Over the last couple of years, there has been an optimistic increase in company breach-preparedness levels. For example, from 2013 to 2015, the percentage of organizations with data breach response plans increased from 61 percent to 81 percent – a significant (and necessary) surge given today’s landscape. Additionally, the involvement of senior leadership in data breach preparedness increased from 29 percent in 2014 to 39 percent in 2015. However, within that same time period, some of the largest, most destructive breaches took place. Think Facebook, LivingSocial, Hilton, Neiman Marcus and JP Morgan. Sadly, that’s only to name a few.
This contradiction between increased preparedness levels and the occurrence of mega-breaches begs the question – if more organizations are aware of security risks and are taking steps to address the issue, but large breaches are continuing at breakneck speed, are businesses going about preparedness the wrong way?
Long answer short: while most companies have preparedness plans and understand the basic procedures for responding to an incident, the actual execution of a plan during a crisis (even a well-developed plan) can present a challenge.
Simply having a plan on a shelf to implement in times of crisis is no longer enough. Companies must consider several different angles and possibilities when managing a live incident. A thoughtful response will not only prevent further data loss and financial fallout, but also preserve brand reputation and customer loyalty. However, there are many nuances companies continue to overlook that cause significant harm. The good news? They are largely avoidable when known.
Below are five of the top “fails” companies often make when preparing for or responding to a data breach and suggestions for how to tackle them.
1. Not practicing or incorporating “worst-case scenarios” in data breach preparedness plans
While many organizations understand the importance of practicing their data breach response – in fact, 83 percent believe more fire drills should take place within their organizations – this precaution is often overlooked. Simulations are typically done as simple tabletop exercises around a conference room, which is a good first step, but it doesn’t test the team under realistic circumstances and may give some part of the response team a false sense of confidence for managing and responding to security incidents.
Companies could greatly benefit from pressure testing their plan with convincing, worst-case scenarios specific to their unique security risks and under more realistic, real-life conditions. This could include calling surprise response drills instead of scheduling them in advance, or pulling key members of the response team out of a drill to see how the rest of the group manages in their absence.
From a planning perspective, many companies only have a basic plan that is not updated regularly. According to Experian's Third-Annual Preparedness study (Editor's note: Bruemmer is VP of the Experian Data Breach Resolution Group), only 25 percent of organizations update their plan once or twice a year, and 35 percent haven’t updated or reviewed their plan since it was put in place. Companies must instead view response plans as living documents that need to be updated on an ongoing basis and adapted to address the latest and most damaging threats facing the organization. For example, companies should consider incorporating into their plans a response to a widespread ransomware attack or to an action by a nation state that causes significant business risk. While companies may think that some of these risks are unlikely to happen to them, time and time again attackers have proven to be unpredictable in who they target and the methods they use.
2. Not identifying and getting to know local regulators and law enforcement prior to an incident
A crucial component of responding to a data breach is working with the appropriate regulators, including attorneys general, local law enforcement and the FBI, who have authority and influence over a security incident. However, many companies wait until an event actually occurs to contact these stakeholders, which adds extra pressure and time to an already stressful situation and often leads to greater scrutiny from regulators. If companies identify and establish relationships with these partners before an event occurs, it is easier, quicker and more comfortable for them to reach out to law enforcement for assistance or to have an open dialogue with regulators who may take an interest in the response.
To get ahead of this, there are two immediate steps companies should take before a breach occurs. First, they should set up a meeting with their local FBI contact to build a relationship and learn from them about the latest threats they are seeing companies face. While it may come as a surprise, the FBI and other law enforcement are typically open to these types of meetings and can be very helpful and informative on the data breach landscape. Second, companies should identify state attorneys general and other relevant regulators and compile a contact list to reference during a crisis, updating as necessary.
3. Not properly collecting and maintaining forensic evidence during an incident
Properly collecting and maintaining the right technical information and evidence needed to determine the size and scope of a security issue is a major challenge for many organizations. Ultimately, not having the proper evidence can make it much more difficult to understand the severity of an issue. It can also lead to scrutiny by regulators when reviewing how effective a company was in handling an incident.
Unfortunately, many companies fail to preserve data from the systems that were targeted during an attack. In some cases, in the interest of maintaining business continuity and quickly remediating the issue, internal IT departments react by immediately wiping and re-imaging affected systems. The idea is that this will quickly stop the bleeding, but if it is done before copies of these systems can be gathered, they are often inadvertently destroying valuable information. Another way that evidence gets destroyed is by not collecting the right networking and other logs from security systems before they get overwritten with new information. These logging systems typically overwrite older entries with new ones on a rolling basis, so if the logs are not collected fairly quickly, they are lost.
Companies must develop a security procedure for containing a compromised system and incorporate this step in response plans so that the team and IT professionals are equipped to preserve the valuable chain of evidence.
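One concrete form such a containment procedure can take is a small evidence-collection step that runs before any re-imaging: copy the relevant logs off the affected host, hash each copy at collection time, and record who collected what and when, so that the bundle can later be shown to be unchanged. The script below is an added example, not code from the original article or from Experian; the host paths, the collector name, the case id and the sample log lines are all constructed placeholders.

```python
"""Evidence-preservation helper: copy logs from a suspect host into an
evidence bundle, hash each file, and write a chain-of-custody manifest.
Added example, not part of the original article; all paths, the collector
name, the case id and the sample log contents are constructed."""

import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def sha256_of(path):
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(source_paths, evidence_dir, collector, case_id):
    """Copy each source file into evidence_dir, hash it, and write a manifest.
    A missing source is recorded rather than skipped: "the log was already
    gone" is itself a finding. Returns the manifest dict."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in source_paths:
        entry = {"source": os.path.abspath(src)}
        if not os.path.isfile(src):
            entry["status"] = "missing"
            items.append(entry)
            continue
        # Flatten the source path into a unique file name inside the bundle.
        dest_name = os.path.abspath(src).strip(os.sep).replace(os.sep, "__")
        dest = os.path.join(evidence_dir, dest_name)
        shutil.copy2(src, dest)  # copy2 keeps the original mtime, itself evidence
        entry.update({
            "status": "collected",
            "stored_as": dest_name,
            "size": os.path.getsize(dest),
            "sha256": sha256_of(dest),
            "source_mtime_utc": datetime.fromtimestamp(
                os.path.getmtime(src), tz=timezone.utc).isoformat(),
        })
        items.append(entry)
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every collected file against the manifest. Returns the list of
    stored names whose hash no longer matches (an empty list means intact)."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    bad = []
    for item in manifest["items"]:
        if item["status"] != "collected":
            continue
        path = os.path.join(evidence_dir, item["stored_as"])
        if not os.path.isfile(path) or sha256_of(path) != item["sha256"]:
            bad.append(item["stored_as"])
    return bad


def demo():
    """Build a constructed 'suspect host' with two logs and one already-missing
    log, collect them, then show that a later change to the bundle is detected."""
    host = tempfile.mkdtemp(prefix="suspect_host_")
    bundle = tempfile.mkdtemp(prefix="evidence_")
    auth_log = os.path.join(host, "auth.log")
    fw_log = os.path.join(host, "firewall.log")
    with open(auth_log, "w") as f:  # constructed sample line
        f.write("Mar 10 02:14:07 web01 sshd[4121]: Accepted password for svc_backup from 198.51.100.7\n")
    with open(fw_log, "w") as f:  # constructed sample line
        f.write("2016-03-10T02:15:31Z DENY src=198.51.100.7 dst=10.0.0.12 dport=445\n")
    manifest = collect_evidence(
        [auth_log, fw_log, os.path.join(host, "proxy.log")], bundle,
        collector="ir-analyst (placeholder)", case_id="CASE-0001 (placeholder)")
    mismatches_before = verify_evidence(bundle)
    # Simulate someone "cleaning up" the copied auth log inside the bundle.
    with open(os.path.join(bundle, manifest["items"][0]["stored_as"]), "a") as f:
        f.write("tampered\n")
    mismatches_after = verify_evidence(bundle)
    return manifest, mismatches_before, mismatches_after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

In practice the bundle would be written to removable or remote storage rather than to the host being investigated, and the manifest hash values would be recorded out of band (for example in the incident ticket) so the later verification does not depend on the bundle alone. The "missing" status matters as much as the hashes: it documents which logs had already rolled over before collection, which is the loss the section above warns about.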
4. Not properly communicating about the breach to all key audiences
When an incident occurs, companies commonly – and rightfully so – focus on notifying affected individuals and managing media inquiries, but neglecting to thoughtfully plan and notify other key stakeholders can cause significant damage.
If stakeholders such as employees, the customers’ customers, and business partners are not aware of a breach, it can lead to the loss of reputation and customer loyalty. Companies must account for these audiences in disclosure plans and not only identify the best communications strategy and tactics to announce the breach to such stakeholders, but also equip them with the materials they need to respond.
For employees, companies should develop internal communications to inform them on the situation and organize internal meetings or webcasts for employees to ask questions. They should also provide them with guidance and the information they need to understand if and when they should communicate and how to properly engage. If the company is business-to-business, it’s critical that customers are notified of a breach so that they can share the appropriate information with their customers as well, which could include a public Q&A and remedies if affected. Lastly, business partners who have a stake in the company must be kept in the loop during times of crisis. To address their needs, the breached company should share information on how they are managing the security incident as well as appropriate talking points to use on the company’s behalf if need be.
5. Not properly debriefing and sharing intelligence with industry peers
Lastly, companies are often quick to move on from an incident without taking the time to debrief. Unbeknownst to many, this is one of the most important steps to take following an incident, in order to better manage and respond to a future attack.
Beyond reflecting internally on how the response went, what was successful and what could have been improved, industry-wide collaboration is key. Companies should take advantage of each other’s experiences and the wealth of resources available to help manage security incidents, including sector-based Information Sharing and Analysis Centers (ISACs), security and privacy events, and industry studies and guides on data breach preparedness.
Sharing insights and learnings from security incidents, and gathering this information from other organizations that face the same threats, can only help improve and inform a company’s response and plan.
All in all, companies should sincerely consider these fails the next time they meet with their response teams, to ensure that they are addressed and accounted for in data breach preparedness plans.