Despite your best efforts, cyber breaches happen. And if experts are right, even businesses with the best security technologies and practices can expect more of same in 2019. One of the main reasons for the expected uptick of cyber-events is the increasing sophistication of hackers, who continue to create more elusive types of ransomware and other malware. Hackers also have learned how to disguise malware traffic as regular Internet traffic and how to launch multiple campaigns from a single domain, according to a recent report from Cisco.
There is little doubt that your company will experience some type of data breach over the next twelve months. While there isn’t much you can do about that, there is plenty you can do to mitigate it once it happens.
Responding to a data breach
React quickly: Reacting slowly will only make the effects of the data breach worse. Your reputation is on the line when a data breach happens. So as systematically and quickly as possible, you should determine what information has been taken and plug any holes that cyber criminals may have used. As soon as an attack is discovered, mobilize your incident response team, secure systems, and conduct a thorough investigation. The results will determine how you should address the vulnerabilities that led to the attack.
Under Armour won a lot of praise by responding immediately when its food and nutrition application and website was breached, affecting personal information from about 150 million users. The Baltimore, Md.-based company reacted quickly by understanding how and why the breach occurred, encouraging users to change passwords and use account security steps to protect themselves.
But not all companies do it right. Equifax, the credit reporting company that experienced one of the biggest data breaches in history affecting more than 150 million customers, waited a full month before notifying the public. Equifax made more mistakes than we can detail here; suffice it to say that no company wants to replicate Equifax! And then there is Uber, which admitted that it paid hackers to refrain from disclosing a data breach that exposed data from 57 million accounts and 600,000 U.S. drivers.
Make an announcement: As soon as you understand the nature of the breach and how to fix it, notify all people who might be impacted by it—customers, employees, suppliers, partners, stakeholders, etc. Your message should state the facts simply—what happened, what you’re doing about it, and how you will help those affected by it. Also, advise users to change their passwords and even email addresses, if possible. As an example, after Sonic experienced a malware attack that exposed payment information for millions of customers, the company was widely praised for keeping its customers in the loop throughout their data breach management period, and for offering free fraud detection and identity theft protection.
Change all passwords: Some sites only recommend changing affected passwords, but to be safe, the best practice recommendation is to update all passwords. To make sure all affected consumers, employees, suppliers and partners change passwords, use a password manager that notifies users that a breach has occurred and prompts them to change their passwords. And urge users to choose new passwords that are complex. Don’t use common names, and add symbols, asterisks and other characters. Also advise them not to keep a copy of their computer, and to use different passwords for different accounts.
Report to authorities: Report to authorities as soon as you discover a breach. Contact law enforcement, and comply with investigators and industry regulators, where applicable. Depending on the laws governing data breaches in your state (or country), this may be your first course of action. Depending on your industry, you may also be subject to additional requirements. In addition, publicly traded companies must follow SEC reporting guidelines about data breaches; failing to do so may result in scrutiny by the Federal Trade Commission.
Implement your response plan
The ability to react quickly really starts well in advance of a cyberattack, with the development of an incident response plan. The goal of this plan is to lay out the necessary steps in responding to a data breach and restore operations. Yet according to Ponemon Institute, nearly 80 percent of businesses don’t have a formal cybersecurity incident response plan. Of those that do, only 27 percent say it’s applied consistently across the company.
The plan should detail:
- The data and assets that need protection
- Members of the response team, which typically include risk management personnel and representatives from human resources, the legal department, IT, operations and PR. It should also include contact information for each of these people. It’s particularly important to empower the response team to take the actions they deem necessary.
- Steps to identify how the breach occurred and the nature of the attack (phishing, data leak, ransomware, etc.)
- Assessment of the impact.
- Steps to restore security.
- Steps to repairing impacted data and systems.
- A communication strategy for each type of user: employees, customers, stakeholders, suppliers and partners. This strategy should also include contact information for concerned users, and a press statement explaining the situation and detailing how it will be fixed.
After an event has occurred, it’s helpful for members of the incident response team to debrief, discussing what worked, what didn’t, and what could have been done better. After that meeting, change the incident response plan to include those lessons learned. Also, test your plan at least once a year and revise it to meet your company’s business continuity plans and mission statement.
Odds are that your company will experience some type of data breach within the next year or so. The best chance you have to emerge with your reputation and finances intact rests on how well you prepare before the event, and how quickly and effectively you respond when it happens.