What to Do If Your Company Had a Security Breach
It is better to err on the side of caution, especially when it comes to security matters. Assume that a security breach will happen at some point in the future and prepare yourself for this eventuality. Having an emergency plan will help you save precious time; acting quickly is crucial for effective damage control. Commission an external company to investigate the breach, as you may lack the resources to handle the case properly. If a breach was caused by one of your employees, an internal investigation could result in a conflict of interest.
Response to a security breach will differ in each case, as every company is different. However, there are some general guidelines you should follow. A typical reaction to a cyber event consists of five stages: initiation, forensic evidence capture, web and behavioral analytics, risk impact analysis, and reporting to internal and external constituent groups.
1. Initiation
Start off by forming a breach management team that covers the following roles and responsibilities:
- Legal counsel. Internal if the person has experience dealing with breaches or external if the internal legal officer doesn’t have the necessary qualifications.
- Executive sponsor
- Internal security
- Internal IT infrastructure
- Human resources. Human resources should revise the cyber awareness program and intervene if the breach was caused by one of the employees.
- Corporate communications. They will shape a message to the media.
- Privacy or regulatory compliance
- Risk management
At this stage, you should establish communication standards, protocols, and encryption for oral and written communication. Appoint a person responsible for communication with external advisers or consultants (typically, it will be the legal officer), and with the audit and risk committee of the board of directors. Establish a frequency and method of communicating progress – at the early stage, meetings should take place two times a day. Take care to disclose the news about the breach to the smallest possible number of people in case any of the employees was at fault. The time for informing employees will come later.
2. Forensic Evidence Capture
Breach detection sometimes takes years. Confirm that a breach has taken place. Determine what kinds of information were compromised – personally identifying information (health, credit card, and financial information), employee family information, intellectual property, trade secrets, business proprietary information (alliance partners, customers, third-party vendors, investors). Determine if the breach is terminated or if it’s still taking place. Change passwords throughout the company in order to prevent further information leakage. Determine if the information was encrypted and what kind of encryption was used. Isolate and image any hard drives, so that an independent professional can examine them. If this is not the first breach the company is experiencing, look at the history of breaches to try and find any parallels. If this is the first security breach, look for similar cases on the Internet.
3. Web and Behavioral Analytics
Analyze the IP addresses in the environment and classify them into three categories: authorized and benign, unauthorized and toxic, and authorized but toxic. Determine if the breach came from the inside or outside – if from the outside, what was its source? Determine the method of the breach, and look for any malware programs in the system. Did the breach involve a physical intrusion? Is there any physical threat to employees?
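The three-way classification described above can be sketched as follows. This is an added example, not part of the original article: the allowlist, the indicator list, the log format and all function names are assumptions, the addresses are constructed from private and documentation ranges, and the "needs review" and "unparseable" buckets are additions for addresses that fall outside the article's three categories.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (private/documentation ranges), not real indicators.
# AUTHORIZED: assumed asset inventory / allowlist of the environment.
# TOXIC: assumed addresses or ranges flagged during the investigation.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]
TOXIC = [ipaddress.ip_network(n)
         for n in ("203.0.113.45", "10.20.7.19", "198.51.100.0/29")]

# Constructed connection log in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z src=10.20.3.4 dst=10.20.0.10 bytes=5120
2024-03-01T02:15:44Z src=10.20.7.19 dst=203.0.113.45 bytes=88231744
2024-03-01T02:16:02Z src=198.51.100.3 dst=192.0.2.5 bytes=912
2024-03-01T02:17:30Z src=198.51.100.77 dst=10.20.0.10 bytes=64
2024-03-01T02:18:01Z src=not-an-ip dst=10.20.0.10 bytes=0
"""

def classify(ip, authorized=AUTHORIZED, toxic=TOXIC):
    """Return the category for one address; raises ValueError if malformed."""
    addr = ipaddress.ip_address(ip)
    is_auth = any(addr in net for net in authorized)
    is_toxic = any(addr in net for net in toxic)
    if is_auth and is_toxic:
        return "authorized but toxic"      # e.g. a compromised internal host
    if is_auth:
        return "authorized and benign"
    if is_toxic:
        return "unauthorized and toxic"
    return "unauthorized, needs review"    # not one of the article's three

def classify_log(log_text, authorized=AUTHORIZED, toxic=TOXIC):
    """Group every src/dst address seen in the log by category."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        for field in line.split():
            key, _, value = field.partition("=")
            if key not in ("src", "dst"):
                continue
            try:
                buckets[classify(value, authorized, toxic)].add(value)
            except ValueError:
                buckets["unparseable"].add(value)  # keep for manual follow-up
    return {category: sorted(ips) for category, ips in buckets.items()}

if __name__ == "__main__":
    for category, ips in classify_log(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(ips)}")
```

The "authorized but toxic" bucket is the one to hand to the forensic team first, since it points at internal hosts that are already trusted by the environment.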
4. Risk Impact Analysis
Verify what kind of data was affected, checking both electronic and paper formats. If any personally identifiable information, personal health information, intellectual property and trade secrets, critical infrastructure information, or defense information was leaked, make sure you notify law enforcement about the event. In addition, ask your legal counsel for advice regarding internal reporting requirements – you may need to notify at-risk corporate customers and partners, regulators, and board members. Establish appropriate notification protocols and a notification strategy.
5. Reporting to Internal and External Constituent Groups
Adjust your reporting strategies for different audiences – remember that a technical report may cause confusion and misunderstanding among non-technical audiences, such as the board of directors. Instead of technical language, use the language of business and risk. The executive report should contain: an introduction (general risk conditions and trends), a description of the breached company (in case the audience doesn’t know it), a description of the intrusion event, the date of intrusion, a description of at-risk data, an analysis of preliminary mitigating measures, conclusions and recommendations (this part is crucial to convince customers that the company is committed to managing risk impact well), and a technical summary.
Ulsch, N MacDonnell, “Cyber Threat! How to Manage the Growing Risk of Cyber Attacks”, Wiley, 2014