Data breaches happen, but they aren’t necessarily the end of a company. In many cases a breach can be an inflection point, with the company coming back stronger. With a data breach response plan, companies have a better chance of mitigating the negative consequences of a breach.
By following these best practices for a data breach response plan, companies are able to retain business, customers, and shift brand perception in the market.
1. Prepare with a Data Breach Response Plan.
While breaches vary in nature, having a solid blueprint to organize around streamlines a timely response. First, recruit the key organizational players who should be involved. Who should be on your incident response team? Typical members include Human Resources, Legal, Governance, Business Continuity Officers, Information Technology, Security, and Communications – but this varies by organization. Gathering the stakeholders and documenting a response plan with detailed actions and owners ensures a defined path for the initial steps. Don’t forget to include a list of additional partners to engage, such as authorities, law firms, PR firms, and security firms that specialize in breach incident response.
2. Be transparent and timely.
Large breaches don’t remain secret for long, and the length of time between exposure and disclosure is measured in the public eye. It is important to ensure rapid communication and response to breaches. Communicate within the organization, as well as with customers and partners who could be affected, with clarity on what happened and what the next steps are. Work with any applicable regulatory bodies to ensure adherence to laws and regulations. For example, a GDPR incident response plan would ensure disclosure to the proper supervisory authority within 72 hours of discovering a breach (Article 33). Failure to do so could subject your organization to hefty fines. A good rule of thumb is to have a 24-48 hour response plan – especially if personal data was breached or user credentials might be compromised. Ensure that you release information quickly and advise customers on options or actions that could limit or eliminate their exposure.
3. Construct your communication strategy.
Most initial breach assessments underestimate the overall impact. Given this, it’s important to assume the worst case and begin reaching out proactively. This could mean credit reporting companies, financial companies, and identity theft protection services, along with PR and the news media. A useful tactic is to have templates prepared in advance for communication across the digital landscape (social media, email, website, response/KB articles with details, blogs), along with your press release and any customer portals you may have.
4. Identify the root cause beyond the technical aspects.
Ascertaining the technical details of a breach is critical, but understanding how people interact with technical tools is equally important to understanding breaches – including, but not limited to, phishing. Whether the weakness lies in upkeep, maintenance/patching, architectural best practices, audit/reporting, data flow mapping, identity/credential and access management, or elsewhere, it involves people and business processes. Understanding the human element is essential to meeting the challenge of security.
5. Strengthen your posture, don’t just remediate.
Developing a robust security posture is an ongoing effort. Immediate remediation steps are important, but it’s more crucial to look at risk exposure over time to ensure data and IP protection. This could take the form of response planning for the security organization, or instituting coaching to fortify the data protection strategy. It takes long-term investment: Target didn’t just eliminate the login credential exposure and focus on in-store wireless network strategy; it rolled out EMV-compliant POS terminals and re-issued REDcards with Chip-and-PIN over an extended timeframe. And its stock price recovered from $55 (Dec 2013) to $60 within 6 months.
Securing an organization is like competing in a track meet: there are a variety of challenges, from immediate, short-term needs like sprints and hurdles, to the endurance and strategy required for long distance events, to the specialized skill-sets required for events like the shot put and pole vaulting. It takes long term strategy, planning, and partnering with the right team to create a winning legacy -- equating to long-term brand equity. Wherever you are in your journey as an enterprise, whether you are racing to the cloud or focusing on safeguarding critical IP in a new service or offering, Forcepoint continues to invest in new innovation around data protection to partner with organizations on their overall security approach. Let us know how we can help!