For most organisations it is no longer a question of if there will be a data breach, but when it will happen. In addition, cyber criminals are turning to blackmail, denying organisations access to data they depend on until they have paid up. For these reasons it is important that, as well as taking steps to prevent data loss and data breaches, organisations have a clear plan for what to do when the worst happens – as, sooner or later, it undoubtedly will.
The first step is to know what data you have and its importance to the business as well as the regulations it is subject to. This is crucial information if you are to make a proper plan for protecting the data and how to respond if it is leaked or lost. It is a challenge made more difficult by the large volume of unstructured data in the form of emails and documents that is created every day.
The best approach is to mitigate the effect of a breach before it happens – for example, by encrypting data at risk so that if it is leaked it is still protected. Make sure that the encryption is implemented to a recognised standard like FIPS 140. This will make dealing with a breach much easier.
A key objective of IT services is that systems, data and applications are available to authorised users when and where they are needed. While an important aspect is concerned with protecting data against leakage, there are still scenarios in which it can be irretrievably lost. The possibilities include disaster events like hardware failure, fire or flood as well as a ransomware cyber-attack.
Organisations need an up-to-date and tested disaster recovery plan. This plan should take account of the business-criticality of the data and should be part of the general business continuity plan. Backups, archives, redundant databases, offsite storage – even printed reports that can be used to reconstruct information – should all have a place in this plan.
As well as disaster recovery, data breach management and damage mitigation activities need to be worked out, documented and tested to ensure the organisation’s reputation does not suffer when a breach occurs and that all applicable laws and regulations are satisfied.
The first step is to know that information or data has been lost or leaked. The sooner you detect that a breach has occurred, the sooner you can take action to mitigate the consequences and prevent further damage. Detection requires that you have processes and monitoring in place and working to spot anomalous network traffic and system activity and to track media and devices that contain data.
In the event of a data breach, organisations will need a list of those parties they need to notify. This list should also include the timeline for notification and the information that must be transmitted. It should go without saying that this list should be kept in multiple places.
Prepare templates for letters to persons or organisations affected by the breach so that only a few essential details need to be added before they can be sent out. The same is true of press releases, which should be kept updated as circumstances change. Remember: your organisation is the custodian of the data that has been breached; the people who entrusted you with that data deserve a timely and respectful explanation of what happened, what action you are taking and what action, if any, they need to take.
Handling the press is a key aspect of damage limitation following a breach. A quick response will help avoid pointed questions in the immediate aftermath of a leak or loss. Holding back on admitting that a data leak has occurred simply makes you look either negligent or in the throes of a cover-up. Admit honestly what has happened and show that you are taking the right steps to put matters right. If you aren’t ready with a response, your organisation’s reputation could be at risk.
In a nutshell, you must make sure you have a data breach resilience plan covering what to do when data is lost or leaked. This plan should cover the organisation’s statutory and legal obligations to inform regulators and individuals, how to manage the business impact of the breach, and how to handle the media when an incident occurs.
Mike Small is an ISACA member and senior analyst at Kuppinger Cole
This was first published in July 2014