Risk
9/5/2012
11:36 AM
50%
50%

How To Handle A Data Breach: 5 Tips For SMBs

AntiSec's' Apple UDID dump points out why small and midsize businesses should revisit their plans for handling a customer data breach.

Another day, another massive data breach.

Tuesday's news that AntiSec has published 1 million Apple Unique Device Identifiers (UDIDs) online--from a trove of 12 million such UDIDs--joins a long list of large-scale data breaches involving customer information. Other recent cases include the LinkedIn password breach and the Dropbox hack.

High-profile examples like these generate the headlines, but similar, smaller-scale breaches can happen to SMBs with alarming ease. AntiSec claimed those 12 million UDIDs were pilfered from a FBI agent's laptop, after all--if that's true, do your employees stand a chance? (The FBI denied AntiSec's claim.)

If you ask Craig Spiezle, executive director and president of the Online Trust Alliance, even security-conscious SMBs should treat customer data breaches as a when-not-if proposition.

"If [SMBs] collect sensitive data, they need to face the inevitable fact that they will have a data-loss incident, whether that's a breach, a lost USB stick, or a stolen computer," Spiezle said in an interview. Adopting that mindset isn't a pessimistic approach; it's a pragmatic one, according to Spiezle, because it leads to better planning and smarter, faster decisions.

[ For more SMB security tips, see 5 Flame Security Lessons For SMBs. ]

So the question is: How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.

1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing--and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. "I've gone through a lot of breach responses with companies where people are literally sitting around a table saying 'I had no idea we were doing that,'" Spiezle said. That can exponentially complicate matters when a data-loss event occurs--you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.

The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.

2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer--much less an entire compliance staff--or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.

Alas, while there are vendors that can help, there's no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. "It is a very complex issue, and [it] again underscores the importance of pre-planning," he said.

Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it's much better to do this when you don't already have a problem--it's tough to get the best terms if you're negotiating at 3 a.m. on a Saturday after a breach has already occurred.

3. Who Will You Notify? Knowing who you'll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. "This might be partners, customers, [or] government agencies," Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.

4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it's a case-by-case decision. With law enforcement or other government agencies, it's usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don't want them to find out from the media or other external sources. On the other hand, you don't want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.

5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1--it's tough to accurately message a breach if you don't know what data you had in the first place. If you've got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.

An additional benefit: You're likely to communicate more clearly if you're writing when things are running smoothly than in the panicked aftermath of a breach. "I've seen several companies that have emails already written, Web pages ready to go, and they just have to add and populate the specifics," Spiezle said.

OTA offers a sample notification letter and related resources in its free Data Protection & Breach Readiness Guide, which Spiezle said will be updated next month.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kurt Johnson
50%
50%
Kurt Johnson,
User Rank: Strategist
9/25/2012 | 9:29:35 PM
re: How To Handle A Data Breach: 5 Tips For SMBs
We at Courion agree with the five tips you identify for handling a data breach, however, SMBs can also take steps to keep valuable data secure. This was the topic of one of our recent blogs (http://tinyurl.com/8k2nf2v). In the blog, we discuss findings from The Hartford Small Business Data Protection Survey issued in June of this year. The survey highlights eight data protection "best practices" business owners have adopted to help reduce an organization's risk of a breach:

1. Lock and secure sensitive customer, patient or employee data - 48 percent
2. Restrict employee access to sensitive data - 79 percent
3. Shred and securely dispose of customer, patient or employee data - 53 percent
4. Use password protection and data encryption - 48 percent
5. Have a privacy policy - 44 percent
6. Update systems and software on a regular basis - 47 percent
7. Use firewalls to control access and lock-out hackers - 48 percent
8. Ensure that remote access to their company's network is secure - 41 percent

Many of these best practices focus on a companyGÇÖs greatest risk. By understanding and managing these risks, particularly the risk associated with user access to sensitive company information, in real time, business owners can protect against a loss event.
kledoux
50%
50%
kledoux,
User Rank: Apprentice
9/6/2012 | 7:55:00 PM
re: How To Handle A Data Breach: 5 Tips For SMBs
These are great tips for handling a breach, and itGÇÖs always important to have a crisis plan in place, but itGÇÖs also important to do everything in your power to prevent such an attack from penetrating your network. ItGÇÖs easy to get caught up in hype of these high-profile breaches, but by being predictive in your approach to security you can better allocate resources to identify and manage the real threats. At CORE Security, IGÇÖve written quite a bit about this on our blog, check out one of our posts on predictive security here: http://blog.coresecurity.com/2...
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-5367
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.