena of the Internet era.  However, ...
The Five Rules of Security and Compliance in the Public Cloud Era

The Five Rules of Security and Compliance in the Public Cloud Era

Security and Compliance  With technology at the heart of businesses today, IT systems and data are being targeted by criminals, ...
What You Need To Know About Choosing A Cloud Service Provider

What You Need To Know About Choosing A Cloud Service Provider

Selecting The Right Cloud Services Provider How to find the right partner for cloud adoption on an enterprise scale The ...

NEWS

U.S. IT Sector Employment Expands by 8,100 Jobs in November, CompTIA Analysis Reveals

U.S. IT Sector Employment Expands by 8,100 Jobs in November, CompTIA Analysis Reveals

DOWNERS GROVE, Ill., Dec. 8, 2017 /PRNewswire-USNewswire/ -- New hiring in computer and electronics manufacturing and technology services and custom ...
Hackers shut down infrastructure safety system in attack: FireEye

Hackers shut down infrastructure safety system in attack: FireEye

Hackers shut down infrastructure safety system (Reuters) - Hackers likely working for a nation-state recently penetrated the safety system of ...
Deloitte TMT Predictions: Machine Learning Deployments, On-Demand Content and Live Events Will Continue to Drive Growth

Deloitte TMT Predictions: Machine Learning Deployments, On-Demand Content and Live Events Will Continue to Drive Growth

NEW YORK, Dec. 12, 2017 /PRNewswire/ -- Deloitte forecasts double digital growth in machine learning deployments for the enterprise, an increasing worldwide ...