A data breach is an all-too-common, unfortunate event for IT managers. The question is not if an organization will be attacked, but how often. No organization is immune, as the U.S. National Security Agency (NSA) breach and subsequent theft of NSA hacking tools in 2016 illustrates.

External attacks are the most common data security breaches. The Verizon 2018 Data Breach Investigations Report found that outsiders such as organized crime groups or even hostile governments account for nearly three-fourths (73%) of cyberattacks.

The damage from a data breach may include:

  • Legal liabilities to customers and partners
  • Government fines for noncompliance with privacy and security regulations
  • Costly repairs to IT systems
  • Purchase of new security software and cyberinsurance
  • The cost of hiring outside public relations, legal, and forensics consultants
  • Loss of consumer trust and damage to the organization's brand

An IT department that reacts quickly to a breach can minimize the damages. A slower initial data breach response increases the opportunity for an attacker to steal data, corrupt files, or plant malware for future use. An Aberdeen report that McAfee commissioned determined that most damage from a breach occurs immediately after the breach, when records are first compromised. The report concluded that responding twice as fast to a breach could reduce economic impact by nearly one-third.

In worst-case scenarios, some organizations are unable to discover the breach for weeks or even months. Verizon’s report found that 68% of breaches took months to discover. In many cases, customers, partners, or law enforcement—not in-house security efforts—discovered the breach.

Create a data breach response team and establish a chain of command

Successful response to a data security breach requires a thorough plan that specifies the workflow and chain of command to follow during a data protection breach, as well as the people responsible for each aspect of the response. A data breach response team may include:

  • IT security staff
  • Lawyers to determine legal responsibilities and liability
  • Public relations employees to field media calls
  • Customer service associates to answer questions from concerned customers
  • Human resources staff if the breach involves employee data
  • A data protection officer (a new position that some companies are establishing)
  • Forensics consultants to trace the attack or uncover hidden malware
  • Compliance experts if the compromised data is covered by government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR)

The scope and sensitivity of the data dictates who needs to be involved in the response. For example, customer service personnel and compliance experts are needed if customer credit card data is compromised. Conversely, these personnel may not be needed if marketing plans are stolen. Because data security breaches are both complex and variable, regular team drills enable participants to function more quickly and effectively.

Including C-level executives on the data breach response team helps ensure that the data response plan receives necessary support and resources. The involvement of executive managers shows commitment to data preparedness and encourages mid- and lower-level employee participation. To gain executive support, however, IT managers need to explain the consequences of a security breach in terms of its potential impact on the organization, and the ways in which a data breach response plan can help the organization avoid liability costs, government fines, and lost revenue.

Response and data breach protection: best practices

Tools, technologies, and training can greatly improve the effectiveness of a breach response and aid future data breach protection. These are a few best practices:

IT asset inventory
An effective response begins with an inventory of the organization’s critical IT and data assets. A ready inventory enables rapid identification and protection of possible targets once a breach is detected. For all sensitive data, the inventory should include the location of the database or application where the data resides.

Documentation
Records of the breach and the response are essential to the subsequent investigation and to future efforts to improve security. Documentation is important for law enforcement and other government agencies that may become involved, as well as in any legal cases that arise. Documentation should include the time that the breach was detected and a list of all subsequent actions. Employees and other witnesses should document their actions and recollections while their memory remains fresh.

Incident prevention and response technologies
Cybercriminals use an array of sophisticated approaches and tools to penetrate networks. Organizations need similar tools to detect attacks and collect the needed information immediately after an attack. These tools include:

  • Security information and event management (SIEM) systems combine information from an intrusion detection system (IDS) with additional data from other sources. A SIEM monitors where sensitive data is going, which users are accessing it, and whether their behavior appears suspicious.

  • Data loss prevention (DLP) software scans and identifies sensitive content, such as personal data, stored on file shares and other network data repositories. A DLP application can classify and analyze hundreds of types of content for asset inventories and help ensure that all critical data is protected appropriately.

  • Forensics and analysis tools, such as McAfee Investigator, evaluate and triage security alerts for IT staff. McAfee Investigator collects evidence from other systems, such as SIEMs, and analyzes the evidence of a suspected attack.

Security awareness training
Security-aware employees are an organization’s first line of defense. Savvy personnel can prevent many attacks by learning to protect passwords and change them frequently, avoiding clicking on suspicious links or attachments, and alerting IT about suspicious activity. The SANS Institute provides security awareness training resources that help organizations create necessary employee training programs.

Data protection resources

~next-article-color-bar~

~next-article-heading~

Why All Organizations Need a Data Breach Plan

~read-more-link-label~