Let’s Pretend You've Been Breached. Now What?

Let’s pretend You've Been Breached. Now What?.jpg

By Smit Kadakia

If your business hasn’t fallen victim to cybersecurity attacks, you’re lucky. But you won’t be forever.

With attacks occurring every 39 seconds, everyone gets breached sooner or later. Even organizations that have seemingly robust cybersecurity solutions in place aren’t immune. Just as a lock on your house or a physical security system can deter thieves but not stop them from trying, cybersecurity point products can’t eliminate the problem. As is apparent in the headlines, attacks are everywhere, from the Equifax breach and Russian hacking of the U.S. grid to Iranian hackers who targeted 300+ universities around the world.

The impact of breaches on your business can be devastating. A single cyberattack can cost anywhere from hundreds of thousands to millions of dollars, not to mention the loss of customers and future revenue. And if yours is a small- or medium-sized organization (SMB), the stats are just as alarming: more than 60 percent of SMBs close shop within six months of an attack.

The good news is that there are steps you can put in place to mitigate the damage, but you have to plan in advance so you can put them into action quickly. More than 70 percent of businesses say they’re not prepared. And as Benjamin Franklin said, “By failing to prepare, you are preparing to fail.”

How to Prepare for the Inevitable

A comprehensive action plan, prepared well in advance of any attacks, can help you preserve your reputation and revenue, and ensure business continuity. It should include the following items:

1. Post-Breach Damage Assessment

Identify your datasets and their specific content, and prioritize their importance since this will become the order in which you’ll assess damage post-breach. Determine the quantifiable metrics and steps you’ll take to measure and correct the damage.

For example, which corrective action will you take to win an individual’s confidence back if a breach impacts his/her personal data? If renumeration will take the form of external service to minimize impact to that individual, for instance, the cost of such renumeration would be factored into the damage assessment.

2. Procedures to Limit the Damage

Minimizing the time between attack and containment is crucial because the longer the time, the more damage will incur. Containment must be done swiftly — ideally in or near real-time — and parallel to the damage assessment.

Containment methods you can put in place include moving infected assets to a quarantine area, halting the backup process to minimize spreading the infection, blocking the external attacker or disabling the credentials of an attacker. Networking devices, endpoint security tools or an authentication service can help accomplish such containment. However, a unified security solution that can manage all of these disparate artifacts will speed the containment and be more effective.

3. Stakeholder Communications

Company officers and the heads of external communication are among the key stakeholders to be appraised of the breach and continually updated on the findings. These stakeholders should be prepared ahead of time about their specific responsibilities in case of such an event.

Some of the responsibilities include determining key message content, target audiences and timelines for communication. Plan for both external and internal communications and use audience-specific FAQs geared at restoring their confidence in the business.

4. Regulatory Management

Many companies have to comply with their industry-specific regulatory authorities. For example, businesses dealing with European customers or individuals have to follow GDPR guidelines for reporting breaches of personal information. Similarly, businesses dealing with U.S. patient data must comply with HIPAA regulations. Financial industry companies are likely to have to comply with Payment Card Industry Data Security Standard (PCI-DSS).

Maintaining continuous compliance with these regulations and archiving audit records will minimize the effects of any damage and build confidence in the management team and business.

5. Recording the Details

Recording breach-related details is absolutely necessary to manage post-breach and post-containment fallouts. It’s best to have a single person orchestrate all of the actions. The goal is to ensure a good balance between the short-term, quick handling of the breach and the long-term reputation of the business.

Details should include specific actions taken to isolate the effect on valuable data, specific impact, time and duration of the breach, the effectiveness of the containment, communications employed and audience feedback. This type of detailed record will not only help you prepare for communications with stakeholders, customers and regulatory authorities, but will also be valuable in performing retrospection for improved future preparation.

As part of your security measures, you must ensure that the records themselves are not compromised. Maintain encrypted records of your security postures off-site, make sure the records are maintained live, and enforce continuous compliance with your internal standards. Any deviation from such compliance should be immediately flagged with about the same priority as other alerts.

6. Engaging Law Enforcement

Your preparation plan must include designated responsibility for law enforcement reporting. The objective should be prevention of similar attacks in the future to your organization and peers. Law enforcement activities should be recorded and reported. Compliance with regulations such as GDPR require this kind of reporting and records of such reporting in order to stay compliant.

7. Post-Breach Business Continuity and Protection

Preparation must include detailing all the steps and assigning responsibilities to ensure business continuity by enabling smooth transition to an alternate method of service. Business continuity can be achieved through such means as failover infrastructure architecture, disaster recovery sites and off-site back-up/restore methods.

Contemporary hybrid and cloud infrastructures allow almost instantaneous switching to a totally different and unaffected location for accessing critical business data while the breach is being investigated and addressed.

8. Customer Retention and Management

Customers are the crown jewel of the enterprise and must be completely on board with your security readiness. The readiness must encompass both proactive pre-breach communications about attack prevention and expectations about what would happen in the event of a breach, as well as post-breach communications about containment and fixes. The objective here is customer buy-in about your company’s data security management and customer confidence in your business.

9. Risk Mitigation

Risk mitigation is most effective when a breach is quickly detected. But, according to a 2018 Ponemon Institute study, “the average time to identify a data breach is 197 days, and the average time to contain a data breach once identified is 69 days.” The best security protection can only be achieved with near real-time, automated threat detection and containment.

Preparation Is the Best Defense

This breach preparation list may seem daunting at first. However, in today’s world of highly aggressive and increasingly frequent cyberattacks, it’s imperative to address all of these items.

Good preparation, goal-oriented security management and a cybersecurity solution that caters to your needs, addresses most of your important criteria, and minimizes the time from breach to detection to response will enable you to mitigate post-breach damage and preserve your reputation and business.

About Smit Kadakia

Smit leads Seceon’s Data Science and Machine Learning team. Before joining Seceon, as an executive member of the Tradepoint Systems which was later acquired by Kewill Systems, Smit leveraged data analytics to transform the legacy supply chain products to modern, competitive and cost-effective SaaS- based solutions. This allowed Kewill to shorten the revenue recognition cycles while increasing sales.

More About Smit