Suffering a data breach can be catastrophic for a company — and the people who work there. The realization that security controls have failed and the focus will now be on investigating and remediating the situation is never pleasant, but unfortunately it's becoming all too common as threats magnify.
Even more disconcerting is the concept of facing the "blame game" as details emerge about the breach and whether it occurred as the result of human failure. "What could we have done to prevent this?" will quickly become a mantra amidst the massive amount of work that lies ahead.
Fortunately, you can answer that question in advance by learning from the mistakes of others. Here are 5 ways you can plan for a breach to help avoid this catastrophe.
1. Know the regulations and laws in advance
Depending on the type of organization you work for, there may be regulations such as Sarbanes-Oxley (SOX), HIPAA, PCI-DSS, FISMA, and GLBA which could apply to your systems and data. Learn these and determine how you can comply with them. Often these guidelines can not only help you prevent data breaches but ensure your protection for complying with these principles if a data breach does occur.
Also make sure you know the laws applying to the states and/or countries in which your organization is based or conducts business. The United States has no federal laws dealing with notifying customers about data breaches, but most U.S. states as well as Washington D.C. have laws requiring companies to inform customers if their personal information has been seized.
In Europe, the General Data Protection Regulation was formulated to enhance the protection of data for individuals in the European Union and specifies how this data can be exported outside the EU. Regarding data breaches, this regulation establishes that individuals must be notified if their data is adversely impacted (unless the data has been anonymized or encrypted).Publicly traded companies are also subject to US Securities and Exchange Commission reporting guidelines regarding data theft and other crimes.
2. Analyze and monitor your armor for weaknesses
Security scans and threat detections can be very effective in identifying and helping to remediate vulnerabilities before they can be exploited. If you can't do them in-house, these services are offered by companies like Exabeam, Qualys, Rapid7 and Tripwire.
Exabeam chief security strategist Steve Moore said that one of the most critical approaches to reducing the threat of a breach is to understand the threat of stolen and misused credentials. Pulling data from multiple sources can help establish the scope of an event by linking this information back to an identity to establish which individual(s) are responsible for or involved with a breach.
With this in mind, logging and alerting are key components to prevent security compromises. Establish centralized logging and alerts based on warning signs such as high volumes of failed logins, unauthorized access, privilege escalation and other elements which indicate malicious activity is taking place. Exabeam, Splunk, Logstash and Graylog are three such products which can help establish this functionality.
Moore said that more than 80% of breaches are the result of stolen or weak passwords. Breaches also leverage email as a delivery mechanism, desktops as a foothold and throwaway cloud solutions (storage) as a data exfiltration landing zone.
"The most resilient systems are those with good hygiene and logging and with enriched events; however, identity and device behavior transcends device age, configuration, and strength," he said.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
3. Have an incident response plan in place
According to Moore, incident response plans often go unused because they don't reflect the scope and speed of large attacks, and disaster recovery plans usually don't do enough to represent cyber threats. Therefore, it's important for the plan to be as elaborate, subjective, and detailed as possible, and make sure it's tailored to your company operations and priorities.
Armed with the information gathered in the prior step, you can build an incident response plan to address a potential data breach. This requires you to assess possible breach scenarios. Could company or employee-owned devices used for company business end up stolen or compromised? Might internal or external servers be subjected to unauthorized access? What if a malicious attacker manages to get into internal networks?
Establish what software, services and tools you should use to prevent and detect breaches. Common elements are IPS/IDS (Intrusion Prevention Systems and Intrusion Detection Systems), anti-malware software, centralized logging, network packet capture utilities and system alerts.
Refer to policies such as Tech Pro Research's Network Security Policy, Information Security Incident Reporting, Mobile Device Computing, and Information Security to build your incident response plan, and make sure to implement them for your employees and IT staff as well if they are not currently in place.
Also consider additional aspects such as how to communicate details, who to involve (you should include legal, HR and other external groups or entities outside of IT or security, if need be), and whether it makes sense to procure insurance coverage to help alleviate costs of a breach.
4. Identify key personnel and assign responsibilities
Assign a security response team, as well as roles and responsibilities. Focus on tasks such as investigation, recording details, planning changes, engaging in communication, and other elements of your plan so staff can hit the ground running with no ambiguity or time-consuming discussion regarding who needs to do what.
If need be, plan to hire contractors or consultants and ensure their availability. Have backup contacts in place if these individuals are already engaged or otherwise unavailable.
5. Establish ongoing training for end users and IT staff
Official security training is a key element to keeping staff aware of how to reduce the risk of security threats and thwart data breaches. It's also to be aware of new vulnerabilities, risks, social engineering ploys and the like. Subscribe to security newsletters such as those provided
SANS, 24by7 Security and KnowBe4. Security blogs are also another good resource. IT or security staff should send out information to users on at least a weekly basis (or as critical threats emerge) to keep them informed and up to date.
Now you're ready, but don't just sit back on your haunches and wait for the breach, so to speak. Continually revisit and revise the plan as new technologies, threats and staffing changes develop so it will evolve in turn.
- 3 small ways SMBs can build up a cyberdefense strategy (TechRepublic)
- 54% of security experts anticipate a successful cyberattack on their enterprise within the year (TechRepublic)
- 66% of SMBs would shut down or close if they experienced a data breach (TechRepublic)
- FDIC hit by 50+ breaches in a two year period (TechRepublic)
- All of Yahoo's 3B accounts were hacked back in 2013, here's how to protect yourself (TechRepublic)
- Cyberwar and the Future of Cybersecurity (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.