In 2016, the number of data breaches in the US reached a record high of 1,093, according to a study by the Identity Theft Resource Center and CyberScout. That was a 40% increase over 2015.
These statistics may seem frightening, but the reality is likely much worse. According to the researchers, the untold numbers of breaches that go undetected and unreported keep us from seeing the full scope of the problem.
These attacks take a toll on businesses. A recent study by IBM/Ponemon placed the average cost of a data breach for a U.S. company at about $4 million. The most important thing an organization can do to avoid such losses is to have a breach response plan in place, and a team trained to implement it.
If your company doesn’t have an incident response plan, there’s never been a better time to establish one. We’ll examine some best practices for creating a breach incident response plan.
Create a Strong Response Team
No plan can be effective without vigilant employees tasked with specific responsibilities. A CIO should be closely involved in forming a team whose members each know their role in responding to a breach.
Such a team should include:
- Incident Response Officer (IRO). The IRO should serve as the liaison to external partners involved in combating a breach.
- IT Personnel. IT personnel should assess and contain the damage, perform forensics, recover data, and mitigate the effects of the breach to the company and end users.
- Legal Counsel. An attorney’s responsibility is to determine if specific evidence can be used if the company decides to take legal action. The attorney will also advise on any legal issues that may arise if a data breach impacts customers, shareholders, or vendors, who could pursue legal action.
- Public Relations. The public relations team will assume crisis management duties in the public eye.
- Outside Partners. Forensic and cybersecurity companies can help restore systems and remove threats. These partners, including exactly what they do and the point of contact, should be documented in the response plan.
Establish a Reporting Structure
Employees across departments must know whom to contact if they notice suspicious activity. To make that work, CIOs must ensure that staff are trained to recognize what suspicious activity looks like in their day-to-day work.
Document the Breach
Documenting the breach is essential to addressing the attack and responding to its fallout. It should also help the company learn where to improve security in the future.
Documentation should include:
- The system affected
- The origin of the breach
- Any malware used
- The location of remote servers where data may have been sent
- Which users were logged on
- A list of running processes
- A list of open ports and connected applications
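The last three checklist items are volatile and disappear at reboot, so a responder should capture them the moment a breach is suspected. The script below is an added example, not part of the original article: it collects logged-on users, running processes, and open ports with their attached applications into a fresh evidence directory and hashes every file so the record can later be shown to be unaltered. It assumes a Linux host with coreutils, ps, and either ss or netstat; the function names are our own.

```shell
#!/bin/sh
# Added example: collect the volatile items from the documentation checklist
# (logged-on users, running processes, open ports and connected applications)
# into a timestamped evidence directory and build an integrity manifest.
# Assumes Linux with coreutils, ps, and ss or netstat (hypothetical helper names).

# Usage: dir=$(collect_volatile_data /var/tmp/ir)   -> prints the evidence directory
collect_volatile_data() {
    base="$1"
    stamp=$(date -u '+%Y%m%dT%H%M%SZ')
    outdir="$base/evidence_${stamp}_$(uname -n)"
    mkdir -p "$outdir" || return 1

    # Context first: when, on which host, and as whom the collection ran.
    { date -u '+%Y-%m-%dT%H:%M:%SZ'; uname -a; id; } > "$outdir/collection_context.txt" 2>&1

    # Checklist item: which users were logged on.
    if command -v who >/dev/null 2>&1; then
        who > "$outdir/logged_on_users.txt" 2>&1
    else
        echo "who(1) not available on this host" > "$outdir/logged_on_users.txt"
    fi

    # Checklist item: running processes, with parent PID, owner, age and command line.
    ps -eo pid,ppid,user,etime,args > "$outdir/running_processes.txt" 2>&1 \
        || ps -ef > "$outdir/running_processes.txt" 2>&1

    # Checklist item: open ports and the applications holding them
    # (-p only shows other users' sockets when run as root).
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$outdir/open_ports.txt" 2>&1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$outdir/open_ports.txt" 2>&1
    else
        cat /proc/net/tcp /proc/net/udp > "$outdir/open_ports.txt" 2>&1
    fi

    # Integrity manifest over everything collected, for later verification.
    ( cd "$outdir" && sha256sum ./*.txt > MANIFEST.sha256 ) || return 1
    echo "$outdir"
}

# Returns 0 only if every collected file still matches the manifest.
verify_evidence() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}
```

Run it as root so the socket-to-process mapping is complete, and copy the evidence directory off the affected host before any remediation touches it.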
Once a data breach has been confirmed, the IRO should inform management of the steps being taken to repair the damage. After the breach has been contained, communications should go out to staff explaining the event, the steps being taken to fix the situation, and any resulting policy changes.
Establish a Remediation Process
Written policies should be in place to inform IT actions in response to a breach, including:
- Monitoring suspicious activities
- Disconnecting/blocking services
- Confiscating affected workstations and devices
- Contacting external cybersecurity resources
- Contacting the Internet service provider
Test Your Response Plan
The best way to test the effectiveness of the response plan is by conducting a breach simulation exercise that replicates an attack. This drill will allow your team to see how a breach unfolds in real time, and it will uncover any problems that need to be tackled.
Establishing a plan is great, but it’s only a first step. Once a plan is established, it should be examined and tested periodically, and revised if necessary. More than a third of companies that have a plan have never done this, according to a study by Experian. Don’t learn this lesson the hard way.
With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security services, including penetration testing, consultancy, training, and advanced threat detection.