In 2017, Forbes conducted a survey at PwC in which 87% of the people expressed that they would shift their business to a competitor if they do not trust a company to handle data responsibly. Data is important because it contains sensitive information about individuals, organizations, and business plans which if leaked can lead to identity theft, fraud, heavy monetary losses, and sometimes, even loss of lives.
Security or a data breach is a security incident in which information is accessed without authorization, thereby violating its confidentiality. A data or security breach can be done by anyone including an employee, a rival organization, or just a malicious agent. The motive can be any fraudulent activity like defamation, corporate espionage, disruption, or financial gain for the attacker.
So how can organizations respond to such a Data Breach or Security Breach?
It is very important to act immediately, even if you don’t know the cause of the breach or full damage. The battle against the threat must be fought at multiple fronts simultaneously.
Firstly, the organization should secure all its operations. This means one data breach should not lead to further attacks. The goal is to limit the damage. Affected equipment like servers should be made offline right away and organizations should quickly remove any improper information posted online. The organization should disconnect any accounts or shut down the infrastructure of the affected department immediately to contain the attack.
Simultaneously, the organization should isolate any system which has been compromised to block the spread of the attack to the entire network. Care must be taken to clean any malicious code introduced by the attacker in the systems. Furthermore, the organization should ask all its employees and customers to change their passwords without any delay. This can effectively contain the threat.
Along with this, the organization must deploy a team to fix vulnerabilities. The organization must review all the data on the system and verify if all its customers and clients are adhering to the security norms. Understanding the root of the issue is very important. Cybersecurity experts can use forensics to analyze traffic and instantly determine the root cause of the attack. They could capture all the traffic and look for signs of anomalies. This step also involves blacklisting any IP addresses from where anomalous traffic was detected.
Keeping this in mind, communication is essential and key to retaining your customers. Internal communication should include teams from legal, finance, IT, human resources, public relations, and others. External communications must include notifying law enforcement and affected parties like clients and business partners. This is essential as the earlier you involve law enforcement, the more effective they can be. The organization must enlist external forensic experts to handle the ongoing investigation which will help the organization to investigate the cause without bias, understand the impact, and start fixing the problem.
If the incident is not reported then it will lead to a serious distrust in the organization which will further lead to a loss in revenues, lawsuits, and hefty fines. Also, as per the law, the organization must report such breaches to its clients and partners. Organizations can issue the notification of a breach through email, press releases, social media, or customer portals. This is the time for transparency so report the breach as soon as possible, even if you do not have all the facts at hand. It is imperative to keep your clients, business partners, and customers in the loop if there are any updates.
The organization must be honest and provide key details of the problem in its official message. It must take responsibility if it was the organization’s fault. Next, the organization must assess the damage done and conduct a review on what data was breached and how sensitive was it. Questions like how the attack was carried out, how much information was compromised, if any encrypted data was cracked must be documented.
A full report must be made, and appropriate recovery plans must be put into motion.
Lastly, the organization must take corrective measures to avoid such ugly situations in the future. This can be done by drafting a comprehensive incident response plan which gets revised after regular intervals. So, what should this plan contain?
- Identify teams and appoint team leads in each department to contain and recover from a security incident.
- Identifying the key stakeholders in the organization who should be involved in case of a breach. This may include department managers, senior executives, legal teams, partners, and customers.
- Ensuring IT resources are allocated to key departments like Information Technology, Legal, Public Relations, and Executive.
- Ensuring legal and public relations are ready with necessary training about reporting such incidents.
- Keep the plan simple. Make sure it is not too complex but at the same time comprehensive enough to limit damages. The plan should be feasible enough to work in real-time. It should not just be a complex plan that looks good in theory.
- Educate employees about breaches. This should include employees from all departments and make them aware of threats. Training sessions and cybersecurity drills may prove useful in this regard.
- Finally, talking of drills, make sure this response plan is put to the test. Conducting cybersecurity drills will not only test the effectiveness of the response plan but also help identify any loopholes that might have been missed.
An example of an incident response plan by Carnegie Mellon University can be found at the following link: https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan1.0.pdf
Every organization will have different approaches for an incident response based on their domain and IT environment and needs. It is strongly recommended that organizations read guides by organizations like NIST for their incident response planning and solutions.