Effective data breach response plans hinge on human preparedness

Experts at a Verizon event at RSA Conference 2015 say no data breach response plan is complete until certain human factors are considered.

SAN FRANCISCO -- A data breach may be an excruciating experience for any enterprise, but a panel of breach-investigation experts agreed that pain can be lessened if an organization plans out the people-centric elements of breach response.

At a Verizon event held this week in conjunction with RSA Conference 2015 and the release of Verizon's 2015 Data Breach Investigations Report, experts strongly encouraged organizations to construct data breach response plans and ensure key stakeholders are ready to respond effectively.

Emily Mossburg, leader of the Cyber Risk Services Resilient Practice with Deloitte & Touche, said being prepared for a breach is incredibly important, specifically when it comes to staffing decisions. Planners should make sure the right people are in place and that they know their roles and responsibilities during the incident, the conditions under which an incident will be escalated, who makes that decision, and how it would be made.

"It's beyond just a technical investigation," Mossburg said. "It's about having a staff that knows this is a business issue, knowing how to make sure stakeholders are part of the conversation and preparing them in advance for what this might mean."

Paul Nikhinson, privacy breach response services manager with London-based insurance agency Beazley plc, went a step further. He not only advocated for tabletop exercises for an enterprise's breach-response team, but also for making those scenarios as timely and complex as possible in order to best model the sorts of decisions that may be necessary.

Part of the staffing element, said Sherry Ryan, Juniper Networks Inc. vice president and chief information security officer, should include third-party support, which requires choosing a forensic services provider in advance and investing time into establishing a working relationship.

"You don't want to call someone you don't know in the midst of a crisis," Ryan said. "Figure out who that partner is in advance and include them in the practice exercises."

San Francisco-based U.S. Secret Service Agent Scott Swantner echoed the need to reach out to law enforcement, including his agency and the FBI, before an incident, and said "a lot more" companies have recently been doing just that.

"When that relationship is established ahead of time, it's a whole lot easier when law enforcement gets involved to get the response you need," Swantner said. "You don't want that first call to be in the middle of the night when agents are coming to look at your servers, because it's just not going to be a great day."

Human error contributors to breach-response mistakes

The panelists said that some of the most common mistakes they see in data breach response management involve human error motivated by fear, inexperience and uncertainty.

For example, Bryan Sartin -- director of the Research, Investigations, Solutions, Knowledge Team, which handles Verizon's data breach response and forensics services -- said the most common failures his team sees involve an inability to maintain the integrity of potential crime scenes, inadvertently covering the tracks of the crooks.

"Probably an even bigger issue than that is the 'CYA' that victims play, trying to hide the fact they did things they weren't supposed to do once they found out about the incident," Sartin said. "And that's all the things that happen from the time they realized they had a problem until investigators show up to do what they do best."

In addition, Sartin said, key stakeholders often underestimate how complex and overwhelming it can be to manage all the ancillary people and groups who must play a role in mitigating a major breach incident, including internal and external attorneys, internal and external investigators, law enforcement, regulators, insurers and many others. 

Mossburg said the data breach response plan should detail the roles of all those groups. This includes not only how issues related to the incident itself are handled, but also what tasks those individuals will have related to business continuity during the investigation, and how to continue business processes or make changes on the fly to get the organization back on track after the incident.

Past breaches put security leaders in the spotlight

Several panelists noted how numerous recent high-profile security breaches have given enterprise information security managers more leverage with C-level executives in terms of support and funding. However, Mossburg noted that change means more pressure for CISOs.

"For years we've been knocking on the door of executive management saying, 'This is the budget we need, we're here, this is why it's important,'" Mossburg said. "Now that door has flown open, and they've pulled us in by the shirt collar, and we're standing in front of them. There's a lot more focus."

She said executive teams increasingly expect their security leaders to be able to explain how they would respond to the latest incident making headlines. However, that type of interaction puts the security team in reactive mode. Instead, she advised CISOs to seek out such conversations more proactively.

"Most organizations are seeing more [security] budget than ever before, but also more pressure and heightened expectations around what the information security officer can and should do," Mossburg said. "Drive those conversations around things most important to us, like the cybersecurity strategy, its core principles, what the program emphasizes, and how it's evolving."
