[BreachExchange] The Right Way to Respond to a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 26 19:27:17 EDT 2016


http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-right-way-to-respond-to-a-data-breach/

Cybersecurity has become a board level discussion, and worries about
cybersecurity breaches are part of what keeps C-suite execs and BOD members
up at night. So much so that many organizations have started to adopt the
mentality that they’ve likely been breached already and they just don’t
know it yet. It’s what’s known as the “assume breach” mentality, which
treats a data breach not as an “if” but “when.”

It’s clear that cybersecurity is no longer solely in the domain of IT
departments—it’s a business-critical part of an organization. This was most
evident in the aftermath of the Sony hack, as employees found it impossible
to do their day-to-day jobs due to the depth of the breach.

As the frequency and severity of breaches have grown, so has their cost.
In IBM/Ponemon’s 2016 Cost of Data Breach Study, it was reported that the
cost per stolen record increased from the previous year, with the real cost
coming in the form of lost business. The study found the average cost of a
breach to be $7.1 million for U.S. companies and $4 million globally.

Interestingly, the report discovered that having an incident response plan
and a team to handle incident response decreased the cost per lost record
by $16, from $158 to $142, which was the top factor in mitigating the cost
of a data breach.

INCIDENT RESPONSE PLANNING IS NO LONGER OPTIONAL

The last thing an organization needs when it has experienced a breach is
to frantically try to perform damage control amidst the chaos that usually
follows such events. Organizations that aren’t prepared to respond to
a breach will compound the damage and eventual fallout.

For this reason, organizations need to thoroughly document the steps and
identify the teams that will be activated when a breach is discovered. The
teams will be responsible for, amongst other things, how and when to inform
affected parties, what to tell reporters and regulators, and how to remove
the intruder and patch the vulnerability that caused the breach.

Just looking at the scale of the data breaches, like the one Target
experienced a couple of years ago, should be a reminder of why
organizations should have an incident response plan that includes practice
runs and drills.

Unfortunately, incident response planning is still lacking in a lot of
organizations. In Ernst & Young’s 2015 Global Information Security Survey,
only 43% of respondents said they had a formal incident response program,
while only 7% stated that they had a comprehensive plan that included
third-party vendors, law enforcement and tabletop exercises.

LESSONS LEARNED FROM PAST MISTAKES

Target has the unenviable position of being the poster child for suffering
a massive data breach and having a less-than-stellar response. The mistakes
made by the mega retailer have been parsed and analyzed over the years,
with some arguing that a few things should have been done differently.

When it comes to data breach response, open, honest/accurate and timely
communication is key. Target could have saved itself a lot of pain had it
been the first one to break the news to its customers. Instead,
investigative journalist Brian Krebs ended up breaking the news when he
noticed a cache of credit card numbers for sale on the darknet with one
thing in common: they had all been used at a Target recently. Target,
however, should be credited for having had cybersecurity insurance.

Anthem was another breach that could have used accurate and prompt
communication. It waited too long to alert its customers and had to
increase the estimated number of records breached from 37.5 million to 78.8
million.

Anthem is a good case study that highlights the sheer difficulty of having
a successful incident response. Early communication, though a cornerstone
of a solid incident response, must be accompanied by accurate assessment of
the scope of the breach—something that can prove impossible to achieve.

On the flip side, there are companies that earned high marks for their data
breach response. Adobe is one such company: it faced a unique kind of
breach and got away relatively unscathed. Unlike most breaches, which aim to
steal consumer data to sell to the highest bidder, Adobe had both its
customer information and portions of its product source code stolen.

This posed a difficult challenge in that Adobe had to scour its product to
make sure there weren’t any zero-day vulnerabilities that could be
exploited. According to Adobe CEO Brad Arkin, Adobe spent months doing
forensic investigation of its product and held meetings “every four hours
for forensic updates.” Adobe was quick to notify its customers of the
breach and sent out several password-reset emails to its user base.

Home Depot also earned high marks for its breach response. Home Depot’s
breach had a lot in common with the Target breach. Both retailers had their
customers’ credit card information stolen as customers swiped their cards
at the checkout stand; both were hacked through a third-party vendor that
installed malware; and both were targeted during the most important
shopping season for their industry (spring and summer for Home Depot and
the holiday season for Target).

Home Depot didn’t face nearly the same amount of criticism as Target, in
large part because whereas Target waited a week to inform customers, Home
Depot notified its customers even before they had fully confirmed the
breach.

WHAT ARE SOME OF THE BASIC ELEMENTS OF AN INCIDENT RESPONSE PLAN?

There are a few must-haves in an incident response plan:

1. DATA INVENTORY

Know what type of data is being collected, processed and stored, as well as
where it’s being stored and who has access to it. Categorize the data
according to its level of sensitivity and the internal and external
compliance requirements that apply to it. Migrating to the cloud?
Know where sensitive data will be stored and who will have access to it,
along with other best practices around cloud security when migrating data
to the cloud.

2. MONITOR ACCESS AND AUDIT

While monitoring usage falls in the domain of the IT department, the
incident response plan should include an outline of the procedures for
monitoring access and conducting regular audits. It’s not uncommon to find
organizations that fail to delete the accounts of users who no longer work
at the company, or that grant the same level of access to sensitive
documents across a large swath of internal and external users.
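The two audit findings described above (accounts of departed users that were never removed, and sensitive documents shared too widely or with external users) can be checked mechanically from an HR roster, a directory export and an ACL export. The following is an added example, not code from the article or from Tripwire; the roster, account and ACL data are constructed, and the `max_ratio` threshold is an assumed policy value.

```python
"""Access audit helpers (added example; all input data is constructed)."""

# Constructed HR roster: usernames of people currently employed.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed directory export: username -> account attributes.
ACCOUNTS = {
    "alice":   {"enabled": True,  "external": False},
    "bob":     {"enabled": True,  "external": False},
    "dave":    {"enabled": True,  "external": False},  # left, never disabled
    "erin":    {"enabled": False, "external": False},  # left, already disabled
    "vendor1": {"enabled": True,  "external": True},   # third-party account
}

# Constructed ACL export: resource -> {username: permission}.
ACLS = {
    "hr/payroll.xlsx": {"alice": "rw", "bob": "rw", "dave": "rw", "vendor1": "rw"},
    "eng/design.docx": {"alice": "rw", "bob": "r"},
}
SENSITIVE = {"hr/payroll.xlsx"}  # resources classified as sensitive in the data inventory


def orphaned_accounts(accounts, hr_active):
    """Enabled internal accounts with no matching active employee.

    External (vendor) accounts are excluded because they are not on the HR
    roster; they should be reviewed against vendor contracts instead."""
    return sorted(user for user, attrs in accounts.items()
                  if attrs["enabled"] and not attrs["external"]
                  and user not in hr_active)


def overbroad_access(acls, accounts, sensitive, max_ratio=0.5):
    """Sensitive resources granted to more than max_ratio of all enabled
    accounts, or to any external account.  Returns {resource: details}."""
    enabled = {u for u, a in accounts.items() if a["enabled"]}
    findings = {}
    for resource in sensitive:
        grants = acls.get(resource, {})
        externals = sorted(u for u in grants
                           if accounts.get(u, {}).get("external"))
        share = len(grants.keys() & enabled) / len(enabled)
        if externals or share > max_ratio:
            findings[resource] = {"external": externals, "share": round(share, 2)}
    return findings


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, HR_ACTIVE))
    print("over-broad:", overbroad_access(ACLS, ACCOUNTS, SENSITIVE))
```

Running this on the constructed data flags `dave` as an orphaned account and `hr/payroll.xlsx` as shared with every enabled account and with an external vendor; `eng/design.docx` is not sensitive and is not reported.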

3. BE AWARE OF COMPLIANCE REQUIREMENTS

The healthcare (HIPAA) and financial services (PCI-DSS, SOX, GLBA)
industries are two of the most regulated industries when it comes to data
privacy and security. But there are other regulations that may impact
other sectors, such as education (FERPA) or the federal government (FISMA,
FIPS). It’s important to know the requirements of each and the steps they
recommend taking in the case of a data breach. HIPAA, for example,
requires organizations to report a breach to the press if it impacts more
than 500 patient records.

4. ASSESS LEGAL RISKS

Most large data breaches inevitably lead to a drawn-out and expensive
class-action suit. You should have a short list of legal agencies that
specialize in data breach response and put in place contractual agreements,
so that you can activate these agencies at a moment’s notice.

5. BUILD A CRISIS COMMUNICATION PLAN

This is likely the most important part of incident response. The plan
should include teams and assigned team leaders from each department (PR,
legal, marketing, etc.) that will be responsible for communicating the
incident both internally and with outside stakeholders. It might also help
to have contractual agreements with outside agencies specializing in data
breaches who will handle communication, including drafting/mailing letters,
speaking with press and contacting law enforcement authorities.

The key to a successful plan will be team members and third-party partners
knowing what they need to do ahead of time. For this reason, crisis
communication should be practiced regularly.