2014 was a terrible, horrible, no good, very bad year for cyber attacks. Target’s point-of-sale attack in late 2013 proved to be a common breach theme in 2014, targeting retailers such as Michaels, Kmart, Home Depot, and Neiman Marcus. Attackers also began targeting cloud applications, from Apple iCloud to Salesforce (Zeus variant and Dyreza) to Office 365. The recent Sony Pictures breach also demonstrated attackers’ turn for the malicious, from sending threatening employee emails and demanding ransom to creating malware focused not just on exfiltration but on destroying data.
The costs of a data breach—lost business, damaged reputation or the risk of regulatory action—have never been higher. Yet, while successful breaches occur within minutes and 88% are exfiltrating within those minutes, the discovery of a breach can take weeks or months. Mandiant’s 2014 threat report cites an average of 243 days to discover a breach.
Given the near-certainty that some form an attack or data breach will happen in your organization, it makes sense to consider scenarios and plan for them when it happens. A data breach plan lays out the key steps and the key personnel to involve when a data breach happens, and needs to incorporate the following three elements:
Forensics and evidence collection
The earliest stage of any investigation is forensics. Having third-party forensics assistance on hand, or having those skillsets internally within the company is essential. Similar to trauma response, or crime scene investigations, this stage is the most critical. Preparedness, training and a well thought-of plan can contain the damage and determine the scope of the breach. The work by forensics teams can limit the damage before evidence is lost or compromised, and collect essential data required for the hard work of analysis. As information about the breach is collected, law enforcement agencies may need to be notified within a specific timeframe.
Forensics teams no longer serve just in post-incident response. As part of a continuous monitoring security framework, forensics teams can proactively look for possible risks in the network.
Identifying regulatory mandates impacted
In conjunction with step 1 above, it is critical to understand the regulatory compliance mandates that are impacted by the data breach. Almost every state in the US, and EU government entity has data privacy and regulatory compliance mandates, which typically requires appropriate disclosure when consumer information or corporate information is exposed.
This is where the legal teams within the organization become an essential part of the data breach plan. They are a required partner to the security team to navigate the myriad of laws, responsible disclosure requirements and any monetary compensation or fines due to the data breach. The laws differ greatly from state to state, country to country. In the United States, considerations are being made for a national data breach law to ensure consistency in disclosure of attacks.
Lawsuits relating to cyberattacks can drag on for years, and have already been filed for high profile breaches like in the case of Target.
Managing notification of breach
Any data breach leaves a bad taste in the mouth for all customers whether or not they are impacted. Part of the data breach plan must include the specific steps to notify anyone who may be impacted, but doing it in a way that adequately addresses their concern. This includes training call center personnel, creating a specific call center line to address calls related to the breach, and offering credit monitoring services.
Cybersecurity insurance may help not only to offset costs and liabilities from data breach incidents but also provide contracting services that address forensics, data breach notification, credit monitoring. A robust cybersecurity insurance provider may help promote the adoption of preventative cybersecurity measures that can reduce the number of cyberattacks. Of course, the key to preventing these data breaches is via continuous monitoring.
As Gartner advocates in their “adaptive protection process”, IT organizations should shift their mentality to a continuous response mentality where systems are assumed to already be compromised. If that’s the case, the creation of a robust data breach plan will become an even more critical arsenal for any IT organization.
Related: Preparing for the Inevitable Data Breach: Discussion
Related: All Data Is Not Valued Equally
Related: Understanding IT Risk from the Business Perspective