Security professionals now face the extremely difficult task of protecting every potential point of access in an organisation (internally and externally) at all times. However, an attacker only needs to identify and exploit a single weakness at a single point in time to execute a successful attack. This often means exploiting the one thing that security professionals have the least amount of control over: employees. In fact, the latest Verizon Data Breach Investigations Report confirms that humans are the weak link in nearly 90% of all incidents (and the other 10% are kidding themselves).
The breach may be where the trouble starts, but what comes after and how they respond is the real source of pain for the overwhelming majority of breached companies. A comprehensive response strategy will help minimise the fallout. You’ll need to consider all of the potential outcomes by having a crisis communications strategy, retaining external legal counsel and a post-breach notification vendor and establishing a relationship with the relevant law enforcement agencies. Most importantly, you need to test and practice your response plan, over and over and over again until it becomes muscle memory.
One of the main concerns cited by organisations in the wake of a breach is around potential damage to their brand reputation, leading to loss of customer confidence, market share, stock price and overall valuation due to negative media attention.
A response strategy is the blueprint for how your organisation will respond during a cyberattack, helping you address all of these concerns. The individual components are (or should be) broken down into crisis communications, legal counsel, digital forensics and incident response, public relations and law enforcement. All of these must be combined in a way that their unique contributions form a coordinated, comprehensive response. It used to be the case that a computer security response plan (CSIRP) detailing the technical components of the overall response was enough. Now, a more comprehensive data breach response strategy (DBRS) extends into additional areas of the business. Oversight of the DBRS should belong to a member of the executive management team who has the authority to make tough decisions regarding the incident as it occurs.
After the breach response has concluded, there could be a regulatory or government inquiry into the cause of the breach and the organisation’s overall response. The organisation may also be the target of post-breach litigation centring on the data that was involved – what kind of data was put at risk, what data was extracted, and the length of time that data was exposed.
The choices you make following a breach will define how well your organisation comes out of it. That’s why it’s imperative for organisations to run through as many of these decisions as possible ahead of time. This will save valuable response time and help to minimise the damage from the fall out. A response strategy can be divided into five big areas that will have to be considered either before or during an incident.
Avoid speculating about unknowns such as what led to the incident and focus on the facts. Make sure that executive staff and board members know that responding to the incident is your highest priority and that you will provide regular updates during the investigation and remediation.
Regardless of the pressure people are placing on you, be honest about your estimated timeframes. Incident response and containment takes time and it’s important to manage these expectations appropriately. Your response to an incident be scrutinised by law enforcement, regulatory bodies and potentially the government. Cutting corners will only make things much worse later on.
One of the first things you should consider is whether or not you should be retaining external legal counsel. Lawyers who specialise in data breach cases can help you avoid many potential pitfalls, so find a trusted firm and lawyers who have worked on breaches in the past. By setting up a retainer with them, you will have the expertise at your fingertips, should a breach occur. Additionally, your legal counsel should be the ones to coordinate contracts with external digital forensics and incident response experts to maintain privileged communication during the investigation.
The next decision you should make following a breach is when to bring in external forensics experts. Due to the increasing number of breaches occurring, incident response teams tend to be difficult to contract at the last minute. Ensuring that you have a retainer with a team of experts before you ever need them will save your organisation money by avoiding last minute higher rates, and allow you to ensure the team you want is available.
It’s also imperative to have a plan in place considering responses to any media enquiries resulting from a breach. A poorly handled media response could cause irreversible reputational damage to your organisation. You must be timely in your response and consult your legal counsel before making any statements. It’s not only important to be genuine and candid, but also to avoid speculation and revealing any information that could compromise the investigation. Whilst the facts may be painful, being disingenuous or misleading could cause more brand damage than the breach itself. You only get one shot at this, and as the saying goes, you can’t un-ring the bell; so choose your words wisely.
Reaching out to law enforcement agencies such as the police and the ICO before a breach even occurs can only help matters when it comes to engage with them further down the line, once you have been breached. They can provide you with a wealth of knowledge about the current threat landscape as well as valuable advice on dealing with a breach. Knowing who to call and having an existing relationship with local law enforcement will make post-breach communication far easier and more efficient.
Nowadays, if you get breached, there is a high chance that you could have a lawsuit to contend with. Regulators in the UK have begun to focus on the steps that a victim organisation took beforehand to minimise the impact of the breach, how it has been evolving its response capabilities and what it was doing to test and strengthen its overall security posture. Organisations that cannot provide clear evidence of the measures they have taken in response to a breach can expect fines, adverse directors and officer’s action and, as a result, loss of market share, company valuation and customer confidence.
According to the 2016 Cost of a Data Breach Study by the Ponemon Institute, the average cost of a data breach in the UK is ?2.53 Million, representing a 6.5 percent increase in the last two years. In today’s threat landscape, if you have something worth stealing, you are a target, regardless of your company’s location, size or industry.
All organisations are faced with a simple choice. Either spend money upfront by preparing and performing realistic testing and training, or react, largely unprepared, to a data breach. The latter will cost you more than just revenue in the long run. It’s the choice between either bolstering your brand reputation, or risk destroying it irrevocably.