How to Respond to a Data Breach
Despite all of the advice on preventing data breaches, such breaches will inevitably happen. The right preparation will help you respond quickly and contain the damage.
According to the results of a recent Ponemon Institute study commissioned by Solera Networks, the average cost of a malicious data breach has risen to $840,000, with the average cost per record at $222. Still, only 40 percent of organizations surveyed say they have the tools, personnel and funding in place to track down the root causes of a breach.
And most breaches remain undetected for a long time. The Ponemon study found that it takes an average of 80 days to discover a malicious breach -- and one third of malicious breaches aren't uncovered by the company's own defenses. They're only discovered when the company is alerted by law enforcement, a partner or a customer, or they're simply uncovered by accident.
As a result, Yo Delmar, vice president of GRC solutions at MetricStream, says it's crucial for companies to become more proactive about planning for a data breach. "As companies become aware they've been attacked, they start to develop some sophistication around the processes -- but when it first happens, it's just devastating, because the whole internal organization isn't calibrated to respond to these kinds of breaches," she says.
It's important not only to plan for a breach, Delmar says, but to go one step further by testing that plan in tabletop exercises. "You can't do this with siloed systems; you need an end-to-end set of interconnected processes around incident management, crisis management and case management, tracking those communications right out to the regulators as you're reporting what happened," Delmar says.
Determining Cause of a Data Breach
Rodney Smith, director of information security and field engineering guidance at Guidance Software, says the most important thing to do following a breach is to stay calm and take your time. "Take the system that you've determined to be breached, and if at all possible make a forensic image of it so that you can analyze it after you get back online. If you don't determine what happened, you'll pay for it in the long run. You could be attacked again from that same vector because you didn't take the time to analyze how you were attacked and how you can prevent it," he says.
Particularly for smaller companies, Smith says, it can be tempting to rush that analysis in the effort to get things back up and running. "For the folks with limited resources, where it's a one-man shop from an IT perspective, that one guy's already pretty strapped and everybody's telling him, 'Hey, we need to get back online and get to work.' So the smaller folks tend to overlook the need to analyze what actually happened so they can prevent it in the future," he says.
The point is that it's much more constructive to see a breach as a learning experience than simply to view it as a failure that's best forgotten. "Sure, you're going to take some lumps, but you're going to come out ahead if you document what you did each time, and learn from each incident going forward so you're not repeating mistakes over and over again," Smith says.
Preparing for the Inevitable Breach
Sophos senior security advisor Chester Wisniewski says keeping extensive logs will make it infinitely easier to recover from a breach. "When I talk to folks, they say, 'If we were to have an incident, what would be the most important thing?' And I say, 'Well, do you have, say, the last four years' worth of firewall logs?' And they look at me like I'm a space alien," he says. "But realistically, that's what you need."
When a breach is first detected, Wisniewski says, you'll need those logs in order to determine when the breach started and what was accessed. "You may have regulatory obligations, you may have financial obligations if you're a public company -- and you need to be able to definitively assess what intellectual property was impacted and what customer data may have been stolen," he says.
And with different data breach notification laws now in place in almost every state, Wisniewski says, it can be extremely complicated to determine what your notification requirements are. "So generally, what organizations do is they choose the strictest, and they just apply that to everyone -- rather than trying to sort out what they're going to do for their customers in Missouri instead of Idaho," he says.
Encouraging Breach Reporting and Getting Help
Most importantly, Wisniewski says, all employees should be made to feel comfortable coming forward to report a possible breach. "Inform your employees that if they think something's wrong, there's no shame involved; make sure you report it so we know right away," he says. If and when an employee does so, the IT team should immediately step in and assess the situation, keeping management informed as they go.
And Wisniewski says having a clearly laid out plan for breach response will ensure that the initial process goes as smoothly as possible. "Who do you call? Do you unplug the systems? You need to have a plan in place so that when you discover that you have a problem, everybody doesn't go into a panic," he says. "You should have an organized list of steps that you’re going to take, and know who's responsible for the different parts of the plan."
Finally, Wisniewski says, don't assume you can handle it by yourself. "Unless you're a really large organization, you probably should call in an incident response team if you have an incident that you believe may affect customer or employee information, because the forensic skills required to do the job properly are a lot more than almost any average IT guy has," he says.
Summing It up: 5 Key Steps
Develop an end-to-end set of interconnected breach-response processes around incident management, crisis management and case management -- and test them regularly. Spell out who is responsible for handling all of the specific steps in your plan.
Don't rush your analysis. Try to see it as a learning experience, and realize you can use what you learn to avoid future breaches. If you can, get a forensic image of the damage.
Maintain extensive activity logs, which will help you meet regulatory obligations.
Encourage your employees to report any suspicious activity. Make sure the IT team follows up and checks out each report.
Call in an incident response team for incidents that may affect sensitive employee or customer information.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.