Given the period of chaos that follows immediately after a breach, and the long-term ramifications, responding to an event without a plan is like treating an amputated limb with plasters – messy and ineffective.
The first few hours after a breach are critical in asserting control of the situation and, as such, businesses must have a comprehensive incident response plan in place that enables them to react immediately should the worst happen.
How not to respond
Target has become the high profile case study of how not to handle a data breach. The retailer experienced a massive breach in 2013 which resulted in up to 40 million customer payment cards being compromised. The world learned about the breach from Brian Krebs, who broke the news on his blog after discovering stolen card details for sale on the dark web. In the days following, Target failed to communicate with banks about which payment cards were stolen, while customers were unable to reach the company due to a jammed customer service line. Consequently, Target’s share price fluctuated, both the CIO and CEO resigned, and the company estimates it has spent almost £200 million in relation to the breach.
Creating an incident response plan
Before drafting a plan, companies must first thoroughly understand the different types of personal and regulated data they collect, how it’s protected, where it’s stored and who has access, as this will influence the response required. The action guide can then be created, which must include detailed descriptions of the roles and responsibilities of specific individuals and departments, and timelines.
How quickly customers are informed about any breach is essential if a company wants to retain any integrity and credibility. To ensure that stakeholders are reassured that the situation is being managed, firms must draw up a crisis communication plan. This should include draft email and letter templates, and scripts for spokespeople. Not only will communicating quickly limit any further risk to affected parties, but it also allows the company to have some control over the media narrative. Breach notification can be communicated through several channels, including:
• Social media
• Press release
• Corporate website and blog
• Custom website that provides the details of the breach
Businesses should run ‘fire drills’ to ensure that everyone is aware of their responsibilities and to identify any further required actions that may have been previously overlooked.
Real time data breach response
The first hour
Once a breach is discovered, it should trigger an investigation by the forensics team. It’s vital for the company to quickly identify the scale of the breach, if it was caused by a cyber-attack or employee error, and whether the wider infrastructure is at risk. The organization should also assemble the internal response team and notify the authorities and other relevant agencies.
Hours two to twelve
At this point, the crisis communication plan should kick into action and the forensics team should be hard at work. Meanwhile, the engineering team should focus on patching vulnerable systems as they become known. Larger companies should have a short list of third-party vendors to help them accelerate this process.
Hours twelve to forty-eight
In the majority of cases, the initial assessment of a breach underestimates its true scope. To at least mitigate some of the risk, businesses should assume the worst case scenario. Now, companies must start reaching out to credit card providers and banks, if payment details have been compromised. If they haven’t already, communication teams must also start their outreach, informing customers, the media and any other affected stakeholders of the situation. Even if the scope of the breach isn’t fully determined, the company should communicate whatever information is available.
If user credentials are at risk, the organization should implement an automatic customer-wide password reset while turning on some form of multi-factor authentication. If personally identifiable information (PII) or PCI-DSS regulated data was exposed, free credit monitoring should be offered.
Beyond the first 48 hours
Though the first 48 hours are the most critical time in getting a handle on the situation, it is just the beginning. Companies should expect a deluge of customer and media inquiries and must have a plan to handle a significantly higher volume of calls and emails. It will likely take weeks, if not months, for the forensics team to uncover the full scope of the breach; and businesses should be prepared to tear down and rebuild parts of their infrastructure to mitigate the risk of the situation repeating itself.