7/27/2015 01:36 PM
Stephen Treglia
Commentary

The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

If your organization experienced a data breach, would you be prepared?

In this situation you need to act quickly, not only to meet the compliance regulations that apply to you but also to limit the scope of the damage the breach causes. According to a recent Ponemon Institute report, the average per-record cost of a data breach rose 12 percent over the past year, and the report also showed a direct correlation between how quickly an organization identifies and contains a breach and the financial consequences it suffers.

What should an effective data breach response plan look like? The plan should be well-defined, concise and rehearsed. Much like a fire drill, all employees of your organization should be aware of the procedures and how to act almost instinctively. And, while levels of urgency will depend on the severity and scale of the breach, there are standard operating procedures to follow during those crucial first 24 hours.

Diagnose the Situation
Businesses need to swiftly and accurately diagnose the severity of a breach. Has a corporate device been stolen? Has a server been compromised? Have you been hit by a distributed denial of service (DDoS) attack? Once the threat has been properly identified, activate the controls you put in place beforehand: in the case of a stolen laptop, for instance, a company would use the embedded endpoint technology it already deployed to remotely delete the data, track the stolen device, or cut its connection to the corporate network. Decide in advance which response fits which case, since a remote wipe also destroys whatever evidence the device held.

Assign Roles
This is the stage where roles need to be assigned among your team to address legal and containment issues. Your organization must also appoint somebody with sound communication skills and thorough knowledge of the problem to interact with the relevant stakeholders.

Document the analysis & investigation
Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data that has been compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for these reasons but so the root cause can be identified and prevented from recurring. Once that is established, ensure that several people in the organization can liaise with anyone who may be concerned about the breach, including business partners, customers, or other third parties.
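The "properly collected and logged" part is where most first-day evidence handling goes wrong: an artefact that was never hashed at intake cannot later be shown to be unchanged. The script below is an added example, not code from the article or from Absolute Software, of an evidence intake manifest with a chain of custody. It assumes (my assumptions, not the article's) that evidence arrives as files on disk, that SHA-256 is the integrity hash, and that the manifest is a JSON document; the case id, collector names and sample log content are constructed for illustration.

```python
"""Evidence intake and chain-of-custody manifest.

Added example, not code from the article or from Absolute Software. Assumptions (mine,
not the article's): evidence arrives as files on disk, SHA-256 is the integrity hash,
and the manifest is a JSON document listing every artefact and every custody event.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(case_id):
    """One manifest per incident; case_id is whatever the team uses to track the breach."""
    return {"case_id": case_id, "created": _now(), "items": []}


def add_evidence(manifest, path, collector, description):
    """Record an artefact at intake: hash it once, log who collected it and when.

    The hash recorded here is the reference every later verification is checked against,
    so copy onto write-protected or read-only storage before calling this.
    """
    entry = {
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "description": description,
        "custody": [{"event": "collected", "by": collector, "at": _now()}],
    }
    manifest["items"].append(entry)
    return entry


def record_custody(manifest, sha256, event, by, note=""):
    """Append a custody event (handover, copy, analysis) to the item with this hash."""
    for item in manifest["items"]:
        if item["sha256"] == sha256:
            item["custody"].append({"event": event, "by": by, "at": _now(), "note": note})
            return item
    raise KeyError(f"no evidence item with sha256 {sha256}")


def verify_evidence(manifest):
    """Re-hash every item and report ok / mismatch / missing so tampering or loss is visible."""
    results = []
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            results.append((path, "missing"))
        elif sha256_file(path) != item["sha256"]:
            results.append((path, "mismatch"))
        else:
            results.append((path, "ok"))
    return results


def save_manifest(manifest, path):
    """Write the manifest and return its hash; recording that hash somewhere the
    investigation team cannot quietly edit (a ticket, a signed email) is what makes
    the log itself tamper-evident."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def demo():
    """Walk through intake, handover and verification on a constructed sample file."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    with open(log_path, "wb") as f:
        f.write(b"hello")  # constructed sample content, not a real log
    manifest = new_manifest("IR-EXAMPLE-001")  # hypothetical case id
    entry = add_evidence(manifest, log_path, "on-call analyst", "auth log from affected host")
    record_custody(manifest, entry["sha256"], "handover", "forensics lead", "for timeline analysis")
    before = verify_evidence(manifest)
    with open(log_path, "ab") as f:
        f.write(b"!")  # simulate an unrecorded change to the artefact
    after = verify_evidence(manifest)
    manifest_hash = save_manifest(manifest, os.path.join(workdir, "manifest.json"))
    return entry, before, after, manifest_hash


if __name__ == "__main__":
    entry, before, after, manifest_hash = demo()
    print(entry["sha256"], before, after, manifest_hash)
```

Run it and the second verification reports a mismatch for the altered file, which is exactly the signal you want when a copy of a log has been touched after collection. The manifest records who held each artefact and when, so the people liaising with customers, partners or regulators can state what was collected and show that it has not changed since.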

Review your response
Once the threat has been identified, contained, and analyzed, and you are certain it is safe to do so, you can bring your systems back up. It is at this point that you need to review your response and your existing policy to establish what was handled well and what should be improved for the future.

Learn from your experience
You’ve made it through the first 24 hours, but more work needs to be done. Threats to your data do not remain static. They are in a constant state of flux and require your business to stay ahead. Here are three suggestions for applying what you’ve learned from the experience to improve your existing procedures:

  1. Assess where you are, and where you aren't, in compliance with every regulatory body that governs your business.
  2. Implement a regular, robust security audit. Quarterly is typical, but whatever the interval, audit your data security measures on a fixed schedule rather than only after an incident.
  3. Educate your staff. Employees are often the weakest link in the organization, so what is expected of them and what the risks are should be reinforced regularly.

At the end of the day, you will never achieve a position where you are completely immune from a data breach. However, you can ensure, through policy and practice, that your business is ready to respond in an appropriate fashion to contain the attack.

As Legal Counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year ...
Comments

PivotalWriting, 6/24/2016 2:22:20 PM
Seems that this post has been copied
It appears that a substantial amount of this post's content has been used in a post at information-age[dot]com/technology/security/123460074/step-step-guide-first-24-hours-data-breach