A lot is written these days about best practices for preventing data breaches – practices such as keeping critical systems up to date with patches, ensuring firewalls and AV scanners are updated with signature files, educating employees about the risks of phishing attacks, and so on.
These guidelines often note that the odds of a data breach are high – and they are. Pick your survey: anywhere from 43% to 76% of enterprises suffered a data breach in 2014. Whatever the percentage, data breaches are far too common.
Along with working to prevent a data breach, organisations should work to develop incident response plans for what actions to take after a breach. If data breaches are likely, then it makes sense to be able to act quickly and effectively once a breach has occurred.
Ideally, an incident response plan should address all the relevant facets of a breach, including technical requirements, regulatory responses, and forensic analysis.
First, there is the technical matter of containing the breach and preventing further data loss. IT engineers may need to isolate infected systems, close certain network ports, or temporarily shut down vulnerable services. Putting procedures in place ahead of time helps engineers to perform these steps expeditiously.
Second, there is the matter of understanding how the breach occurred so that IT systems can be reconfigured to detect and prevent a similar attack from taking place. The enterprise may want to bring in a breach forensics expert to help with this work.
Most likely, engineers will want to make copies of infected file systems and preserve as much evidence as possible. Analysis from this phase may need to be delivered to the organisation’s legal team and compliance officers.
Third, there are corporate and regulatory reporting responsibilities to be fulfilled. Affected stakeholders – which may include consumers – will need to be notified. Depending on the nature of the enterprise’s industry, regulatory organisations may need to be notified as well.
The company’s communications team may want to consider the types of announcements it would need to make in the eventuality of certain types of breaches. By having a crisis communications plan in place with responses crafted ahead of time, the organisation is more likely to arrive at the most judicious phrasing and the most effective communication in the timeliest manner.
Ultimately, the organisation’s reputation may depend on honest and prompt communication that gives any affected parties time to take relevant actions to protect their personal information.
Finally, there’s the matter of applying lessons learned. This goes much further than shutting down the affected systems, services, and ports. Instead, the breach should be thoroughly examined so that existing practices and systems can be improved. For example:
If the breach was the result of a lost or stolen mobile device, what steps can be taken to improve the security of these devices? In many industries, mobile devices are a leading cause of data breaches. For example, in healthcare, 68% of data breaches are due to lost or stolen mobile devices storing unencrypted data. The organisation may want to review its mobile security policies and practices.
If the breach was the result of a cyber attack, the organisation will want to review how the hackers got in. Were systems insufficiently isolated? Were intrusion detection alerts incorrectly dismissed as false positives? Was malware from a phishing attack able to access internal content and systems? Looking ahead, could AV scanning and the use of secure containers for business content on mobile devices prevent a similar attack?
If the breach was the result of unpatched systems being exploited, the organisation will want to assess the state of its patch installations. Are critical systems up to date? Does the organisation have an effective plan for keeping systems up to date?
If the breach was the result of data being carelessly shared on public cloud services – a very common practice in a BYOD world – the IT organisation may want to provide employees with more secure private-cloud solutions, or it may decide to deploy a security solution that applies security best practices – such as access controls, encryption, and logging – to public cloud services that were designed for convenience rather than security.
As cyber security professionals and organisations that have suffered a breach will tell you, a cyber attack is not a question of 'if' but of 'when'. Data security is therefore a cycle: the lessons learned after one breach are applied to preventing the next.
The best incident response plan minimises the repercussions of the current breach and helps reduce the odds of another breach in the future.
Sourced from Hormazd Romer, senior director of Product Marketing, Accellion