[BreachExchange] You’ve been hit by a data breach – now what?

Destry Winant destry at riskbasedsecurity.com
Fri Jan 10 10:19:07 EST 2020


https://www.techradar.com/news/youve-been-hit-by-a-data-breach-now-what

Although we’re told to prepare for the worst, very few of us do. Most
of us tend to approach worst-case scenarios with the same mindset. No
one thinks it’s going to happen to them. The same thinking applies to
data breaches even though these are becoming more and more frequent.
In August, a Risk Based Security report found that the number of data
breaches reported in 2019 was 54% higher than at the same point in
2018. It’s not a matter of ‘if’, but ‘when’.

While data breaches are still the exception rather than the rule, they
pose a genuine threat that, once realized, can leave a lasting impact
on a business going into 2020. Businesses need to be well prepared for
the possibility of a breach and have an established process that lets
them react quickly and appropriately. This means not relying on
endpoint security alone with no plan for what happens when it fails.
It also means keeping full, tested backups of all data so that
disaster recovery is possible when required.

Some businesses may already have policies and processes in place
outlining their response to a data breach, but these must be regularly
reviewed and amended. As the IT landscape shifts and hackers become
more sophisticated, best practice must evolve.

Preparing for the worst

First and foremost, businesses that recognize the threat of data
breaches will have an incident response plan in place. However, these
plans should be more than step-by-step guides on what to do in the
event of an issue. Every business is unique with its own set of market
conditions and specific challenges that must be factored in. Scenario
planning, based on an enterprise’s focus, solution and customer base,
is a good place to start.

That process should begin with a look at the data that could
potentially be compromised in a breach. Personally identifiable
information (PII), for example, requires additional consideration to
ensure customer data is protected and that businesses are complying
with GDPR and other privacy laws. Businesses need to understand what
kinds of PII are being held, where exactly they are stored within the
IT infrastructure, and what safeguards are in place. A thorough risk
assessment of these environments, possibly including penetration
testing, will uncover vulnerabilities.

A strong plan also involves building a level of preparedness
internally. Every employee across the organisation should understand
best practice on data sharing and be made wary of social engineering
attacks, from simple email phishing and malicious attachments that
weak antivirus protection lets through, right up to AI-based scams
that mimic C-suite instructions.

A plan should also provide different defined response paths based on
the potential severity of breaches and engagement points. From there a
decision tree which includes a checklist and workflow can more easily
be created.

Assessing the situation

In the immediate minutes and hours after a breach, action needs to be
taken quickly. This doesn’t mean doing so before the facts are clear,
but it does mean doing so in an appropriately responsible and timely
manner. Here’s where that incident response plan can save critical
time. First, you need to understand the scope, quickly. This can often
require the help of third-party assistance, especially for businesses
that don’t have an in-house security team at their disposal.
Businesses that are well prepared for a breach will already know who
to call in the event of one; those that aren’t will waste precious
time debating who’s best to call for assistance.

Once this scope is established, some key questions can be answered.
Does law enforcement need to be called? Does the breach fall under
GDPR? If yes, the business has 72 hours from becoming aware of the
breach to report it to the supervisory authority, and must also inform
affected customers and/or employees without undue delay where the
breach poses a high risk to them, or potentially face hefty fines.
Businesses need a granular level of visibility to understand how the
breach occurred and therefore how to mitigate its impact. Was it down
to a flawed security process or a missing patch?

There are tools available for businesses looking to establish the
severity of a breach. A good SIEM tool can collect and correlate log
data and capture things like information flow, allowing the isolation
of impacted systems, the level of impact, and the type of data
impacted. A breach of music files, for example, isn’t good, but it’s
an entirely different story if somebody gets hold of personally
identifiable information (PII), financials, etc. This also provides
insights into areas for improvement; e.g., if a patch wasn’t applied,
why not, and how should processes change going forward?
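The three planning and triage steps above (knowing which systems hold which
kinds of data, choosing a response path from a severity-based decision tree,
and using SIEM log data to isolate impacted systems and the data they hold)
can be wired together in a small triage script. The following is an added
example written for this page; it is not code from the TechRadar article,
Risk Based Security, or any SIEM product. The host names, data classes,
severity weights, IP addresses and the five-field log format are all
constructed for illustration, and the 72-hour clock it computes is the GDPR
Article 33 deadline for notifying the supervisory authority, measured from
the moment the organisation became aware of the breach.

```python
"""Breach triage helper: data inventory, log-driven scoping, response path, GDPR clock.

Added example for this article; not code from TechRadar or Risk Based Security.
Every host name, data class, weight, IP address and log line below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed data inventory: which classes of data each system holds.
DATA_INVENTORY: Dict[str, Set[str]] = {
    "crm-db-01": {"customer_pii"},
    "payroll-01": {"employee_pii", "financial"},
    "media-nas": {"media"},
    "build-srv": {"source_code"},
}

# Data classes treated as personal data under GDPR (assumption for the example).
PERSONAL_DATA = {"customer_pii", "employee_pii"}

# Relative weight of each data class when scoring severity (assumed values).
WEIGHT = {"customer_pii": 3, "employee_pii": 3, "financial": 3, "source_code": 2, "media": 1}

# Constructed SIEM export: "<timestamp> <host> <user> <action> [<object>] <src_ip>"
SAMPLE_LOG = [
    "2020-01-08T02:14:07Z crm-db-01 svc_backup LOGIN_OK 203.0.113.45",
    "2020-01-08T02:15:30Z crm-db-01 svc_backup EXPORT customers.csv 203.0.113.45",
    "2020-01-08T02:40:12Z media-nas svc_backup READ promo.mp4 203.0.113.45",
    "2020-01-08T09:00:00Z payroll-01 alice LOGIN_OK 10.0.0.12",
    "2020-01-08T09:05:11Z build-srv bob READ main.c 10.0.0.20",
]

# Constructed time at which the organisation became aware of the breach.
AWARE_AT = datetime(2020, 1, 10, 8, 0, tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    obj: str
    src_ip: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the constructed SIEM format; the object field is optional."""
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) not in (5, 6):
            continue  # skip malformed lines rather than abort the triage
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        obj = fields[4] if len(fields) == 6 else ""
        events.append(Event(ts, fields[1], fields[2], fields[3], obj, fields[-1]))
    return events


def impacted_hosts(events: List[Event], attacker_ips: Set[str]) -> Set[str]:
    """Systems touched from a known-bad source address."""
    return {e.host for e in events if e.src_ip in attacker_ips}


def impacted_data(hosts: Set[str]) -> Set[str]:
    """Map impacted systems onto the data classes the inventory says they hold."""
    classes: Set[str] = set()
    for h in hosts:
        classes |= DATA_INVENTORY.get(h, set())
    return classes


def severity(classes: Set[str]) -> int:
    return sum(WEIGHT.get(c, 0) for c in classes)


def response_path(classes: Set[str]) -> str:
    """The decision tree: which pre-defined response path applies."""
    if classes & PERSONAL_DATA:
        return "critical"  # personal data: legal, comms, regulator clock
    if severity(classes) >= 2:
        return "major"     # confidential but not personal data
    return "standard"


def gdpr_authority_deadline(aware_at: datetime) -> datetime:
    """GDPR Art. 33: notify the supervisory authority within 72 h of awareness."""
    return aware_at + timedelta(hours=72)


def triage(lines: List[str], attacker_ips: Set[str], aware_at: datetime) -> dict:
    events = parse_log(lines)
    bad = [e for e in events if e.src_ip in attacker_ips]
    hosts = impacted_hosts(events, attacker_ips)
    classes = impacted_data(hosts)
    deadline: Optional[datetime] = gdpr_authority_deadline(aware_at) if classes & PERSONAL_DATA else None
    return {
        "impacted_hosts": sorted(hosts),
        "data_classes": sorted(classes),
        "exported_objects": [e.obj for e in bad if e.action == "EXPORT"],
        "first_attacker_activity": min((e.ts for e in bad), default=None),
        "response_path": response_path(classes),
        "gdpr_authority_deadline": deadline,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, {"203.0.113.45"}, AWARE_AT).items():
        print(f"{key}: {value}")
```

Running the script scopes the constructed intrusion to crm-db-01 and media-nas,
flags the customers.csv export, selects the "critical" path because customer
PII is involved, and prints the authority notification deadline. The point of
the inventory mapping is that a single log line against a host resolves
immediately to the data classes at risk, which is the information the
decision tree and the notification decision both depend on.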

All hands on deck

In addition to being quick, breach responses call for a business-wide
effort. When data is breached, it’s easy for the incident to be
categorized as an IT security issue that concerns only a limited
number of employees. This is the wrong attitude, as breaches can have
dire consequences for a business’ brand, revenue, or both. A breached
company will want to quickly assemble a cross-functional tiger team so
that the business can respond as quickly and as transparently as
possible at the right levels, while simultaneously putting in place
steps that will help make amends to those impacted. The rule is to
fail fast: own it and communicate with clarity and honesty.

Above all else

In 2020, IT pros need to re-evaluate their approach to data breaches.
Maintaining best practice to make a breach less likely is important.
Beyond this though, IT pros need to expect and be fully prepared for a
breach to hit. A breach doesn’t have to be an extinction event. It can
be painful, but with the right preparation, it can be a whole lot
easier, and the impact can be significantly minimized.

