5 steps to take when a data breach hits
- 08 October, 2014 00:46
The IT industry has an answer to almost every security problem. Need to lock down an app server to ward off hackers? There's likely a product available for that. Same goes for making sure a stolen Android phone uses strong authentication to keep a hacker from stealing data.
However, if the worst does happen say, the hackers manage to break into a server and steal credit card numbers from a database it can be hard to know what to do next (other than panic). CIO.com spoke to several security and legal experts to find out what to do after a leak occurs. Here are their five steps for how to survive a data breach, in chronological order.
Address the breach immediately
Experts agree on the first step: Solve the problem and fix the data leak. Marc Malizia, the CTO of the IT consulting firm RKON Technologies, says it's important to address the security flaw. Determine what server, or servers have been compromised.
"Once located, a disk image of those servers should be made in order to preserve their state," he says." To protect chain of custody in the event of a lawsuit, these images should be read-only and secured." Finally, he adds, put in place a containment strategy "to ensure the compromised server cannot infect other servers or devices.
Form a task force
Almost every expert says another critical early step is forming a team to deal with the breach. You can't report a breach to the authorities and the legal department until you have a task force to lead the charge and communicate about progress.
[ How-to: Breach blanket: To contain the damage, plan ahead way ahead ]
Pat Calhoun, the senior vice president and general manager of network security at McAfee, says a "Seal Team" needs to be assembled immediately to carry out any additional steps. Attorney Tatiana Melnik adds that a company has to speak with one voice after a data breach; this team is response for making sure all information about the issue is reported in a concentrated effort.
Test the security fix
Once the problems have been resolved and a team is ready to lead a counter-offensive and even before moving on to the stage of communicating about the breach outside of the organisation it's important to make sure the flaw is fully resolved.
This may require having the security team look through server logs again or running penetration tests. It may require investigating whether other servers, or a cloud infrastructure, are also susceptible.
"Companies should undergo a rigorous penetration test by an external team of experts," says Chris Pogue, senior vice president for cyber threat analysis at Nuix, a company that analyses unstructured data.
"This is really the only way of ensuring that the fixes that have put in place are fulfilling their intended purpose. The penetration test will also help to identify potentially unknown attack vectors that could be used by future attackers."
Contact outside parties
Once the problem is under control, Calhoun says the task force should start notifying the local authorities, the internal legal department (and any outside legal experts), and the public relations department. It's important to communicate about the breach after the problems have been resolved meaning, all resources should be used to stop the breach first.
In some industries, such as healthcare and financial services companies, there are requirements for reporting the data breach within a set period of time. Data breach notification laws vary on state and federal levels, but they could require disclosure in as little as 24 hours. However, Calhoun says not all data breaches come with that requirement: "Disclosure comes as a part of what happened if credit cards were stolen vs. a breach of internal intellectual property."
Resolve any related issues
It might seem obvious, but companies must address the long-term implications of the breach by resolving any other related problems throughout the organization. The security flaw that led to a breach must be fixed immediately, but "remediation" is a thorough process that can take much longer and involves looking for other potential flaws, Calhoun says. Without remediation, another strike could occur, as the firm has become now a target for attack.
"Companies should make a remediation plan that's tailored to the incident. This means that the company must undertake a true and honest assessment of what happened and the cause or causes for the incident," Melnik says. "The remediation plan should include addressing any security issues, but also employee training and monitoring programs."
After this remediation stage, there are additional steps to take continued analysis of the security infrastructure, for example, as well as more penetration testing and additional remediation. But Calhoun says the first steps of fixing the breach and reporting it to authorities are the most critical.