Breach Strategy: Making the First 24 Count
There’s a lot that can happen in a standard day on earth. 371,000 babies are born, lightning strikes 8.6 million times, around 150 different types of lifeforms go extinct and more than 17,250 websites get hacked. If your organization is included in the latter figure, you and Jack Bauer have something in common: The knowledge that every second of the next 24 hours is crucial.
The first order of business is to remember not to panic and to stick to your team’s emergency response plan. Rushing and acting out of fear is the surest way to guarantee that mistakes happen, valuable information is lost and critical tasks slip through the cracks.
Notify Your Team.
Your team’s disaster response plan should spell out who needs to be contacted first in the event of a breach, starting with your incident lead and your breach response team. They will likely know the procedures for when to issue the call-to-arms to executives, the PR team, the legal team and other members of IT, as well as to external parties such as forensics firms, law enforcement, media professionals and your organization’s notification vendor. Emergency plans for this stage will vary from company to company and depend largely on circumstance and regulatory requirements.
Diagnose and Create a Game Plan.
The first two hours after a breach is discovered are often the most critical and will often determine the ultimate business impact of the incident. With this in mind, it’s important to produce a quick but thorough diagnosis that determines the order in which resolution tasks are carried out. Whether it’s a stolen corporate laptop or a large-scale server hack, gathering all the facts and establishing a timeline before acting prevents resolution items from being missed and lessens the likelihood of a secondary incident stemming from the first. This is the time to ask the important questions: Who discovered the breach and how? What data was lost and when? How did the breach occur and how long has it been going on?
The difference between a few hours of crisis and a hearing with the board starts with good communication. Your point man on the response team should have sound communication skills, complete knowledge of every factor of the incident and the ability to assign capable staff to every key task. This leader should be able to make everyone involved understand their exact role and responsibilities and hold them to those touchpoints. Any ambiguity at this stage is likely to lead to assumptions about what was done and to finger pointing later on. In the many cases where an incident is not an all-hands-on-deck situation, using a scrum system for task assignment is incredibly helpful.
To make the most of the time you have and ensure a clean incident report in the end, be sure that you and your team document each step of the resolution process in painstaking detail. A huge benefit of making sure everything about an incident is captured and on record is having the evidence to show your board and investigators that no stone was left unturned. Even the smallest bits of information can hold the key to stopping similar incidents from happening in the future and provide a benchmark for repeatable processes. This includes time and date stamps, how the incident was reported and any uptick in suspicious network activity before and during the incident’s timeframe. This matters especially if a case is reopened years down the road: documentation is always readily searchable, but human memory isn’t nearly as reliable.
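One way to keep the kind of record described above, as an added example that is not part of the original article: an append-only incident log in which every step carries a UTC timestamp and the hash of the entry before it, so later edits or deletions are detectable when the record is handed to the board or investigators, and which can be searched by keyword years later. The class name, the sample entries and the incident label are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class IncidentLog:
    """Append-only, hash-chained record of incident response steps."""

    def __init__(self):
        self.entries = []

    def add(self, actor, action, details, when=None):
        """Record one step; pass `when` for events reported after the fact."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "actor": actor, "action": action,
                 "details": details, "prev": prev}
        entry["hash"] = self._digest(entry)  # chain: hash covers prev hash
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if every hash and every back-link in the chain is intact."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

    def search(self, term):
        """Case-insensitive keyword search over actor, action and details."""
        t = term.lower()
        return [e for e in self.entries
                if any(t in str(e[k]).lower() for k in ("actor", "action", "details"))]


def build_sample_log():
    # Constructed sample entries for a hypothetical incident, not real data.
    log = IncidentLog()
    log.add("helpdesk", "reported", "User reports unknown login alert on corporate laptop")
    log.add("ir-lead", "triage", "Anomalous outbound traffic seen from finance VLAN; scope unknown")
    log.add("netops", "contain", "Disabled VPN access for finance VLAN; web storefront kept online")
    return log
```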
Remaining calm under pressure is one of the best things you can do during a crisis that could affect millions of your customers. Once remediation efforts have begun, the fine line between discretion and transparency must be weighed when it comes to breach notification. Consult with your legal team to determine which entities need to know now versus which parties can be notified during the standard breach notification process.
In keeping with the idea of discretion during the discovery and cleanup process, resist the urge to go offline completely. Loss of business from server downtime can amount to millions in losses for every hour your online presence is inaccessible to customers. Instead, disable access to any nonessential assets and quarantine the affected business units within reason. Panicking and cutting everything also increases the likelihood of the general public finding out about the breach, which can be incredibly damaging to brand loyalty.
When the situation has moved into the breach notification phase, make sure your networks are as strong and secure as possible. In the same way that well-televised crime sprees can attract copycats, large corporate breaches can attract would-be hackers looking for low-hanging fruit.
If you can follow these tips during your next information security crisis, you’ll probably have more time to watch shows like “24” instead of living them.