Believe it or not, a data breach isn't the worst thing that could happen to your organization. Reacting poorly to the incident could be, however.
Experts agree every organization that stores personal or financial information about customers, partners or employees or that has intellectual property in electronic form should be considered a target — that's arguably just about every organization doing business. Instead of assuming data breaches happen only to large financial services companies or retailers, companies large and small in every industry should be prepared to react to help minimize damage and quickly restore customer confidence, they say.
"It makes all the difference in the world" if a company is prepared to respond to a data breach or other type of cyberintrusion, says Tom Bowers, managing director of Security Constructs, a security services firm based in the US.
Here is a list of what companies should do and what they should avoid doing in the case of a data breach, besides putting a computer-emergency response team in place to react to such incidents.
The list is compiled from interviews with consultants and security experts who have had to deal with these incidents or who have been called in to help companies immediately following an attack:
DO confirm and contain the problem.
This seems obvious, but in the stress and confusion of the moment, the importance of knowing exactly what happened can get lost. Once evidence of a potential data breach has been uncovered (customers complaining of fraud alerts on their credit cards, server logs showing unauthorized access to sensitive data, and so forth) security professionals should work with the IT team to determine whether a breach happened and how it happened, and to fix the weakness if possible.
"You need immediate containment; that's where the network and system folks jump in, and you need to let that team do its job," says Ed Zeitler, executive director of the International Information Systems Security Certification Consortium and former CISO of Charles Schwab.
DON'T contaminate the crime scene.
Decide whether the IT team can plug the security leak without modifying the computers from which the data was stolen; if not, call in security experts — preferably a company you have hired beforehand and have put on retainer to help in case of an incident. While this may delay reacting to an incident, it could help your company down the road.
"Often we see [an incident] could be an open-and-shut case, but the company muddied up the crime scene and so law enforcement won't achieve prosecution," says Bryan Sartin, vice president of investigative response with security services provider Cybertrust, which in May Verizon Business announced plans to acquire.
DO communicate with and rely on other departments.
You don't want legal counsel involved to the point that they are combing through log files, but security professionals who alert other key departments — legal, compliance, human resources, public relations, marketing and of course, the executive team — will put themselves on a better footing if they alert key departments in the breach's early stages, rather than at a point that could be construed as after-the-fact.
What's more, security professionals should rely on all these resources for help in the case of a breach. "The security person shouldn't feel they own the responsibility of what steps to take for the company; they should leverage resources and collaborate," says Randy Barr, CSO of WebEx, a conferencing and collaboration services provider that Cisco in March 2007 announced it plans to acquire. Because responding to a data breach is a multifaceted process that can include alerting customers, issuing press releases, dealing with regulators and possibly even litigation, security professionals should leverage the resources available to them, he says.
"Security is not 100 percent; you're in a race to protect yourself and your customer data. The biggest thing is not having to rely on your security program to address [all] the issues," Barr says.
DON'T go on the defensive.
"You need to keep an open mind," says an investigation manager with a US financial services company who has been called in to help his company's partners deal with security incidents, and who asked that his name and his company's name not be used. "A lot of times these guys are walking into a boardroom with the CEO, COO, CIO and head of IT, and all they're saying to themselves is, 'My job is going down the tubes,'" he says. "Go into it with an open attitude and spirit of cooperation, that's how you'll want to be perceived."
DO remember that it's not only your job that could be affected by a breach.
While some security professionals may believe it's best not to bother the executive team with details of an incident, those executives can be held accountable and therefore need to know what's happening. "While customers might be becoming a little more desensitized to data breaches [because they're in the news so often,] CIOs are becoming a lot more sensitized," says Security Constructs' Bowers, who previously was senior manager of information security with US-based Wyeth Pharmaceuticals. "That's what is driving money into security: More companies are saying we need to meet these privacy regulations because they could affect our stock price . . . and bonuses."
DO be honest in communicating with the public, customers, employees and partners.
How a company alerts people to a breach is the first step in rebuilding their confidence in the organization. Without giving away too many details, offer an honest assessment of what happened. If the company has no reason to believe the stolen data has been used by the criminal, state that, too.
DON'T go public until you know what happened.
If a company has to change its story about what happened — a la TJX — their credibility is instantly eroded. "You can cause panic sometimes," says the investigation manager. "TJX released information that wasn't necessarily true [about the extent of stolen information and when it was compromised] and caused the people who were working on that case trying to identify the extent of the breach to be sidetracked trying to answer the feeding frenzy in the media," he says.
"They did exactly the wrong thing."