BreachExchange mailing list archives

Why You Need a Cyber-Security Breach Response Plan


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Sep 2015 14:03:14 -0600

http://www.baselinemag.com/security/why-you-need-a-cyber-security-breach-response-plan.html

Cyber-security breaches have become commonplace today. Breaches at
high-profile companies such as Walmart and Target, not to mention the
federal government, routinely make headlines.

In addition to eroding public confidence, a cyber-security breach can take
a devastating financial and personal toll on a company and its brand. At
Target, the CEO and CIO were ousted, and the company agreed to a $10
million settlement of a class-action lawsuit brought by affected customers.
Target estimated that its breach-associated costs topped $148 million in
the second quarter of 2014 (The New York Times, 8/5/14), and the company
experienced related declines in both profits and customer satisfaction.

Given the increasingly sophisticated methods used by hackers around the
world, it may be impossible to prevent a cyber-security breach. However,
the next best thing is to be fully prepared by having a comprehensive
response plan that can be swiftly and effectively executed if a breach does
occur.

Develop and Maintain a Breach Response Plan

Developing and maintaining a formal cyber-security breach response plan is
extremely important: It creates confidence in a company’s ability to detect
security breaches, respond to them in the appropriate manner and protect
against further damage. A well-executed plan will send a message of
confidence to both internal and external parties.

In fact, such a plan should play a critical role in maintaining business
continuity and protecting brand reputation. It also should be viewed as a
key component of the company’s overall enterprise risk-management and
risk-mitigation program.

What are the key benefits of such a plan? It should protect a company’s
critical assets and sensitive information, including confidential customer
information, employee files, sales and product records, intellectual
property and other critical data.

Once a breach has occurred, the ensuing chaos can make it impossible to
create and effectively implement a response plan. Coordinating interrelated
parties—such as IT, legal, law enforcement and customer service—and knowing
who needs to be called in at what times, are monumental tasks.

To effectively remediate the breach and restore the public's confidence in
the company, relevant information must be gathered and disseminated, tasks
must be assigned to the various parties, and those tasks must be implemented
at the appropriate times. Although businesses without response plans can
ultimately recover from a cyber-security breach, it is far more difficult
to do so without a well-thought-out response plan.

Create an Effective Breach Response Plan

As the Target episode showed, an ineffective or nonexistent response to a
breach can erode customer and shareholder confidence and cause reputational
and fiduciary risk. A company’s response should be quick and fully
transparent. The cyber-security breach response plan must be carefully
planned and action-oriented, and it should clearly define the roles and
responsibilities of all stakeholders in executing the plan.

A cyber-security breach response plan will vary by company, by the types of
assets it possesses (digital and otherwise), by its compliance requirements
and by other factors. Nevertheless, the following guidelines will be useful
in developing a plan.

Build a Multidimensional Response Team

The most effective response plans require input from—and coordination
with—diverse organizational units. These can include representatives from a
company’s legal, public relations, marketing, customer service, human
resources, IT and executive management teams, as well as external insurance
companies and, possibly, forensics firms and law enforcement agencies. The
breach response team must understand how to work with all these parties to
address breach remediation and communications.

As an initial step, members of the team should collect and review all
current documentation related to incident response policies and procedures,
and then review any current legislation that affects the company. Some
members of the team will simply need to be informed in the event of a
breach, while others will hold critical operational roles in the response.

These groups will work together to create the plan, while obtaining buy-in
from internal constituents. The plan should clearly define when and how
each of these parties gets involved once a breach is detected.

The team should also outline the type and frequency of communications going
to employees, customers and clients, business partners, the public and the
media. Post-breach communications should articulate the cause of the
breach, pertinent facts about the damage and risks, what the company is
doing to investigate the breach and prevent further damage, and what it is
doing to help those affected by the breach.

Develop a Plan for Each Stage of a Breach

An effective breach response plan should focus on each of these four stages:

· Preplanning and preparation

· Response

· Discovery and analysis

· Reporting and follow up.

The preplanning stage involves developing a response plan and delineating
responsibilities. It may also include identifying which corporate assets
need to be protected, determining IT and other risks, and conducting
training and dry-run exercises to prepare the response team for a breach.

The response stage includes both the damage assessment and the
communication plan. The response team determines the scope of the breach,
notifies the appropriate individuals, gathers facts on the breach, conducts
interviews, executes the response strategy and begins remedial actions.

In the discovery and analysis phase, the team collects and analyzes the
evidence and formalizes the remediation plan. The team also should
determine how to collect and preserve evidence for use in prosecution. This
may include decisions involving chain of custody, use of digital forensics,
processes for document and data reviews, and related initiatives.

The reporting and follow-up stage includes the strategies and tactics that
are to be implemented as a result of the breach. These may include a
remediation plan with new security measures, a report to shareholders or
legislative bodies, or a major change in business processes.

It is critical to note that the most effective response plan is one that
stays current, with all responsible parties remaining fully aligned with
their tasks and strategies. The response plan should be revisited and, in
some cases, modified as the company’s technology and business environments
change.

Remember that the best-laid plan that's sitting on someone's desk, or has
not been thoroughly evaluated, is nothing more than a piece of paper.

Most companies have a variety of assets that must be protected. Whether
these are financial, informational or brand assets, a cyber-security breach
can irreparably harm any or all of them. Companies that proactively plan
for a breach are in a much better position to overcome it—both
operationally and in the forum of public opinion.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss