Security professionals have good reason to fear information security breaches, and in turn to create a data breach response plan. The sophistication and targeted nature of attacks continue to increase, the number of compromised records continues to rise, and organized crime is surfacing more often. However, many chief information security officers (CISOs) find themselves ill-equipped to respond to these attacks.
In its 2009 Data Breach Investigations Report, Verizon Business reported that nearly nine out of 10 security breaches could have been avoided. This statistic isn't something to be proud of, but it does indicate that efforts can be made to protect against future attacks. Now is the time to start establishing and testing a security breach response plan. A detailed data breach response plan not only decreases the likelihood of attack, but can also substantially reduce the amount of organizational chaos and the valuable time wasted in dealing with the confusion.
In this tip, we've outlined high-level steps organizations should take to build a data breach response plan. Follow these 10 steps to build a robust security breach response plan.
1. Use existing means to identify and protect sensitive data.
Many companies establish elaborate classification schemes and data-handling guidelines that are too complicated to follow. Although data classification is important, it should not be a hurdle in protecting sensitive data. Leverage existing efforts such as business impact analysis (BIA) or disaster recovery (DR) exercises that seek to identify and protect critical areas and sensitive data. It's likely that these efforts have already produced sufficient documentation for classifying and locating sensitive data.
2. Determine the state of your IT environment and identify the potential areas of risk.
Focus on the most critical areas by taking a close look across the people, process and technology domains and by performing a high-level risk assessment. Talk to those within the organization who handle sensitive data; they know where vulnerabilities lie. Additionally, consider hiring an external party to do an assessment and help you identify the highest areas of risk. This is helpful for large or non-traditional organizations in which it is difficult to map the environment, or when there is disagreement within the organization regarding what is or isn't a high-level risk. Don't take on everything at once; focus on critical risk areas first.
3. Establish processes to reduce unintentional errors.
A majority of breaches occur because of human error, not technology failures. Companies can reduce the risk of unintentional breaches with well-defined and frequently measured processes. For example, if every time a server is hardened there is a process to verify its configurations, then there is little chance that a vulnerability on that server could lead to a security breach. Recognizing these types of human errors can go a long way in a data breach response plan.
4. Plan a layered defense approach.
Adding security controls in layers exponentially increases the likelihood of keeping an attacker at bay. As a first line of defense, employees should be trained to watch for social engineering attacks; every organization's security program is only as strong as its weakest link: users. After implementing user awareness, security pros should ensure technical capabilities exist to augment the risk mitigation, such as encryption and data loss prevention (DLP). Lastly, process capabilities need to exist to make it easier for the other two layers to function. If you ask people to encrypt email but don't have a seamless process for them to do so, nobody will follow those instructions.
5. Empower the response team.
Valuable response time is often wasted waiting for management approvals and authorizations. This frustration can be avoided by empowering incident management teams to make decisions on the spot without fear of retribution. Data breach response plans should also be aligned with existing business continuity or incident handling plans. That way, the response team is able to make timely and effective critical decisions and coordinate activities across these teams. The team definitely needs to keep management in the loop, but management can't be a bottleneck.
6. Test your plan religiously and address gaps quickly.
Almost every organization has some sort of documented data breach response plan: Forrester Research Inc. estimates, however, that less than 20% of companies regularly test and keep their plans current. During testing, document "action items" and "lessons learned" and assign remediation and follow-ups to ensure kinks are ironed out before an incident occurs. Confirm that the response plan is in line with minimum requirements from a legal and regulatory perspective. Otherwise, the company will be considered negligent in its responsibilities.
7. Develop a communication plan.
Work with corporate communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected. It's important to have this plan ready at a moment's notice, as customers and regulators are more forgiving when a breach is reported in a timely manner and relevant law enforcement agencies are informed appropriately.
8. Establish internal and external relationships.
Develop relationships now with the likes of forensic companies, law enforcement agencies and legal and public relations firms to avoid wasting time searching for contacts when a breach occurs. Creating these partnerships in advance allows enough time to conduct a thorough evaluation and find a partner that fits the organization's specific needs. By the same token, internal relationships established as part of the communication plan should also be fortified, with teams such as IT operations.
9. Provide appropriate tools and training to responders.
Responders need to be comfortable with any incident response tools. If the plan is to handle incidents in-house, act now to familiarize the staff with forensics tools and train them on well-defined evidence collection and storage processes. Moreover, make sure necessary certifications are in place for all people who handle sensitive parts of the incident. Too often, valuable evidence is lost because it was not collected properly.
10. Treat your people as your last line of defense.
Users aren't only the first line of defense, they're also the last. Employees should be educated and trained on how to behave once the incident response plan is activated. Hold refreshers on how to handle sensitive information and remind employees not to become lax or complacent if they have not had a breach. It's important to always stay vigilant.
About the author:
Khalid Kark is an analyst at Forrester Research, where he serves security & risk professionals. His research focuses on building and maintaining effective security programs and making information security leaders more successful in their role.