BreachExchange mailing list archives

Damage Control: After an Insider Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Jun 2015 20:33:38 -0600

http://www.jdsupra.com/legalnews/damage-control-after-an-insider-breach-48410/

In the immediate aftermath of a major security or data breach, companies
should re-evaluate their risk management systems. In a previous post on
insider threats, we outline what a company can do to prevent risks
associated with insiders. We also have written about the characteristics of
a malicious insider. Today, we discuss best practices after an instance of
insider theft occurs.

Rapid detection of insider thefts requires that companies quickly identify
suspicious activity and evaluate the potential impact. To do so will
necessitate regular vulnerability scans, network monitoring, and incident
investigation. Company policies regarding network access and resource
control should also reflect the business's overall risk management
processes and may include monitoring online behavior, database use, and
restricting removal of sensitive documents from the company. With strong
policies and management systems in place, companies are in a good position
to identify insider incidents early and develop adequate responses.

Following detection of insider breaches, containment and mitigation should
be a primary focus of a response plan. Swift implementation of this plan
helps to contain further leaks and allows prompt remediation. Response
plans may be different according to the type of incident detected but
should involve a methodology for dealing with suspected threats as well as
documentation and analysis of the incident.

Recovering from an insider breach can be difficult due to the fact that
these crimes can often cause significant harm to a company’s reputation and
result in losses of important proprietary and sensitive information and
assets. A corporation’s management should be involved in reevaluating risk
management strategies after a breach to identify possible weaknesses.
During this process, information sharing, feedback, and remediation efforts
are important to improve future planning and communications. Organizations
should also consider notifying law enforcement agencies of cybercrimes—a
step few companies take. PwC’s 2014 US State of Cybercrime Survey found
only 12% of companies report insider cyber incidents to law enforcement.

Insider theft can have a significant negative impact on a company. Having a
threat management system and planned response helps to quickly control the
damage from thefts while remediation can reduce the likelihood of future
incidents. To stay ahead of this emerging threat, companies should work to
develop a clear enterprise-wide incident response and recovery plan to
ensure business continuity.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
