[BreachExchange] The First 48 Hours - How to Respond to a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 16 14:15:55 EDT 2018


https://www.lexology.com/library/detail.aspx?g=baec7c90-35bf-4cdc-b491-0ed6e60d6dda

If you’ve discovered that your company has been hacked, the first 48 hours
are absolutely critical. A cybersecurity breach can expose privileged client
data, business records, company design forecasts, or payment card customer
details. Every aspect of your company’s infrastructure could be
compromised. Limiting further harm and closing the exploited vulnerability
in the first 48 hours depends on having an incident response plan. The plan
determines which security protocols and responsibilities will be put in
place to manage risk and protect confidential data.

Develop an Incident Response Plan

The company’s security breach response plan should set out the roles and
responsibilities of the security staff, company officials, and impacted
departments that must handle a security breach. The plan gives security
team members, and any external security professionals brought in, direct
procedures for assessing the extent of the breach and the level of
remaining exposure of the company’s infrastructure to further attack. The
plan should include periodic security breach “fire drills” and “penetration
tests” to prepare staff and security personnel to anticipate actions or
issues that may be overlooked during a security breach.

Coordinate an Internal Response Team

Even if you have retained cybersecurity personnel to deal with day-to-day
security concerns, you should hire a professional external IT cybersecurity
firm whose staff are trained in security breach detection and can
coordinate immediate measures to identify and contain the breach.

First 24 – 48 Hours

Identify the businesses, clients, or customers potentially affected and
assess the degree of exposure. Coordinate the collection and preservation
of all relevant metadata, including evidence of stolen and/or weak
passwords, malware infections, social media attacks, and phishing.
Segregate the collected documentation without altering it. Maintain chain
of custody on data breach evidence and establish protocols for protecting
privileged data.
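The preservation and chain-of-custody step above is the one most often done badly under time pressure, so here is an added example (not part of the article) of the minimum a responder should capture when collecting artifacts: a manifest with each file’s SHA-256 hash at collection time, a custody log of who handled it, and a verification routine that reports any artifact whose content has changed since collection. All file names, the case id and the sample log contents are constructed for the demonstration.

```python
"""Evidence preservation helper: hash collected artifacts, keep a
chain-of-custody log, and detect later alteration.
Added illustration; not code from the article or its author."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large disk images or logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Record each artifact's path, size and SHA-256 at collection time,
    plus the first custody entry (who collected it and when)."""
    now = datetime.now(timezone.utc).isoformat()
    items = [
        {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in map(Path, paths)
    ]
    return {
        "case_id": case_id,
        "artifacts": items,
        "custody": [{"time": now, "actor": collector, "action": "collected"}],
    }


def record_custody(manifest: dict, actor: str, action: str) -> dict:
    """Append a custody event (transfer, analysis, sealing); hashes are untouched."""
    manifest["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
    })
    return manifest


def verify_manifest(manifest: dict) -> list:
    """Re-hash every artifact and return the paths whose content no longer
    matches (or which are missing). An empty list means the evidence is
    unaltered since collection."""
    altered = []
    for item in manifest["artifacts"]:
        p = Path(item["path"])
        if not p.exists() or sha256_file(p) != item["sha256"]:
            altered.append(item["path"])
    return altered


def demo() -> tuple:
    """Constructed sample: two artifacts in a temp directory; one is
    overwritten after collection. Returns (altered_before, altered_after)."""
    d = Path(tempfile.mkdtemp(prefix="evidence_"))
    auth_log = d / "auth.log"   # constructed sample log line, documentation IP range
    auth_log.write_text(
        "Mar 16 09:12:01 host sshd[812]: Failed password for admin from 203.0.113.9\n"
    )
    mail = d / "phish.eml"      # constructed sample phishing message header
    mail.write_text("From: it-support@example.test\nSubject: Password reset required\n")

    m = build_manifest([auth_log, mail], collector="analyst-1",
                       case_id="CASE-ID-PLACEHOLDER")
    record_custody(m, actor="analyst-2", action="received for analysis")
    before = verify_manifest(m)

    auth_log.write_text("")     # simulate alteration of preserved evidence
    after = verify_manifest(m)

    (d / "manifest.json").write_text(json.dumps(m, indent=2))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is written beside the evidence here only for brevity; in practice it should be stored separately (and itself hashed or signed) so that whoever alters an artifact cannot also rewrite its recorded hash.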

Utilize internal and external counsel to assist in evaluating possible
civil, criminal, or regulatory concerns. Prepare an initial security breach
report for insurance companies, financial institutions, and the board of
directors and stockholders if the company is a public company. Check with
legal counsel which laws in the countries you operate in obligate you to
report immediately to a regulator.

Coordinate Customer and Media Response

Activate the company’s media and customer response center to handle media,
customer, email, and social media inquiries. Be honest and communicate
what is known, even if the extent of the breach is not yet verified. Manage
customer and client notification letters, and offer identity theft
monitoring and protection services to those impacted by the breach.
Preserve and verify key findings and facts for a post-incident evaluation
meeting with staff and relevant authorities and agencies.

