Your organization most definitely has physical security breach plans in place, but do you also have a data breach incident response plan?
Consider that the average loss in a physical burglary is about $2,000, but in a cyber-attack it’s more like $117,000. By any measure, your organization should be extremely focused on creating a data breach incident response plan.
Cyber crime is in the news continuously. Any level-headed IT director knows it’s a matter of when, not if, a cyber security breach hits home.
Paul Konikowski, a consultant at Command Systems Group, LLC, which serves mission-critical customers including military bases, recently offered up six essential steps for data breach incident response plans to sister site Commercial Integrator. As he writes, there are many variations, but the best incident response plans typically include these steps.
Data Breach Incident Response Steps
Is it a false positive? The IRT should review the logs for vulnerability tests or other abnormalities. What systems have been attacked? What stage has the attack reached? What is the origin?
This provides time to determine the next steps while limiting the spread and the impact. Your team should isolate the system if possible and make a backup for forensic investigation.
Alert everyone on the Incident Response Team including IT, HR, Legal, Operations and Management representatives.
Should law enforcement/FBI be contacted? Experts like FireEye? Third party vendors? Industry peers? How soon should you alert the public?
The laws vary by state in the US. In the EU, the GDPR says within 72 hours.
Your IRP should include a detailed cyber crisis communication plan, detailing who should be contacted in case of an attack, what message that will be conveyed to them, and who has the authority to communicate on behalf of the organization.
Scan all systems for malware. Isolate and disable all accounts and components that have been compromised. Remove access to systems by suspect employee logins. Change passwords, apply patches, and reconfigure firewalls.
This can take a while, so you need to prioritize which systems are most critical to resume functionality.
6. Post-event analysis
What was the dwell time? (time from data breach to recovery) Are changes to policies, procedures, or equipment in order? How effective was the incident response plan? Then, test the revised IRP using a simulated attack.
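The identification questions above (is it a false positive, which systems, what stage, what origin), the GDPR 72-hour notification window, and the dwell-time figure from the post-event analysis can all be answered from the same alert data. The following is an added example, not code from the article or from Command Systems Group; the alert lines, the authorised-scanner list and the four-stage attack model are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for illustration only: (UTC timestamp, origin IP,
# target system, event type). Not taken from any real incident.
SAMPLE_ALERTS = [
    ("2024-03-01T09:00:00", "10.0.5.7", "web-01", "port scan"),
    ("2024-03-01T09:02:00", "10.0.5.7", "db-01", "port scan"),
    ("2024-03-01T11:15:00", "203.0.113.9", "web-01", "sqli attempt"),
    ("2024-03-01T11:20:00", "203.0.113.9", "web-01", "webshell upload"),
    ("2024-03-02T03:40:00", "203.0.113.9", "db-01", "bulk export"),
]

# Assumed: the IRT keeps a list of its own authorised vulnerability scanners;
# their noise is the kind of "false positive" the identification step checks for.
AUTHORISED_SCANNERS = {"10.0.5.7"}

# Assumed stage model, ordered from least to most advanced.
STAGES = ["recon", "initial access", "persistence", "exfiltration"]
EVENT_STAGE = {"port scan": "recon", "sqli attempt": "initial access",
               "webshell upload": "persistence", "bulk export": "exfiltration"}
GDPR_NOTIFY_WINDOW = timedelta(hours=72)


def triage(alerts, authorised_scanners=AUTHORISED_SCANNERS):
    """Which systems were attacked, from which origins, how far each attack
    progressed, and when the first suspicious event hit each system."""
    systems = defaultdict(lambda: {"origins": set(), "stage": None, "first": None})
    for ts, src, target, event in alerts:
        if src in authorised_scanners:  # own scanner: treat as false positive
            continue
        rec = systems[target]
        rec["origins"].add(src)
        when = datetime.fromisoformat(ts)
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        stage = EVENT_STAGE.get(event, "recon")
        if rec["stage"] is None or STAGES.index(stage) > STAGES.index(rec["stage"]):
            rec["stage"] = stage
    return dict(systems)


def notification_deadline(awareness_iso):
    """GDPR: notify the supervisory authority within 72 hours of becoming aware."""
    return (datetime.fromisoformat(awareness_iso) + GDPR_NOTIFY_WINDOW).isoformat()


def dwell_time_hours(triaged, recovered_iso):
    """Dwell time as the article defines it: earliest breach event to recovery."""
    first = min(rec["first"] for rec in triaged.values())
    return (datetime.fromisoformat(recovered_iso) - first).total_seconds() / 3600
```

Running `triage(SAMPLE_ALERTS)` drops the scanner's two port scans and reports web-01 at the persistence stage and db-01 at exfiltration, both from a single origin.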
In conjunction with having an incident response plan, organizations need to provide adequate cyber awareness training to all employees, explicitly telling everyone not only what to do, but also what not to do, in the event of a data breach or cyber-attack.
Setting guidelines for communicating with outside parties regarding incidents is key. You don’t want someone in your organization tweeting “WE ARE GETTING HACKED!!!”, followed by a dozen hashtags, do you?