BreachExchange mailing list archives

The Data Breach Checklist Your Clients (Hopefully) Never Need


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Oct 2013 22:32:22 -0600

http://mspmentor.net/infocenter-cloud-based-file-sharing/data-breach-checklist-your-clients-hopefully-never-need

If your client has a cloud-based file sharing designed specifically for
business use, they probably won't need this checklist. For all others, this
checklist should serve as a wake-up call.

“Nobody would ever want to steal our data. Why would anyone do such a
thing?” Famous last words! These days, data breaches are occurring at a
dizzying pace and no one seems to be immune – from the federal government
right down to the smallest of small business.

As an MSP, you’ve strongly recommended a number of safeguards to ensure
that their private data remains private – notably through cloud-based file
sharing. But as you know, not all of your recommendations are acted on. So
for those clients who still don’t see the need for a business-class file
sharing solution with strong safeguards (e.g. end-to-end encryption),
here’s a trick that might help.

Below is a very basic checklist – and we do mean basic – of certain tasks
that will need to be completed in the event of a data breach. Hopefully, by
reading this, it convinces them to invest in a secure option for sharing
files between employees and third parties (or at least make them think
twice about it). Let’s take a look at some of the tasks:

- Investigate, identify and fix: A general rule of thumb in security is
that if it can be breached, it will be breached – and it will continue to
be compromised until it’s fixed. Worse yet, this process tends to uncover
additional security gaps, which will require additional resources. During
this step, someone will have to document the incident in great detail: who
discovered the breach, when did it happen, how much data was compromised
and what type of data was it? This will require several lengthy interviews
and weeks of investigation. Have fun with that.
- Inform the external authorities: When their data has been stolen or
compromised, they’ll need to alert various levels of law enforcement (FBI,
Secret Service, etc.) as well as their legal counsel. If the company has a
PR/crisis management team, this is their time to shine.
- Inform internal authorities: The company will need to hold several
meetings with the internal stakeholders directly affected by the breach.
This would likely include finance and accounting, HR, IT (i.e. you) and the
entire upper management team - not a very valuable use of anyone’s time.
- Inform the end users: Sorry, but if data was compromised, it’s best that
the customer hears it from you first. Aside from the written
communications, they’ll also need to bring their customer support team up
to speed on the issue so they can address a potentially huge spike in
inquiries.

Depending on the industry, the data breach checklist will vary in terms of
exact tasks, but these are pretty much universal. You’ve got to find it and
you’ve got to fix it – and you’ve got to let a number of parties know all
the messy details.

The real point here is that data breaches redirect resources away from
productive endeavors. So if you’ve tried everything and still can’t
convince your client to ditch the file-sharing solution intended for the
consumer, maybe this will do the trick.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Times Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
