BreachExchange mailing list archives

Breach Response: Building a Better Strategy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 May 2014 18:05:37 -0600

http://www.databreachtoday.com/breach-response-building-better-strategy-a-6841

Even in the aftermath of the high-profile Target Corp. data breach and
other recent major incidents, many organizations still aren't developing
and testing breach response strategies, security experts say.

"There are more organizations this year with pre-breach response plans in
place," says Michael Bruemmer, vice president of Experian Data Breach
Resolution. "But at the same time, there are many retailers, manufacturers
and small businesses that are lagging behind."

Among the reasons why some organizations don't have even the basics of a
plan in place, Bruemmer says, is because they lack the resources or aren't
aware of regulatory requirements for risk assessments and breach
notification. Plus, some are over-confident that an incident isn't going to
happen to them, "which is simply pretty foolish," he adds.

Security experts say the basic components of an effective breach response
strategy that many organizations still, unfortunately, lack include:
creating a competent response team; devising a well-documented strategy
that covers discovery, forensics, response, and notification and reporting;
implementing effective training; and testing and auditing the plan to
continuously improve it.

Developing a Team

A key to successful breach response is ensuring that an organization has an
adequate team in place to handle the incident every step of the way, says
attorney Ronald Raether of the law firm Faruki Ireland and Cox PLL.

"While each element [of breach response] is critical, I cannot stress
enough the importance of a team that is staffed with people with the
leadership capability and support of management to act decisively when it
comes time to manage a response," Raether says.

He also recommends that an attorney be a part of the team to deal with
liabilities associated with a breach and the need to deal with regulators.

In too many cases, breach response teams are inadequately staffed, the
attorney says. "In other words, the plan is written but the incident
response team responsible for managing and revising the plan are not
competent or maybe do not have sufficient authority to get things done."

Well-Defined Strategy

A successful breach response plan requires a well-documented strategy. The
plan, at a minimum, should address the steps the response team needs to
follow to assess a breach, stop it and mitigate harm, Raether says.

Ideally, the plan should be written by individuals who have past experience
in breach response, says Alan Brill, senior managing director at security
advisory firm Kroll Solutions. "The difference between a model of incident
handling and the complexities of a real incident can be significant," he
says.

Also, the plan must be regularly updated, Raether stresses. "The problem,
of course, is that the business continues to grow in size and complexity
around this stagnant policy," he says. "New business partners, data
sources, technologies and maybe even more business units complicate the
data infrastructure. Likewise, each new element brings one or more
additional obligations under the incident response plan."

Ellen Giblin, an attorney at Ashcroft Law Firm specializing in privacy and
data security, says that too many organizations lack the technology to
adequately respond to a breach. For example, many rely too heavily on the
use of spreadsheets to document incidents. "It's not really dynamic," she
says. "Spreadsheets won't process information and get you the type of
reporting you'd get from a platform."

The lack of an enterprise platform that enables all stakeholders to view
up-to-the-minute reports on the number and types of breaches can affect the
work of the breach responders and privacy professionals within an
organization, Giblin says. "The detriment to that is it prevents those who
do the root-cause analysis from trying to fix the processes that led to the
breach ... and mitigate them as soon as possible," she says.

Notification and Reporting

When it comes to notification and reporting of an incident, how a company
communicates externally is often a point of failure, Raether says.
"Companies must carefully and methodically plan for the messaging to
consumers, other businesses, media and the regulators," he says.

For public announcements, organizations need to have a "Plan B" in place,
Bruemmer says. "Every breach plan should have a provision in the event that
the news media gets ahold of it and pre-empts normal notification," he says.

The Plan B should involve coordinating with forensics firms and law
enforcement as to what information can be provided in an early
announcement. "In many cases, law enforcement will use evidence during the
forensics process to catch and convict hackers that are responsible for
exploiting or exfiltrating data," Bruemmer says. "It's important to follow
the guidelines of forensics firms and law enforcement people beforehand,
and wait until you have the information to notify people with the correct
information."

Training

Giblin says the implementation of basic training around detecting,
reporting and managing breaches is critical. "Training is the lowest cost,"
she says. "You don't have to have the Rolls Royce of training. You can use
a lot of the good resources that the Federal Trade Commission has provided."

Giblin says adequate training helps to ensure that "you're not bringing
people up to speed in the middle of a breach."

A company can have its reputation harmed if all staff members don't
understand the company's breach response plan, Raether says. He describes
one incident when an account representative received a call from a customer
about a breach. "The account representative, not knowing about the incident
response plan, worked on their own to 'fix' the customer's problem. When
the event finally did get to the response team, we had a much harder task
in addressing all the moving parts of a breach response, having to undo
much of the effort of the good-intentioned account representative."

Testing the Plan

For organizations to build a better breach response strategy, they need to
continually audit and test their plan, Bruemmer says. "You need to audit
back that plan and continuously improve [it] at regular intervals," he says.

Too many organizations fail to conduct live practices of their plan, which
can aid in identifying any gaps in process that need to be filled. "It's no
good to develop a plan, check the box and stick the binder on the shelf,"
Bruemmer says. "That doesn't do you any good."

A recent survey conducted by HealthcareInfoSecurity found that 49 percent
of healthcare organizations have not tested their breach response plan to
see if it works.

"There are many who think they have a viable plan but haven't tested it,
and may be in for some surprises when they do," Brill says.

Involving Board of Directors

Another essential component to building a better breach response strategy
is involving senior management and the board of directors. After all,
mishandling a breach can affect a company's financial viability. "We're
seeing that firms in the private equity and venture capital spaces are
taking very hard looks at cybersecurity as they recognize that data
breaches can put their investments at - often preventable - risk," Brill
says.

The need for C-level involvement is evident following the Target breach,
Raether stresses. "Target's communication strategy immediately following
the event shows a lack of C-level involvement," he says. "The messaging
showed a slow recognition by Target's top management of the messaging and
media outlets that must be used to successfully communicate in the wake of
an event.

"While Target eventually used social media and improved its talking points,
the delay in getting to that point signals to me a gradual education of the
executives as to what is required rather than an immediate understanding."

Organizations may also want to consider cyber-insurance to offset the costs
of data breach response, "which can be extensive in both time and money,"
Raether says. "Some policies include value-add services, such as a breach
coach."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/