BreachExchange mailing list archives

Planning for the inevitable cyber breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 20 May 2014 19:00:05 -0600

http://www.insidecounsel.com/2014/05/20/planning-for-the-inevitable-cyber-breach

Look out over the ramparts of cyber defense and you’ll see that there are
barbarians at the firewalls, an ever-diversifying lineup of hackers,
corporate spies and foreign agents hell-bent on compromising the data of
your corporation. Add to that the increasing scrutiny that regulatory
agencies are applying to those who “allow” their sensitive information to
be compromised, and you’ve got a recipe for cyber disaster.

While outright prevention of attacks is impossible, mitigating the effects
of a data breach and the reputational damage associated with it is something
that organizations can aspire to. That being said, it can take a
considerable effort to make it happen, and it also requires that
corporations embrace this challenging new reality.

At the 2014 SuperConference, the session “Primer to Cyber Security Incident
Response Plan” examined exactly what corporations were up against, and
tapped a number of industry experts to give their advice for developing
plans to combat the issues.

In the words of Scott Vernick, partner at Fox Rothschild LLP and moderator
of the panel, “looking at the 2013 statistics, 90 percent of companies
reported they’ve been hacked. There are only two types of companies, those
that have been hacked and those that don’t know they’ve been hacked.”

The first step to combating a breach is putting together a preliminary
blueprint, but as Vernick pointed out, tactical plans can be as much of a
curse as a blessing. On the one hand, they provide an actionable list of
instructions on what to do; on the other, they can be cumbersome or
restrictive when taken too literally.

For Gretchen Herault, deputy chief privacy officer at Nuance Communication,
ensuring that there is wiggle room within that plan is essential. “It
doesn’t have to be specific down to who does what and when, but if you’re
planning for battle you have to have a plan. Granted, when that battle
starts that all goes out the window and you do what comes naturally, but at
least you have a starting point,” she says. “People need a script to read
off of. As the situation evolves you might have to go off that script a
little bit, but you need that framework to give everyone the lanes to swim
in.”

Shannon Couffer, director, regulatory law, legal services and
administration for Walgreens, agreed that a level of flexibility is key to
a successful plan. “Breaches never happen when you have the luxury of time,
they happen in the instant and you have to respond in that instant. So
having a plan that anyone can pick up and run with is a strength,” Couffer
says.

Regardless of how succinct or illustrative the plan turns out to be,
Deitzah Raby, assistant general counsel & privacy officer of Hill-Rom
Holdings, Inc., says that whoever is responsible for overall cyber
protection needs to ensure that the key stakeholders are involved. “The two
most critical groups to me are legal and the IT security group,” Raby says.
“They’re most likely the ones who first become aware of the incident,
whether they find it themselves or hear from external parties. If you’re
not already working closely with security, it’s wise to make sure you get
to know them and understand the things they work on. Once you’ve confirmed
the breach, then I think you need to expand the group further to include
all the other stakeholders.”

But a plan of action alone is not enough to save the day from a data
breach. The group agreed that identifying where the information is, and
knowing inside and out what could potentially be affected, is also a
critical component of breach mitigation. Those in charge of protecting
information should readily know what information is where, whether or not
it was stored electronically, whether it was encrypted, and whether or not
it could be acquired by an unauthorized user.

And when the inevitable breach does happen, the choice to alert users
should not be taken lightly, nor should offering compensation to those
affected. Herault says that at a previous employer, a massive data breach
resulted in the company shelling out millions to offer credit monitoring
software to anyone whose information had been stolen. Only one person
ultimately signed up.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss