[BreachExchange] What Not to Do After a Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu Jun 22 00:18:39 EDT 2017


http://www.pcmag.com/article/354410/what-not-to-do-after-a-data-breach

Thousands of words have been written about how to prevent cyberattacks
and what to do if you've been targeted. You're probably already
familiar with terms such as endpoint protection and data backup and
recovery. These solutions and services are great for protecting you
and helping you get back up and running once an attack has been
resolved. Unfortunately, there's no standard playbook for a data
breach and your actions during a disaster could be as harmful as they
are helpful.

In this article, I will discuss what companies should avoid doing once
they realize their systems have been breached. I spoke to several
experts from security companies and industry analysis firms to better
understand the potential pitfalls and disaster scenarios that develop
in the wake of cyberattacks.

1. Do Not Improvise

In the event of an attack, your first instinct will tell you to begin
the process of rectifying the situation. This may include protecting
the endpoints that have been targeted or reverting to previous backups
to close up the entry point used by your attackers. Unfortunately, if
you hadn't previously developed a strategy, then whatever hasty
decisions you make after an attack could worsen the situation.

"The first thing you should not do after a breach is create your
response on the fly," said Mark Nunnikhoven, Vice President of Cloud
Research at cyber security solution provider Trend Micro. "A critical
part of your incident response plan is
preparation. Key contacts should be mapped out ahead of time and
stored digitally. It should also be available in hard copy in case of
a catastrophic breach. When responding to a breach, the last thing you
need to be doing is trying to figure out who is responsible for what
actions and who can authorize various responses."

Ermis Sfakiyanudis, President and CEO of data protection services
company Trivalent, agrees with this approach. He said it's critical
that companies "do not freak out" after they've been hit by a breach.
"While unpreparedness in the face of a data breach can cause
irreparable damage to a company, panic and disorganization can also be
extremely detrimental," he explained. "It is critical that a breached
company not stray from its incident response plan, which should
include identifying the suspected cause of the incident as a first
step. For example, was the breach caused by a successful ransomware
attack, malware on the system, a firewall with an open port, outdated
software, or unintentional insider threat? Next, isolate the affected
system and eradicate the cause of the breach to ensure your system is
out of danger."

Sfakiyanudis said it's vital that companies ask for help when they're
in over their heads. "If you determine that a breach has indeed
occurred following your internal investigation, bring in third-party
expertise to help handle and mitigate the fallout," he said. "This
includes legal counsel, outside investigators who can conduct a
thorough forensic investigation, and public relations and
communication experts who can create strategy and communicate to the
media on your behalf.

"With this combined expert guidance, organizations can remain calm
through the chaos, identifying what vulnerabilities caused the data
breach, remediating so the issue doesn't happen again in the future,
and ensuring their response to affected customers is appropriate and
timely. They can also work with their legal counsel to determine if
and when law enforcement should be notified."

2. Do Not Go Silent

Once you've been attacked, it's comforting to think that no one
outside of your inner circle knows what just happened. Unfortunately,
the risk here isn't worth the reward. You'll want to communicate with
staffers, vendors, and customers to let everyone know what has been
accessed, what you did to remedy the situation, and what plans you
intend to take to ensure no similar attacks occur in the future.
"Don't ignore your own employees," advised Heidi Shey, Senior Analyst
of Security & Risk at Forrester Research. "You need to communicate
with your employees about the event, and provide guidance for your
employees about what to do or say if they're asked about the breach."

Shey, like Sfakiyanudis, said you may want to look into hiring a
public relations team to help control the messaging behind your
response. This is especially true for large and expensive
consumer-facing data breaches. "Ideally, you'd want such a provider
identified in advance as a part of your incident response planning so
you can be ready to kick off your response," she explained.

Just because you're being proactive about notifying the public that
you've been breached, it doesn't mean that you can start issuing wild
statements and proclamations. For example, when toymaker VTech was
breached, photos of children and chat logs were accessed by a hacker.
After the situation had died down, the toymaker changed its Terms of
Service to relinquish its responsibility in the event of a breach.
Needless to say, customers were not happy. "You don't want to look
like you're resorting to hiding behind legal means, whether that's in
avoiding liability or controlling the narrative," said Shey. "Better
to have a breach response and crisis management plan in place to help
with breach-related communications."

3. Do Not Make False or Misleading Statements

This is an obvious one but you'll want to be as accurate and honest as
possible when addressing the public. This is beneficial to your brand,
but it's also beneficial to how much money you'll recoup from your
cyber-insurance policy should you have one. "Don't issue public
statements without consideration for the implications of what you're
saying and how you sound," said Nunnikhoven.

"Was it really a 'sophisticated' attack? Labeling it as such doesn't
necessarily make it true," he continued. "Does your CEO really need to
call this an 'act of terrorism'? Have you read the fine print of your
cyber-insurance policy to understand exclusions?"

Nunnikhoven recommends crafting messages that are "no-bull, frequent,
and which clearly state actions that are being taken and those that
need to be taken." Trying to spin the situation, he said, tends to
make things worse. "When users hear about a breach from a third party,
it immediately erodes hard-won trust," he explained. "Get out in front
of the situation and stay in front, with a steady stream of concise
communications in all channels where you're already active."

4. Do Not Close Incidents Too Soon

You've closed your corrupted endpoints. You've contacted your
employees and customers. You've recovered all of your data. The clouds
have parted and a ray of sunshine has cascaded onto your desk. Not so
fast. Although it may seem as if your crisis has ended, you'll want to
continue to aggressively and proactively monitor your network to
ensure there are no follow-up attacks.

"There is a huge amount of pressure to restore services and recover
after a breach," said Nunnikhoven. "Attackers move quickly through
networks once they gain a foothold, so it's hard to make a concrete
determination that you've addressed the entire issue. Staying diligent
and monitoring more aggressively is an important step until you're
sure the organization is in the clear."

Sfakiyanudis agrees with this assessment. "After a data breach is
resolved and regular business operations resume, do not assume the
same technology and plans you had in place pre-breach will be
sufficient," he said. "There are gaps in your security strategy that
were exploited and, even after these gaps are addressed, it doesn't
mean there won't be more in the future. In order to take a more
proactive approach to data protection moving forward, treat your data
breach response plan as a living document. As individuals change roles
and the organization evolves via mergers, acquisitions, etc., the plan
needs to change as well."

5. Do Not Forget to Investigate

"When investigating a breach, document everything," said Sfakiyanudis.
"Gathering information on an incident is critical in validating that a
breach occurred, what systems and data were impacted, and how
mitigation or remediation was addressed. Log results of investigations
through data capture and analysis so they are available for review
post-mortem.

"Be sure to also interview anyone involved and carefully document
their responses," he continued. "Creating detailed reports with disk
images, as well as details on who, what, where, and when the incident
occurred, will help you implement any new or missing risk mitigation
or data protection measures."
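The "document everything" advice above, as an added example that is not from the article or the experts it quotes: a small Python chain-of-custody manifest that records who collected which artifact, from where and when, together with its SHA-256, and later re-hashes each artifact so a post-mortem reviewer can tell whether a captured disk image or log changed after collection. The host name, analyst name and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_evidence(manifest, path, who, where):
    """Append one chain-of-custody entry (who, what, where, when, hash) as a JSON line."""
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": who,
        "where": where,
        "what": Path(path).name,
        "sha256": sha256_file(path),
    }
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_manifest(manifest, evidence_dir):
    """Re-hash every listed artifact; True means it is byte-identical to what was recorded."""
    results = {}
    with open(manifest, encoding="utf-8") as m:
        for line in m:
            e = json.loads(line)
            p = Path(evidence_dir) / e["what"]
            results[e["what"]] = p.exists() and sha256_file(p) == e["sha256"]
    return results


def demo():
    """Constructed evidence (a fake disk image and a log excerpt); the log is then edited."""
    d = Path(tempfile.mkdtemp())
    img, log = d / "ws-17-sda.raw", d / "auth.log"
    img.write_bytes(b"\x00" * 4096 + b"constructed image bytes")
    log.write_text("Jun 21 23:58:01 ws-17 sshd: constructed log line\n")
    manifest = d / "manifest.jsonl"
    for path in (img, log):
        record_evidence(manifest, path, "analyst-a (hypothetical)", "ws-17 (hypothetical)")
    before = verify_manifest(manifest, d)
    log.write_text(log.read_text() + "edited after collection\n")  # simulated tampering
    return before, verify_manifest(manifest, d)
```

The manifest is append-only JSON lines, so it can be printed and signed into the hard-copy incident file alongside the images it describes.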

If your company is too analog to conduct this analysis on its own,
you'll probably want to hire an external team to conduct this
investigation for you (as Sfakiyanudis mentioned earlier). Take notes
on the search process as well. Note what services you were offered,
which vendors you spoke to, and whether or not you were happy with the
investigation process. This information will help you determine
whether or not to stick with your vendor, choose a new vendor, or hire
in-house staff who are capable of conducting these processes should your
company be unlucky enough to suffer a second breach.
