It was the “worst year ever” for data breaches, again. According to data from the Online Trust Alliance (OTA), the number of cyber incidents targeting businesses doubled in 2017, fueled in part by the increasing reach of new attack methods. The number of reported breaches is likely lower than the actual number: in many cases, companies either choose not to report cyber attacks or aren’t even aware they’ve been victimized until long after data has been damaged or exfiltrated.
So, is all hope lost? Should we turn off the internet and go home? No, with the right incident response and breach plan in place, businesses can improve response efficacy and reduce the impact of network compromise. Here are five tips for data breach planning to drive improved outcomes.
Recognize that all businesses — regardless of size or market vertical — are potential data breach targets. This is especially critical for SMBs, which often see their limited data set as less valuable to potential hackers. That is an outdated view from a time when attacks weren’t so automated. Just as a spammer sends many emails on the tiniest chance of a single bite, attackers scan the internet looking for any network or system they can penetrate. If you are prominent enough to have received a spam email, you are being attacked. As a smaller business, however, you may lack robust IT security capabilities, and hackers view SMBs as easy targets and use them as a proof-of-concept for new attack methods. Bottom line: Attackers don’t discriminate.
It’s critical for companies to continuously monitor their current IT infrastructure to determine potential avenues of compromise. For example, insecure network devices or risky employee behaviors — such as downloading unapproved applications — could put companies at risk. Consider using an external partner to assess network vulnerabilities from the perspective of an attacker; this can provide valuable data on specific weak spots, since no organization can see its own blind spots.
“There is no teacher but the enemy.” — Orson Scott Card, Ender's Game
Boost Basic Defense
Once you’ve identified the key risks, you need to boost basic data defense. Start by categorizing critical data in your organization. It is hard to focus on protecting your most valuable data if you don’t know what data is valuable. Disaster recovery and backup tools can help. What are you protecting with these tools, and why? Answering these questions gives you a breach plan baseline — which data must be defended and at what costs?
Next, leverage industry best practices to improve overall IT security. Encryption is first. Any data on your system — stored, in transit or in use — should be encrypted with strong encryption keys. Even if hackers get their hands on critical files, encryption makes data much harder to access.
It’s also a good idea to implement two-factor authentication. Practically speaking, this means requiring staff to use one-time passcodes in addition to usernames and passwords. As a result, “account spoofing” by attackers becomes much more difficult, since they must first gain access to the second-factor keys as well as the password.
Finally, make sure you are regularly testing networks for potential attack vectors. Just as attacks are continually evolving, network and application security must be dynamic rather than static — regular tests help businesses address both current and emerging threats.
Despite the rise of malicious attacks, many businesses consider their employees the biggest risk to cybersecurity. Why? Even staff members with the best intentions often lack good security hygiene. As a result, robust data breach plans must also include employee training to reduce the chance of accidental compromise. This training should take place at least every six months and include best practices to avoid “phishing” scams along with clear policies about what type of apps are permitted on the corporate network. Good security hygiene requires you to have buy-in from the entire organization, and your employees can’t help if you don’t let them know how.
Ideally, companies want to create a culture of corporate responsibility. Make it clear to staff that reporting potential security issues is encouraged and won’t be met with suspicion or blame.
Despite best-laid plans, data breaches will happen. As a result, companies need to create incident response teams before a breach is detected, so they are ready to tackle these challenges head-on.
First, identify specific personnel — including at least one C-suite member (or, in SMBs, the business owner) who can liaise with other executives or stakeholders. Then, build a team composed of high-level IT professionals and frontline staff, along with backups in case staff leave the company or are on PTO.
Next, detail specific actions the team will take after a data breach. This includes quarantining affected network systems, identifying potential data loss and ensuring backup data is available. Staff should also document all attack and response data for a later debriefing and long-term breach response improvement.
Once this team is in place, it is a good idea to run occasional breach simulations. These could be as complicated as actually switching over to a disaster recovery site or as simple as a role play where the team sits on a video call and says what they would do in response to an unfolding scenario. It is a shame that not every organization has a member with extensive Dungeons & Dragons experience to run the breach simulation, but in all seriousness, it doesn't take much to expose the implicit assumptions of your team when you walk through a scenario.
Finally, make sure you have a response package ready to go in case of a data breach. This includes a notice letter to affected parties, along with media materials describing the work of the data breach response team and questionnaires that potential breach victims can fill out to determine their risk.
Checklists to determine the need for law enforcement response and/or compliance agency notification are also critical. Local laws determine the criteria for police involvement, while data handling frameworks (such as HIPAA or PCI DSS) demand specific response actions and may levy fines for improper data handling or noncompliance. Creating a breach response package streamlines the notification process and reduces the chance of potential missteps.
Data breaches don’t discriminate — businesses of any size and industry are potential targets. Improve response outcomes with a data breach plan that recognizes risk, boosts native defense, educates staff and includes both a dedicated response team and data breach response package.
Dr. Aaron David Goldman Ph.D. is Senior Security Researcher at tCell.
He received his Ph.D. in Electrical and Computer Engineering from the Georgia Institute of Technology. Since then he has worked securing networks at a university, a government contractor, Fortune 500 companies, and startups. Now he works at tCell, changing the nature of the information security game by researching the next generation of Web Application Firewalls.