Does Your Breach Incident Response Plan Have Holes?

In 2016, the number of data breaches in the US reached a record high of 1,093, according to a study by the Identity Theft Resource Center and CyberScout. That was a 40% increase over 2015.

These statistics may seem frightening, but the reality is likely much worse. According to the researchers, the untold numbers of breaches that go undetected and unreported keep us from seeing the full scope of the problem.

These attacks take a toll on businesses. A recent study by IBM/Ponemon placed the average cost of a data breach for a U.S. company at about $4 million. The most important thing an organization can do to avoid such losses is to have a breach response plan in place, and a team trained to implement it.

If your company doesn’t have an incident response plan, there’s never been a better time to establish one. We’ll examine some best practices for creating a breach incident response plan.

Create a Strong Response Team

No plan can be effective without vigilant employees tasked with specific responsibilities. A CIO should be closely involved in the formation of a team of members who each know his or her role in responding to a breach.

Such a team should include:

Establish a Reporting Structure

Employees across departments must know whom to contact if they notice suspicious activity. To do that, CIOs must ensure that staffers are educated on what constitutes suspicious activity they may come across.

Document the Breach

Documenting the breach is essential to address the attack and respond to fallout. It should also help the company learn where to improve security in the future.

Documentation should include:

● The system affected

● The origin of the breach

● Any malware used

● The location of remote servers where data may have been sent

● Which users were logged on

● A list of running processes

● A list of open ports and connected applications

Communicate Effectively

Once a data breach has been confirmed, the IRO should inform management of the steps being taken to repair the damage. Once the breach has been contained, communications should be sent to staff outlining an explanation of the event, steps being taken to fix the situation, and resulting policy changes.

Establish a Remediation Process

Written policies should be in place to inform IT actions in response to a breach, including:

● Monitoring suspicious activities

● Disconnecting/blocking services

● Confiscating affected workstations and devices

● Contacting external cybersecurity resources

● Contacting the Internet service provider

Test Your Response Plan

The best way to test the effectiveness of the response plan is by conducting a breach simulation exercise that replicates an attack. This drill will allow your team to see how a breach unfolds in real time, and it will uncover any problems that need to be tackled.

Establishing a plan is great, but it’s only a first step. Once a plan is established, it should be examined and tested periodically, and revised if necessary. More than a third of companies that have a plan have never done this, according to a study by Experian. Don’t learn this lesson the hard way.

{image 1}

With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security protection from penetration testing, consultancy, and training advance threat detection.