Damage limitation: best practices following a data breach

Treasury professionals and the systems they use are prime targets for cyberattack, thanks to their privileged access to business-critical information and assets. When your company is targeted, it’s vital to have a concrete plan to reduce the damage done by a data breach.

The most recent study from Michigan-based independent research centre the Ponemon Institute, which publishes an annual assessment spread over 11 countries, found that the average cost of a data breach had increased by 23% over two years and reached close to US$4m in 2015. By following the advice below, businesses have a much better chance of keeping their heads above water in the event of a cyberattack.

Scrutinise your data

The key to being able to mitigate a breach is to be prepared and to keep a close watch on the company's critical assets: financial plans, intellectual property, customer or employee data, business operational data and business continuity applications, such as point of sale (PoS), inventory control system (ICS) and supervisory control and data acquisition (SCADA) systems.

With logging and monitoring in place around those critical assets, the IT security and operations groups can use their tools and processes to quickly sort through the captured event data and understand how, when and by whom the security breach occurred. They can also use the same tools to identify which systems were compromised and to determine whether the attackers are still inside the infrastructure.

For an organisation to properly detect and scope a breach, it must be able to reconstruct the sequence of events from the logs and data it has captured and answer five key questions:

1. What systems and data are affected?
2. How did the breaching party do it?
3. Who is responsible?
4. Is the breach over (have they stopped the attack)?
5. Could it happen again, and what measures do we need to take to prevent it?

If these questions are properly answered, key information and concrete evidence will have been captured. This enables the IT security groups to see which controls were bypassed or circumvented and which measures need to be implemented to improve the organisation's security and compliance posture.
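As an added example (not from the original article), the following Python script shows what reconstructing events from captured logs looks like in practice for the first four questions above. The log format, hostnames, IP addresses, account names, the password-guessing threshold and the 24-hour "quiet period" are all constructed assumptions for the example; a real investigation would draw on the organisation's own SIEM or log pipeline and its own asset inventory.

```python
"""Reconstruct a breach timeline from captured log lines and answer:
what systems were affected, how the attacker got in, which accounts and
sources were used, and whether the activity appears to have stopped.

Added example; the syslog-like format, inventory and thresholds below are
assumptions made for illustration, not a standard or a product's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): "<ISO time> <host> <program>: <message>".
SAMPLE_LOGS = """\
2015-06-01T02:14:07+00:00 pay-db01 sshd: Failed password for admin from 203.0.113.45 port 51022
2015-06-01T02:14:09+00:00 pay-db01 sshd: Failed password for admin from 203.0.113.45 port 51023
2015-06-01T02:14:11+00:00 pay-db01 sshd: Failed password for admin from 203.0.113.45 port 51024
2015-06-01T02:14:12+00:00 pay-db01 sshd: Accepted password for admin from 203.0.113.45 port 51025
2015-06-01T02:16:30+00:00 pay-db01 sudo: admin : COMMAND=/usr/bin/mysqldump payments
2015-06-01T02:21:05+00:00 pay-app02 sshd: Accepted publickey for svc_batch from 10.0.1.11 port 40011
2015-06-01T02:25:40+00:00 pay-app02 proxy: CONNECT files.example.net:443 bytes_out=851M
2015-06-01T02:26:00+00:00 pay-db01 sshd: Accepted publickey for ops from 10.0.2.5 port 40110
"""

# Constructed asset inventory (hostname -> IP); used to recognise lateral movement.
HOST_IPS = {"pay-db01": "10.0.1.11", "pay-app02": "10.0.1.12", "ops-bastion": "10.0.2.5"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse(text):
    """Parse log lines into event dicts, enriching auth events, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        a = AUTH_RE.match(e["msg"])
        if a:
            e.update(a.groupdict())
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(events, external_sources, now, quiet=timedelta(hours=24),
                guess_threshold=3, guess_window=timedelta(minutes=5)):
    """Walk the timeline once, following the attacker from known hostile
    sources onto hosts and from compromised hosts onto further hosts."""
    ip_to_host = {ip: h for h, ip in HOST_IPS.items()}
    compromised = {}                 # host -> time of first attacker login
    accounts = set()
    attacker_events = []
    failures = defaultdict(list)     # (host, source ip) -> failed-login times
    vector = None
    for e in events:
        if "result" in e:
            key = (e["host"], e["ip"])
            if e["result"] == "Failed":
                failures[key].append(e["ts"])
                if e["ip"] in external_sources:
                    attacker_events.append(e)
                continue
            src_host = ip_to_host.get(e["ip"])
            hostile = e["ip"] in external_sources or src_host in compromised
            if not hostile:
                continue             # e.g. a legitimate login from an uncompromised host
            compromised.setdefault(e["host"], e["ts"])
            accounts.add(e["user"])
            attacker_events.append(e)
            if vector is None:       # first successful hostile login explains "how"
                recent = [t for t in failures[key] if e["ts"] - t <= guess_window]
                how = "password guessing" if len(recent) >= guess_threshold else f"{e['method']} login"
                vector = f"{how} as {e['user']} from {e['ip']}"
        elif e["host"] in compromised and e["ts"] >= compromised[e["host"]]:
            attacker_events.append(e)  # activity on a host after the attacker arrived
    last = attacker_events[-1]["ts"] if attacker_events else None
    return {
        "affected_systems": sorted(compromised),
        "initial_access": vector,
        "responsible": {"sources": sorted(external_sources), "accounts": sorted(accounts)},
        "first_attacker_activity": attacker_events[0]["ts"] if attacker_events else None,
        "last_attacker_activity": last,
        # "Is it over?" is a judgement: no attacker activity for a whole quiet period.
        "appears_over": last is not None and now - last > quiet,
    }


if __name__ == "__main__":
    summary = reconstruct(parse(SAMPLE_LOGS), {"203.0.113.45"},
                          now=datetime(2015, 6, 3, 9, 0, tzinfo=timezone.utc))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

The script ties the answers together rather than reporting them in isolation: a login from the external source marks pay-db01 as compromised, the later key-based login to pay-app02 from pay-db01's address is then attributed to the attacker (lateral movement), and the large outbound transfer from pay-app02 becomes the last known attacker activity, which is what the "is it over?" judgement is based on. The login to pay-db01 from the uncompromised ops-bastion is correctly left out.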

Discovering a breach

Unfortunately, organisations rarely detect that they have suffered a breach until an external party informs them of it. Today, most breaches become known to the organisation when it is notified either by a government agency, such as the police, the Federal Bureau of Investigation (FBI) or the UK's Government Communications Headquarters (GCHQ), or, worse, by the party that breached it. In the latter case, this happens when the breaching party either blackmails the victim or distributes the illegally obtained material on the Internet.

The first response

The initial responders will typically be the IT security and operations teams, but an organisation should be prepared in advance and have identified the key members of its breach response team.

Depending on the type of breach, people beyond the IT security incident response (IR) team, such as the chief information officer (CIO), the chief information security officer (CISO) and a legal representative, may need to become involved.

For a more impactful breach, a larger team encompassing the chief executive officer (CEO), CIO, CISO, legal, human resources (HR), IT security and the IR team, as well as a representative from law enforcement, should be considered. For a high-visibility breach, it is good to have public relations (PR) on the team so that the right message reaches the public and the messaging is kept under control.

Common mistakes

A common mistake that organisations make is to underestimate the seriousness of a breach. Typically, teams are unprepared and do not take the time to properly investigate and analyse the events they have captured, so they never understand the full depth of the compromise.

Often, they also tend to minimise external communication about the impact of the breach, or under-communicate to the parties who have suffered from it. An organisation needs to find a balance between over- and under-sharing.

Are there any best practices to follow when it comes to breach mitigation, outlined by respected organisations?

It is not necessary to re-invent the wheel, as there are plenty of well-founded best practices published by organisations such as the Computer Emergency Response Team (CERT), the US SANS Institute and the National Institute of Standards and Technology (NIST), whose Special Publication 800-61 covers computer security incident handling. In any case, the most important foundation of any plan is being prepared. It is extremely important for the incident response team to be ready and able to execute the process, and a key aspect of being prepared is to practise, practise, practise.

Managing the flow of information

The flow of information should be at the centre of the incident response process. The process should define which conditions detected during a breach trigger notifications to which key people. A simple breach with little impact may only require reporting to the CISO, while a breach that has the potential to affect the organisation's intellectual property (IP) or brand reputation requires immediate notification of the CEO and possibly the board.

Avoid repeating the same mistake

A good incident response plan typically includes a formal and documented "lessons learned" phase. This is a key best practice for ensuring that the means used to commit the breach are understood, that remedial security controls are put into place and that improvements to user awareness programmes are deployed.

Revisiting the five questions in this phase turns the captured information and evidence into a record of which controls were bypassed or circumvented and which measures must be implemented, so that the next incident is met with a better security and compliance posture.
