
How to build a data breach response plan for your business

Posted by Geraldine Hunt on Tue, Sep 20th, 2016

Data breaches used to be the bogeymen. People lived in fear of their data (or their customers’ data) being leaked to outsiders. Now it is a daily occurrence that no longer warrants a headline in a local newspaper. The bogeyman has morphed; it has become ransomware, holding data hostage for ransom. No matter the source of the security problem, there are steps you can take to deal with the situation.

Follow the incident response plan

Your business has a plan in place for earthquake, fire, and flood. This plan should also address man-made disasters such as security breaches. Data is a business asset like any other. If you need to formulate an incident response plan, there are many templates online. Be sure to store a copy of the plan offsite in printed form.

1. Contact the appropriate people

The security team (or individual) should be contacted immediately. Ensure that all employees know who to reach for any computer-related security problem. The IT help desk should be vigilant for the tell-tale signs of a breach such as:

  • Fake antivirus messages
  • Unwanted browser toolbars
  • Unexpected software installs
  • Ransomware pop-ups

2. Conduct a preliminary investigation

The security team conducts a preliminary investigation to determine the approximate scope of the problem. This should take just a few minutes. Depending upon policy, the network may be disabled immediately to stop any virus from spreading to other endpoints.

3. Define the incident

The next step depends on the type of security incident. If it is easily contained and remediated and no data breach occurred, the security team should carry on after advising management of the incident. If a phishing email was the culprit, it is a good idea to send all employees information about the email so that they can avoid causing a repeat incident.

4. Involve stakeholders

It is important to keep two types of stakeholders involved: the executive team and business managers whose data may be affected by the incident.

5. Security breach notification laws

The law gets involved if there was a data breach. In the US, 47 states have security breach notification laws, many of which require reports to customers as well as regulators. In Canada, the province of Alberta requires notification. For EU-based data, the General Data Protection Regulation (GDPR) will necessitate that data breaches be disclosed within 72 hours starting in 2018.

Depending upon the industry, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley, or some other federal, state, or local law may dictate further disclosure of the breach. The company’s compliance officer is involved in this aspect of the breach.

The FBI encourages companies to report cyber incidents to its Internet Crime Complaint Center. Filing a report with the local police department is a good idea as well. The legal department should be involved in these activities.

You now have a complete incident team. It is important to keep all members apprised of progress in remediation.

6. Analysis and Remediation

Time is of the essence. The security team works quickly to analyze the network and endpoints, examining the most compromised hosts in detail. Once the causes of the compromise are found, the team establishes a remediation plan. Typically, the team determines one or more of the following:

  • Virus signature
  • IP address of the attacker
  • MD5 hash of a malware file
  • URL or domain name of a botnet command and control server

Firewalls, intrusion detection systems, and/or antivirus software are updated to defend against such agents. Affected devices are remediated. If necessary, data backups are used to restore the system to a point in time before the attack. These steps can take hours to days or even weeks.
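The analysis-to-remediation step above, as an added example that is not part of the original post: a small Python script that takes the kinds of indicators the team typically recovers (attacker IP address, MD5 hash of the malware file, command-and-control domain and URL), matches them against proxy log lines and endpoint file-inventory lines, lists the hosts that need remediation, and turns the indicators into tool-neutral updates for the firewall, DNS/web filter and antivirus. Every indicator, hostname, path and log line here is constructed for the example; the IP addresses come from the RFC 5737 documentation ranges and the "malware" hash is computed from a harmless placeholder string.

```python
"""Match indicators of compromise (IOCs) from an investigation against
proxy and endpoint logs, then derive the hosts to remediate and the
controls to update.  All IOCs and log lines are constructed for this
example; the IPs are from the RFC 5737 documentation ranges."""
import hashlib
import ipaddress
from urllib.parse import urlparse

# Indicators the investigation produced (constructed, hypothetical values).
MALWARE_MD5 = hashlib.md5(b"constructed stand-in for a malware sample").hexdigest()
IOCS = {
    "ip": {"203.0.113.45"},                      # attacker / C2 IP address
    "md5": {MALWARE_MD5},                        # hash of the dropped file
    "domain": {"c2.example.net"},                # botnet C2 domain
    "url": {"http://c2.example.net/gate.php"},   # C2 check-in URL
}

# Constructed proxy log lines: timestamp host src_ip dst_ip url
PROXY_LOG = """\
2016-09-19T08:01:12Z ws-017 192.0.2.17 198.51.100.8 http://intranet.example.com/
2016-09-19T08:03:44Z ws-017 192.0.2.17 203.0.113.45 http://c2.example.net/gate.php
2016-09-19T08:05:02Z ws-042 192.0.2.42 203.0.113.45 http://c2.example.net/
2016-09-19T08:09:30Z ws-101 192.0.2.101 198.51.100.9 http://vendor.example.org/update
""".splitlines()

# Constructed endpoint file-inventory lines: host path md5
FILE_LOG = f"""\
ws-017 C:\\Users\\alice\\AppData\\Roaming\\svchost.exe {MALWARE_MD5}
ws-042 C:\\Windows\\System32\\notepad.exe {hashlib.md5(b'benign').hexdigest()}
ws-077 C:\\Users\\bob\\Downloads\\invoice.exe {MALWARE_MD5}
""".splitlines()


def proxy_hits(lines):
    """Return (host, ioc_type, indicator) for every proxy line touching an IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing mid-incident
        _ts, host, _src, dst, url = parts
        domain = urlparse(url).hostname or ""
        if dst in IOCS["ip"]:
            hits.append((host, "ip", dst))
        if url in IOCS["url"]:
            hits.append((host, "url", url))
        elif domain in IOCS["domain"]:
            hits.append((host, "domain", domain))
    return hits


def file_hits(lines):
    """Return (host, 'md5', path) for every inventory line whose hash is an IOC."""
    hits = []
    for line in lines:
        host, rest = line.split(maxsplit=1)
        path, digest = rest.rsplit(maxsplit=1)   # path may contain spaces
        if digest.lower() in IOCS["md5"]:
            hits.append((host, "md5", path))
    return hits


def affected_hosts(proxy_lines, file_lines):
    """Hosts that need remediation (re-image or restore from a pre-attack backup)."""
    return sorted({h for h, _, _ in proxy_hits(proxy_lines)}
                  | {h for h, _, _ in file_hits(file_lines)})


def control_updates(iocs):
    """Translate IOCs into tool-neutral control updates; map each to the
    actual syntax of your firewall, DNS/web filter and antivirus console."""
    updates = []
    for ip in sorted(iocs["ip"]):
        ipaddress.ip_address(ip)  # validate before it becomes a firewall rule
        updates.append(("firewall", f"deny any -> {ip}"))
    for dom in sorted(iocs["domain"]):
        updates.append(("dns-filter", f"sinkhole {dom}"))
    for url in sorted(iocs["url"]):
        updates.append(("web-filter", f"block {url}"))
    for digest in sorted(iocs["md5"]):
        updates.append(("antivirus", f"quarantine md5:{digest}"))
    return updates


if __name__ == "__main__":
    for hit in proxy_hits(PROXY_LOG) + file_hits(FILE_LOG):
        print("HIT", *hit)
    print("Remediate:", ", ".join(affected_hosts(PROXY_LOG, FILE_LOG)))
    for control, rule in control_updates(IOCS):
        print(f"{control:>10}: {rule}")
```

The script deliberately separates the evidence (which hosts touched which indicator) from the response (which controls to change), so the incident team can hand the first list to the people rebuilding endpoints and the second to whoever administers the perimeter and antivirus, and keep both as part of the incident record.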

7. What happens to the company during this time?

Depending on the severity of the compromise, the network could be nonoperational or restricted during the analysis and remediation phase. Website-based companies are, of course, nearly dead in the water since their revenue derives from online customers. Other types of companies are also greatly affected, as shown by the recent ransomware attack on the Hollywood Presbyterian Medical Center:

  • Without email, doctors and nurses had to communicate by fax or in person.
  • Patients’ treatment histories were not available since medical records were maintained online.
  • Test results could not be shared easily within the hospital or with external entities.
  • Paper records were used for registering patients. This system could not handle the customary volume of patients, and some patients were transferred to other hospitals.

Hollywood Presbyterian had no usable data backups to restore operations, and remained in these dire business straits for 10 days, finally paying cybercriminals $17K for the keys to decrypt their own data.

8. The security incident might be the tip of the iceberg

It is not uncommon for the team to discover during its investigation that there are further security problems. The system may have been compromised for months or even years. Consider the Heartbleed vulnerability. It was introduced into the software in 2012, but not publicly disclosed until April 2014.

The security incident being addressed could actually be the prelude to a larger attack. This is especially the case if phishing emails are involved. A smaller attack could consume security personnel's time and effort while a larger attack sneaks in under their radar.

Hacks are not always perpetrated by outsiders. Reports from various security organisations indicate that at least 15% of attacks come from an insider who may have access to credentials to repeatedly attack the system. Of course, some incidents are the result of employee mistakes. Training and assigning credentials using the principle of least privilege are the best remedies in this case.

The security incident possibly could have been avoided if appropriate software, software settings, or hardware had been in place. Consider using email filtering software such as SpamTitan Cloud, a robust email security solution. For general internet threats, consider WebTitan Cloud, a web filtering service which allows you to monitor, control and protect your business and users from online threats.

9. Lessons Learned - Full Review

Within a week of cleaning up a breach, the team should meet to determine what went right and what went wrong. The incident response plan should be updated to reflect the lessons learned. Given the inevitability of attacks, the company will be better prepared when (not if) the next attack comes.
