The best time to respond to a data breach is before it happens
No matter how well you train your people, and no matter how carefully you safeguard sensitive data and information, a data breach can happen.
If you already have a solid Incident Response Plan (IRP) in place, there is no need to panic. It will tell you what to do to get things under control again. If you do not already have such a plan, form one now. Contact experienced, certified professionals immediately and let them guide you through the proper steps.
If you have a plan in place, you know that step one is to notify your company’s operations professionals and business stakeholders immediately when a breach occurs. The next step is to follow your company’s IRP. The plan will enable you to:
- Preserve evidence involved in the breach
- Stop the leak of data
- Return to a normal state of operations as soon as possible
The Incident Response Plan
Security risks and legal requirements triggered by a data breach differ from industry to industry, state to state and country to country. That’s why preparation is vital; a “one size fits all” approach will not work. A solid IRP will take into account your organization’s specific needs and operations as well as legal compliance issues unique to your industry and your location.
Your IRP needs to outline specific steps so your business can best cope with any legal actions that might result from the data breach, whether it was the result of theft, hacking or human error.
Your Response Team
A proper Incident Response Plan will spell out exactly who is on the response team and what their roles are. Lining up the team in advance — before you have an incident — will ensure you are able to act immediately. Everyone will already know what to do. This is crucial, because every second counts.
The team should include security experts, whether on staff or on retainer; IT managers; marketing leaders to protect your brand’s reputation; lawyers who know the specifics of due diligence and regulatory compliance in your industry and location; business stakeholders; contractors and third-party providers, if appropriate.
Preserve The Evidence
You’ll need to know exactly what happened and when — not to mention how — to prevent a recurrence. That is why it is crucial to document and preserve the evidence in a forensically sound manner to ensure a successful post-breach audit.
Much of the evidence you need to preserve will be time-sensitive, so swift action is necessary. At minimum, you will need to document the following:
- Network connections
- Timestamps for important data files
- Packet captures
- Memory dumps
- Process lists
- User accounts
- Access privileges
- Network traffic
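The list above is only useful if each artifact can later be shown to be the one collected at the time, in the order collected. The following is an added example, not part of the original article, of a minimal POSIX shell collector that writes each artifact to a case directory, records a UTC timestamp and SHA-256 hash in a manifest, and can re-verify the manifest afterwards. The tool names in collect_volatile (ss, ps, who, getent, GNU find) and the case-directory layout are assumptions; adapt them to your hosts.

```shell
#!/bin/sh
# Added example (not from the original article): volatile-evidence collector
# with a hashed manifest, so the audit can show what was captured, when, and
# that it has not changed since. Tool names and paths are assumptions.
set -u

# hash_file FILE -> prints the SHA-256 hex digest using whichever tool exists
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# new_case DIR -> creates the case directory, an empty manifest and a case
# header with the opening time and host name; prints DIR
new_case() {
    mkdir -p "$1"
    : > "$1/manifest.txt"
    printf 'case_opened_utc=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" > "$1/case.txt"
    printf '%s\n' "$1"
}

# collect CASE_DIR NAME COMMAND... -> runs COMMAND, stores stdout as
# CASE_DIR/NAME.txt, stderr as NAME.err, and appends
# "timestamp name status sha256" to the manifest; prints the status
collect() {
    case_dir=$1; name=$2; shift 2
    out="$case_dir/$name.txt"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if "$@" > "$out" 2> "$case_dir/$name.err"; then
        status=ok
    else
        status=failed   # tool missing or not permitted; the .err file is the record
    fi
    digest=$(hash_file "$out")
    printf '%s %s %s %s\n' "$ts" "$name" "$status" "$digest" >> "$case_dir/manifest.txt"
    printf '%s\n' "$status"
}

# verify CASE_DIR -> re-hashes every artifact listed in the manifest;
# prints "intact" and returns 0, or "tampered" and returns 1
verify() {
    while read -r ts name status digest; do
        [ "$(hash_file "$1/$name.txt")" = "$digest" ] || { echo tampered; return 1; }
    done < "$1/manifest.txt"
    echo intact
}

# collect_volatile CASE_DIR -> captures the most transient data first
# (order of volatility). Linux tool names are assumptions.
collect_volatile() {
    case_dir=$1
    collect "$case_dir" network_connections ss -tanp
    collect "$case_dir" process_list ps -eo pid,ppid,user,lstart,cmd
    collect "$case_dir" logged_in_users who
    collect "$case_dir" user_accounts cat /etc/passwd
    collect "$case_dir" sudo_group_members getent group sudo
    collect "$case_dir" recent_file_times find /etc /home -newermt '-1 day' -printf '%TY-%Tm-%Td %TT %p\n'
}
```

Run it as `d=$(new_case /var/ir/case-YYYYMMDD); collect_volatile "$d"`, then copy the whole directory to write-once media and re-run `verify "$d"` from the copy. A failed tool is recorded rather than aborting the run, because a missing artifact is itself a fact the audit needs; packet captures and memory dumps are larger and host-specific, so they are left to dedicated tools but can be registered in the same manifest with `collect`.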
The needs of your specific organization or legal requirements in your area may add to this list. For instance, the Payment Card Industry Data Security Standard applies to some industries; health care providers must follow Health Insurance Portability and Accountability Act requirements. You will need to know what is required for your organization and be prepared to act swiftly to preserve the proper digital artifacts.
All of these artifacts must be documented so the audit can reveal unusual behavior or weaknesses in your IT network. Was someone logged in beyond their usual working hours? Did an employee fail to follow security protocol? Was there an unusual spike in network activity? Forensically sound documentation of the evidence and a thorough post-breach audit will suggest viable investigative avenues and help you prevent such incidents from happening again.
Plug The Breach
In order to stop data from being leaked, it may be necessary to shut down some applications or processes temporarily to prevent further exfiltration of data. You also need to correct whatever weaknesses were exploited to gain access to your data.
Once you believe you have stopped the bleeding, it is important to continue monitoring the situation. Don’t assume things are fixed; continued vigilance is needed to ensure you’ve covered all important steps.
After the breach is stopped and vulnerabilities are addressed, there still are some remaining steps before you get back to business as usual:
- Update software to ensure all applications are up to date.
- Re-image endpoints to eliminate vulnerabilities.
- Examine user accounts and survey access permissions to ensure data and network privileges are not available to employees who do not need access.
- Review security practices and policies with all employees and enforce them.
- Review your organization’s Incident Response Plan in light of lessons learned while addressing the incident. Update the plan and revise team membership if necessary.
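The account and permission review in the list above is easier to repeat after every incident if it is scripted. The following is an added example, not part of the original article, of a shell function that reads files in /etc/passwd and /etc/group format and flags accounts a least-privilege review should question: any non-root account with UID 0, and any account whose primary or supplementary group is one of the named privileged groups. Which groups count as privileged is an assumption passed in by the caller; the inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): flag accounts holding
# privileges that a post-incident least-privilege review should question.
# Inputs use /etc/passwd and /etc/group syntax; the privileged group names
# are an assumption supplied by the caller.

# review_accounts PASSWD_FILE GROUP_FILE "group1 group2 ..."
#   -> prints one "user: reason" line per finding, sorted
review_accounts() {
    awk -v admin_groups="$3" '
        BEGIN {
            n = split(admin_groups, ag, " ")
            for (i = 1; i <= n; i++) is_admin[ag[i]] = 1
        }
        # first file (passwd): name:x:uid:gid:gecos:home:shell
        FNR == NR {
            split($0, f, ":")
            uid[f[1]] = f[3]; gid[f[1]] = f[4]
            next
        }
        # second file (group): name:x:gid:member1,member2
        {
            split($0, g, ":")
            gname[g[3]] = g[1]
            if (is_admin[g[1]] && g[4] != "") {
                m = split(g[4], members, ",")
                for (i = 1; i <= m; i++)
                    member_of[members[i]] = member_of[members[i]] " " g[1]
            }
        }
        END {
            for (u in uid) {
                if (uid[u] == "0" && u != "root")
                    print u ": uid 0 but not root"
                if (is_admin[gname[gid[u]]])
                    print u ": primary group " gname[gid[u]] " is privileged"
                if (member_of[u] != "")
                    print u ": member of" member_of[u]
            }
        }' "$1" "$2" | sort
}
```

Usage on a live host would be `review_accounts /etc/passwd /etc/group "sudo wheel adm"`; each line printed is a question for the account owner and the IRP team, not by itself a finding of misuse. Running it before the breach and keeping the output with the case evidence gives the audit a baseline to diff against.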
The best time to consider a data breach is before it happens. Have a detailed Incident Response Plan in place, have all your team members’ roles identified in advance and respond quickly to keep damage to a minimum. Know your organization’s reporting regulations and comply diligently. And if you have a breach, assess what you learned in responding to it and apply that to your IRP to prevent future incidents.