BreachExchange mailing list archives

Data breach: How to react in the crucial first 24 hours


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 28 Oct 2015 19:06:48 -0500

http://realbusiness.co.uk/article/32050-data-breach-how-to-react-in-the-crucial-first-24-hours

You’ve been hacked. Despite all of your preparation and investment, your
business has lost mission-critical data, leaving your customer details and
brand reputation at risk. What should you do in the first 24 hours?

While it’s clear no organisation is safe, that’s no excuse for not having a
response plan in place.

In this situation, you need to act quickly to not only meet various
compliance regulations, but also to limit the scope of the damage caused by
the breach.

In a recent report, Juniper Research predicted that the cost of data
breaches will amount to £1.3tn by 2019, showing just how costly data
breaches are becoming and the importance of having a contingency plan in
place.

If a breach happened right now, would you be prepared? Would you know what
to do and how to act? If the answer is no, then you need to create a
robust, clear policy.

This plan should be well-defined, concise and rehearsed. Much like a fire
drill, all employees of your organisation should be aware of the procedures
and how to act almost instinctively.

So, what does such a plan look like? While levels of urgency will depend on
the severity and scale of the breach, here’s some advice for what you need
to do in those crucial first 24 hours.

*Hours 1-2: Triage – Assess the situation*

When a patient is admitted to A&E, the first thing the doctor will do is
determine the severity of the injury. This is the perfect analogy for what
a business needs to do in the immediate wake of a breach.

Someone in the business with sufficient training should take a step back,
assess the situation and classify it accordingly: Has a device been stolen?
Has your server been hacked? Have you been hit by a denial of service
attack?

Once the threat has been identified, this would be the time to enact
automated controls. For instance, in the case of a stolen laptop, a company
would activate any underlying embedded technology solution to either
remotely delete the data, track the stolen device or cut the network
connection.

*Hours 2-8: Legal and containment*

This is the stage where roles need to be assigned amongst your team. Once
you have identified the severity of the breach, your legal team can advise
on the best course of action.

Your company must also appoint somebody with sound communication skills and
a thorough knowledge of the problem to interact with the relevant
authorities (dependent on data regulations in your region). You should also
use this time to make sure that your automated controls have worked and
confirm that the threat is contained.

*Hours 8-18: Analysis and investigation*

Documentation is everything, and you must make sure that you have all of
the facts at hand. Depending on the type of data that has been compromised,
your customers and the authorities will want the full picture.

Evidence has to be properly collected and logged, not only for these
reasons but so that the root cause can be properly identified and the
incident prevented from happening again.

Once the facts are established, you should ensure that several people in
the organisation can liaise with anyone who may be concerned about the
breach, be that business partners, worried customers, or the press.

*The first 24 hours is just the beginning. Find out what steps you need to
take following the breach, such as how to issue breach notifications to
your customers and how to educate your staff to prevent another breach.
Continue reading on page two.*