BreachExchange mailing list archives

Every business needs a data-breach response plan


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Oct 2014 14:17:15 -0600

http://www.azcentral.com/story/money/business/tech/2014/10/09/every-business-needs-data-breach-response-plan/17001833/

"What do we do next?"

Picture this: Your small business has been hacked and you are now asking
yourself, your business partners or your management team that question.

If the question characterizes the state of your ID-theft preparedness, the
painful answer I have is: It's already too late.

You need to be ready before your data is hit and immediately launch your
data-breach incident response plan. In case you're not ready, let me give
you the essentials I provide to my business and civic audiences so you can
be prepared.

The first priority for your business is to understand the three primary
data-breach risk factors: people, processes and technology. The people
factor includes current and former employees, customers, associates,
vendors and independent contractors.

Processes include information technology, enterprise risk management,
marketing, sales and human resources.

The technology that you rely on to conduct and grow your business also is
being used by cybercriminals to identify vulnerabilities of your business.

Your second priority is to complete a data assessment of all types of
information that your business collects, uses, stores and transmits.

• What type of data (on employees, customers or patients) is in your files?

• What type of personally identifiable information is in your business data
(for example, name, address, Social Security number, driver's license, bank
account, credit/debit card, medical plan information)?

• What aspects of your business are performed within and outside your
business?

• What would be the value of your data assets if they were stolen and made
public?

• What would be your overall financial risk if your data was breached?

• In which states does your business conduct business and in which states
are your customers/employees/patients living?

• Does your business insurance include cyber/network liability?

Your third priority is to include the following five components in your
small-business data-breach incident-response plan:

• Determine breach source. Make sure the data compromise is isolated and
access is closed. You may need a forensic investigation company.

• Breach assessment. Determine the scope of the data breach and privacy and
data-security regulatory requirements.

• Response plan. Include internal employee education and talking points;
public relations, customer education and resources; business or consumer
solutions to be considered; and the content and timely release of
notification letters.

• Protection plan. Determine what protection services will be offered to
the compromised record group and confirm professional call-center and
recovery advocate-support services.

• Breach-victim resolution plan. Provide access to professionally trained
and certified identity-fraud recovery advocates who will work on behalf of
the victims to mitigate and resolve the issues caused by breach.

Templates are freely available online to assist with the creation of your
data-breach incident response. Also, consider contacting your insurance
broker and professional trade associations to which your business belongs.
They often have good resources.

Mark's most important: Promise yourself today that you will have a
data-breach response plan in place by the end of the month.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
