BreachExchange mailing list archives

Top 10 data breach survival tips after eBay, Spotify and Office breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Jun 2014 19:31:56 -0600

http://www.v3.co.uk/v3-uk/news/2347211/top-10-data-breach-survival-tips-after-ebay-spotify-and-office-breaches

With eBay, Spotify and even shoe seller Office all having suffered data
breaches in the past few weeks, it is clear that hackers' interest in
corporate data is growing all the time.

These firms can't plead ignorance of the threat either, as recent research
from security firm Symantec reported hackers managed to successfully
compromise 552 million web users' identities over the past year, so the
risk has already been well documented.

Not only can a breach result in the victim losing customer trust and future
business, the Information Commissioner's Office (ICO) can hit organisations
with fines as high as £500,000 for data loss incidents. All in all, data
breaches can be costly affairs.

In light of all these recent incidents the need for IT managers and
businesses as a whole to know how to handle a data breach is more essential
than ever. So V3 has put together a survival guide that could help save the
day. Read on.

10. Don't alert hackers you're on to them too quickly

The temptation whenever you spot an intruder on your network is to act
immediately and kick them out straight away. But, as noted by numerous
security providers, including BAE Systems, this approach is fairly
short-sighted.

By acting rashly you can alert the hackers that you're on to them too
early, meaning they can adapt their tactics to dodge your defensive
measures. A rushed strike can also make it more difficult to understand the
full extent of the breach as it gives the hackers time to hide their tracks
and makes it harder for IT managers to do key things, like finding and
fixing the attackers' point of entry.

9. Contact the relevant government bodies

The Information Commissioner's Office (ICO) could well end up fining you
for a data breach, but the organisation is far more likely to look
favourably on you if you fess up and co-operate over an incident, rather
than trying to cover it up.

Furthermore, if your organisation is of critical importance to the UK, like
a utility company for instance, it is definitely worth letting the relevant
government departments know, so they can help you and warn others in the
sector, with the necessary secrecy.

It's never easy admitting you've done something wrong or made a mistake,
but usually the repercussions of not doing so are far worse.

8. Talk to your security provider

Despite efforts by the government to encourage disclosure, many companies
enter into a shame spiral after a data breach and try to talk to as few
people as possible about their predicament.

Some even go so far as to freeze out their security providers, which
considering the vast sums of money most spend with them, seems slightly
bizarre.

The days when security providers simply set up a firewall or antivirus
solution and walked away are done. In today's threat landscape, security
providers act as experts and guides, full of handy tips and advice about
how to deal with a data breach after the worst has happened.

So, contacting your security service provider should be one of your first
actions following any successful attack on your networks.

7. Take advantage of government help schemes

Security providers aren't the only sources of help out there when it comes
to data breaches.

Thanks to the UK's ongoing Cyber Security Strategy there are a wealth of
government-sponsored initiatives that can help offer guidance and support
following a data breach.

These include the UK's newly launched Computer Emergency Response Team
(CERT), which manages the country's large Cyber Security Information
Sharing Partnership (CISP) and the ongoing Cyber Streetwise campaign.

Make sure you take advantage of whatever help is out there. You pay your
taxes, so you have every right to reap the benefits.

6. Honesty is the best policy

Unless you’re absolutely certain you don’t need to go public, or for some
legal or security reason, can’t go public, then fessing up and talking
about what’s happened is the best policy.

Letting users know what has happened, when, how and why, and what you’re
doing about it not only shows a level of humility that businesses sometimes
forget people like to see, but helps customers assess the situation for
themselves.

If you’ve been targeted by highly skilled hackers who went after your core
data and can say you’ve contacted the police and the ICO, and are doing all
you can to gather more information, people will be much more understanding.

A company that tries to cover up a breach, or drip-feeds information slowly
and without much clarity, will only exasperate and anger users, leading to
more negative press coverage that could have easily been avoided.

5. Learn from your mistakes

There are many lessons that can be learned from a security breach, and
companies would be wise to take them on board and absorb them.

You do not want to make the same mistake again, so shore up and fix your
systems. Apply any and all patches that are available. Your customers need
to trust you, give them two-factor authentication, earn their respect, and
keep them informed about what happened and why.

While eBay may not have immediately reacted to its password problems in the
best way, it did react when users and industry told it things could be
better, so at least it showed that it is willing to accept it did not get
everything right straight away.

4. Make it easier for customers to change details

When you do alert customers and partners to an incident, making sure they
can easily follow the advice you give them is a must. The eBay incident
showed that this is easier said than done.

The firm was late sending out emails urging password changes, and then its
own information on how and where to change passwords was confusing and hard
to follow.

If you’re going to advise users on changes they need to make, make it easy.
Have a prominent ‘change password’ button on the front page of the website
and ensure your systems have enough capacity to cope with the surge in
demand this will create.

Anything less than a hassle-free experience will leave users all the more
concerned and questioning whether they want to do business with a company
that can’t make such a simple, everyday requirement easy to carry out.

3. Share attack data and best practice with other firms

Not talking about data breaches only helps hackers. By taking a 'mum's the
word' approach to data loss companies effectively give hackers free rein to
reuse their hack tools and exploit the same vulnerabilities across a wide
range of targets.

As a result the need to share attack data with other companies is more
important than ever as it can stop single attacks turning into wider
campaigns.

While the practice won't directly help you following a data breach, it can
help entice other firms to take a quid-pro-quo approach in the future and
give you a heads up about a new threat you may otherwise have missed,
meaning in the long run, it's worthwhile.

2. Do a full systems check

Hackers are a little like rats - and no, we don't mean remote access trojans.
Once inside your network hackers don't stay still; they spread like
wildfire and will get into any system they can, even if it's not
necessarily of direct use to them.

This means you cannot afford to simply assume the hackers were only in the
part of the network or system you initially spotted them in and should do a
full systems scan and forensics work to understand exactly how far they got
before being caught.

If you don't you may soon find yourself falling victim to a second,
potentially more dangerous attack from the same group.

1. Assume you will be breached and have a strategy

If the eBay breach has shown one thing it’s this: have a plan for dealing
with the fallout from a hacking incident or breach, and make sure your
staff know it by heart. The confusion and lack of clarity from the firm
only made the situation worse.

Everyone in the company, from the CEO to marketing, from the web team to
the sales bods, should know what the strategy is for dealing with an
incident.

This way, when such a situation occurs everyone will know their role and be
able to act effectively.

For eBay this could have meant that emails urging password changes were
sent out promptly, and that finding and changing passwords could have been
made far more straightforward.

As eBay, Target and countless other incidents have shown, assuming you
won’t be attacked is naive and potentially dangerous. It may seem paranoid
to get the whole company thinking about how they’d react to a breach, but
just because you’re paranoid doesn’t mean they’re not out to get you.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/