What to do after a data breach
One of the many goals of a security professional is to avoid data breaches. Data breaches are virtually inevitable and an event that many organizations may experience at some point. Remember—organizations need to plug every gap, while cybercriminals only need to find one. Here is what to do when your data may be compromised:
Step 1: Find out if you your system(s) has been compromised.
An immediate and effective response is integral. Determine what information was compromised. Act quickly, without panicking and/or rushing.
Step 2: Implement your response plan.
Now is the time to execute the response plan that you and your team have developed and rehearsed. This includes two key components: 1. make sure your legal counsel is engaged and part of the response plan; and 2. preserve the digital chain of custody to ensure evidence is neither edited nor omitted. No matter how you have planned for this moment, adapting is key.
Prior to a Data Breach:
- Review your legal and ethical responsibility ahead of time. Your incident response team must understand, anticipate, and agree on the expectations of your business by customers and stakeholders, as well as the ethical obligation to respond to the incident in a timely manner.
- Select an external cyber forensics firm. If brought in immediately, cyber forensics experts can identify the breach trail to determine exactly what happened.
- Develop a crisis management action plan with your corporate communications manager. This plan should include pre-developed messages, including press release templates, that generally address the situation, with details that can be filled in quickly at the time of the incident. Make sure that you have identified a spokesperson to articulate mitigation efforts, corporate messages, and the next steps. Decide how you want to communicate with the public, stakeholders, and customers.
- Use the S.O.A.R. Method: Security, Orchestration, And Response. This exercise forces an organization’s incident response team to conscientiously practice an anomalous event in anticipation of what could happen. Think of this as the dry run for your “we’ve been compromised, now what do we do” moment.
Step 3: Communicate. Communicate. Communicate.
Have an incident response plan that includes prompt response to stakeholders, customers, the teams that protect your organization (e.g., your legal team, cyber forensics external consultant, cybersecurity insurance representative), and anyone else that needs to know their private data was just compromised or stolen. Communicating that you are working to protect their security may give customers the confidence they need to stay with your business after the breach.
Step 4: Prepare the Postmortem.
Be prepared to ask the tough questions, review all the forensic evidence, and discuss what worked and what didn’t. To preserve your organization and brand, you must act on your discovery. Conducting a data breach postmortem may provide your business with improvements on future security practices and information technology infrastructure, for example, the creation of new security policies.
Step 5: Implement Your Postmortem Plan.
Post-breach organizations should have an action plan that incorporates two key elements: a revised plan that includes the lessons learned from the breach and recovery effort; and exploring your options for decreasing your risk, such as investing in HITRUST.
The Value of HITRUST CSF Certification Post-Breach
A critical part of the analysis that organizations should conduct following an incident or breach includes putting a get-well plan in place to avoid another incident. There is no such thing as perfect security. Today, a breach is almost inevitable, but there are ways to significantly decrease that risk. Regardless of your program maturity level, HITRUST provides an approach to help your organization enhance its existing security infrastructure. Upon the final determination of how the breach occurred, HITRUST can help you with a complete risk management solution. The HITRUST CSF has the prescriptive privacy and security controls to help your organization address holes and leaks.
The value of a HITRUST CSF Certification is that it gives assurances to other organizations that you are taking the right approach—The HITRUST Approach—to bring your organization and brand back on track following a breach. It is important to remember that this is a long-term investment in security for your organization, which will lessen your risk over time.
Forrester Consulting has shown organizations that implement a Capability Maturity Model and have the highest level of maturity— even when limited to the area of identity and access management— incur roughly “half the number of breaches as the least mature … [and save] 40% in technology costs and an average of $5 million in breach costs.”