How to internally respond after a breach

by Nik Whitfield, CEO, Panaseer

There is no such thing as 100% secure.  Frustrating for security professionals, but a fact of life as it’s now not about if but about when.  You will already be busy driving your risk-based approach to security, closing and shutting as many doors and windows into the organization, driving best practice in cyber hygiene and running best practice on your monitoring and detecting.  However, in an era where every company is liable to get hit with a data breach, you also need a rock-solid plan.  One that, should the worse happen, will ensure that your public and internal response douses the fire, not inflame it further.

In this article, I will outline some recommended best practices for how to respond after a data breach internally and what to include in the plan of action. Why is this important? Well given that 2017 smashed world records for the most data breaches, you don’t have the luxury of sticking your head in the sand anymore. How you manage the breach internally will have two significant impacts. First, it will impact your ability to control the external communications and secondly if done right, it will give you powerful insight allowing you to take steps to increase your security and the reduce risk from a similar attempt.  Putting in place a pre-agreed plan of action sets you up for the greatest chance of success.

Ultimately, a good plan will reduce the cost to the business. Currently, the average cost of a data breach is $3.86 million. For the past 13 years, the Ponemon Institute has examined the cost associated with data breaches of less than 100,000 records and found that costs have steadily risen over the course of the study.  We should be preparing for greater and greater costs as more organizations digitally transform and criminals get more sophisticated in their approaches. A robust plan will help minimize the financial or brand costs to the business.

When developing a plan, it’s important to remember that it’s rare for a company to find the breach themselves, so they are often on the backfoot. This is because it’s incredibly difficult to discover a negative, especially when there could be no immediate impact – more often the ‘bad guys’ fish throughout the network for valuable data, which they may hold onto for a long time. Typically, companies are notified by third-party organizations when they have breached, such as when law enforcement finds customer information for sale on the dark web.  According to the study by IBM Security and Ponemon Institute, the average time to detect and contain a mega-breach was 365 days – almost 100 days longer than a smaller scale breach (266 days) – but given the 72-hour mandatory reporting period for GDPR, organizations need to make sure they know exactly how to respond.

The following is a tried and tested process, which you can use as a template for your plan of action for how to internally respond after a breach:

• Roles and responsibilities – it is vital to have an ‘incident response’ team agreed beforehand, with responsibilities assigned. It’s unlikely it will happen during working hours so there will need to be an alert system in place. Do you know whom you need to get in touch with and how? Or where is key information backed-up or stored? You do not want to find yourself in the same position as Maersk frantically calling hundreds of IT admins in data centers around the world searching for domain controllers. It may seem obvious, but, the world tends to get in your way, so plan for all eventualities.  Remembering time is not on your side, for example, once you are alerted to a breach the GDPR clock starts ticking – you can’t waste a moment.

• Identify the root cause – the first job is always to recreate what the attacker did – to be clear on how they got in and how far they spread – following the kill chain.  Verify the extent of the breach and find out what damage was done.  Don’t play nice here.  Make sure you’re completely open about the breadth and depth.

• Gather the data – don’t just stop with data that you might understand, you need to quantify it in terms that the Board will understand.  This is about translating into business risk terms, i.e. potential downtime, customer records impacted.  A lot of CISOs come from a technical background, which can make a challenge to see things in non-technical terms, but it’s imperative that there is a correlation of what this breach means to the business and the extent of the potential business impact.  This stage will also give you tremendous insight into your organizations true risk-appetite for the future.  While it’s easy to talk about, it’s another to experience an incident, and the learnings will spotlight, once this is over, what to focus on to reduce the areas of greatest risk to the business.

• Plug the leak – once you know the damage, you then need to deliver a plan of how you will plug the leak, with recommended actions and a timeline.  To truly do this effectively, you must have been maintaining a well-defined asset inventory.  On average CMDBs are typically only 70-80% complete. I recommend reducing the number of gaps by making sure your approach leverages data from across HR, business, security and IT.  This data needs to be cross-referenced, so you know you’re capturing as many devices as possible. It’s not typical for security, but it’s essential to have a breakdown of devices by at least technology and business attribute, most aligned to your business strategies such as region or product line to understand your exposures and measure your risk accordingly.

• Deliver proof – once you have eradicated the problem across your estate so that an attacker couldn’t get in using the same process it is time to present this proof to the Board. At the same time, you can advise on how this breach has been used as an opportunity to focus on remediating similar areas of high risk, we recommend delivering measurable programs of remediation.  Don’t just raise the IT ticket and assume it’s all done, instead, for example, we recommend tracking through burn-down reporting reports that the work has been undertaken to address the issues and fix any cyber hygiene gaps that may have exacerbated the breach or open you up to a similar attack.  This will also provide you with the reporting that auditors will be expecting when required to share detail externally.

This is just the internal response – the external response is a complete another kettle of fish, which requires its own bespoke plan.  However, both scenarios are similar in the respect that if you don’t have bona fides plan, you will react under pressure, you will result in mistakes and inflame the crisis. It might not be sexy, but by planning now, you’ll experience huge benefits in the long term.

About the Author

Nik is the founder and CEO at Panaseer. He founded the company with the mission to make organizations Cyber-Security Risk-Intelligent. His team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of cybersecurity risk, demonstrate ROI and drive robust cyber hygiene practices.  Over the past 20 years, Nik has held leadership positions in various organizations, primarily building data analytics products. He is recognized by the UK government and industry bodies as a leading entrepreneur and thought leader on cybersecurity and the future of technology.