Breach Response: Building a Better StrategyExperts Stress the Need to Get the Basics Right
Even in the aftermath of the high-profile Target Corp. data breach and other recent major incidents, many organizations still aren't developing and testing breach response strategies, security experts say.
See Also: 2016 State of Threat Intelligence Study
"There are more organizations this year with pre-breach response plans in place," says Michael Bruemmer, vice president of Experian Data Breach Resolution. "But at the same time, there are many retailers, manufacturers and small businesses that are lagging behind."
Among the reasons why some organizations don't have even the basics of a plan in place, Bruemmer says, is because they lack the resources or aren't aware of regulatory requirements for risk assessments and breach notification. Plus, some are over-confident that an incident isn't going to happen to them, "which is simply pretty foolish," he adds.
Security experts say the basic components of an effective breach response strategy that many organizations still, unfortunately, lack include: creating a competent response team; devising a well-documented strategy that covers discovery, forensics, response, and notification and reporting; implementing effective training; and testing and auditing the plan to continuously improve it.
Developing a Team
A key to successful breach response is ensuring that an organization has an adequate team in place to handle the incident every step of the way, says attorney Ronald Raether of the law firm Faruki Ireland and Cox PLL.
"While each element [of breach response] is critical, I cannot stress enough the importance of a team that is staffed with people with the leadership capability and support of management to act decisively when it comes time to manage a response," Raether says.
He also recommends that an attorney be a part of the team to deal with liabilities associated with a breach and the need to deal with regulators.
In too many cases, breach response teams are inadequately staffed, the attorney says. "In other words, the plan is written but the incident response team responsible for managing and revising the plan are not competent or maybe do not have sufficient authority to get things done."
A successful breach response plan requires a well-documented strategy. The plan, at a minimum, should address the steps the response team needs to follow to assess a breach, stop it and mitigate harm, Raether says.
Ideally, the plan should be written by individuals who have past experience in breach response, says Alan Brill, senior managing director at security advisory firm Kroll Solutions. "The difference between a model of incident handling and the complexities of a real incident can be significant," he says.
Also, the plan must be regularly updated, Raether stresses. "The problem, of course, is that the business continues to grow in size and complexity around this stagnant policy," he says. "New business partners, data sources, technologies and maybe even more business units complicate the data infrastructure. Likewise, each new element brings one or more additional obligations under the incident response plan."
Ellen Giblin, an attorney at Ashcroft Law Firm specializing in privacy and data security, says that too many organizations lack the technology to adequately respond to a breach. For example, many rely too heavily on the use of spreadsheets to document incidents. "It's not really dynamic," she says. "Spreadsheets won't process information and get you the type of reporting you'd get from a platform."
The lack of an enterprise platform that enables all stakeholders to view up-to-the-minute reports on the number and types of breaches can affect the work of the breach responders and privacy professionals within an organization, Giblin says. "The detriment to that is it prevents those who do the root-cause analysis from trying to fix the processes that led to the breach ... and mitigate them as soon as possible," she says.
Notification and Reporting
When it comes to notification and reporting of an incident, how a company communicates externally is often a point of failure, Raether says. "Companies must carefully and methodically plan for the messaging to consumers, other businesses, media and the regulators," he says.
For public announcements, organizations need to have a "Plan B" in place, Bruemmer says. "Every breach plan should have a provision in the event that the news media gets ahold of it and pre-empts normal notification," he says.
The Plan B should involve coordinating with forensics firms and law enforcement as to what information can be provided in an early announcement. "In many cases, law enforcement will use evidence during the forensics process to catch and convict hackers that are responsible for exploiting or exfiltrating data," Bruemmer says. "It's important to follow the guidelines of forensics firms and law enforcement people beforehand, and wait until you have the information to notify people with the correct information."
Giblin says the implementation of basic training around detecting, reporting and managing breaches is critical. "Training is the lowest cost," she says. "You don't have to have the Rolls Royce of training. You can use a lot of the good resources that the Federal Trade Commission has provided."
Giblin says adequate training helps to ensure that "you're not bringing people up to speed in the middle of a breach."
A company can have its reputation harmed if all staff members don't understand the company's breach response plan, Raether says. He describes one incident when an account representative received a call from a customer about a breach. "The account representative, not knowing about the incident response plan, worked on their own to 'fix' the customer's problem. When the event finally did get to the response team, we had a much harder task in addressing all the moving parts of a breach response, having to undo much of the effort of the good-intentioned account representative."
Testing the Plan
For organizations to build a better breach response strategy, they need to continually audit and test their plan, Bruemmer says. "You need to audit back that plan and continuously improve [it] at regular intervals," he says.
Too many organizations fail to conduct live practices of their plan, which can aid in identifying any gaps in process that need to be filled. "It's no good to develop a plan, check the box and stick the binder on the shelf," Bruemmer says. "That doesn't do you any good."
A recent survey conducted by HealthcareInfoSecurity found that 49 percent of healthcare organizations have not tested their breach response plan to see if it works.
Has your organization conducted a test to see if its breach notification plan will work in a real breach situation?
"There are many who think they have a viable plan but haven't tested it, and may be in for some surprises when they do," Brill says.
Involving Board of Directors
Another essential component to building a better breach response strategy is involving senior management and the board of directors. After all, mishandling a breach can affect a company's financial viability. "We're seeing that firms in the private equity and venture capital spaces are taking very hard looks at cybersecurity as they recognize that data breaches can put their investments at - often preventable - risk," Brill says.
The need for C-level involvement is evident following the Target breach, Raether stresses. "Target's communication strategy immediately following the event shows a lack of C-level involvement," he says. "The messaging showed a slow recognition by Target's top management of the messaging and media outlets that must be used to successfully communicate in the wake of an event.
"While Target eventually used social media and improved its talking points, the delay in getting to that point signals to me a gradual education of the executives as to what is required rather than an immediate understanding."
Organizations may also want to consider cyber-insurance to offset the costs of data breach response, "which can be extensive in both time and money," Raether says. "Some policies include value-add services, such as a breach coach."