Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

1/31/2017
10:30 AM
John Bruce
John Bruce
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Things Companies Must Do Before A Data Breach

It's important to plan ahead for when you're attacked, and these tips will help you get ready.

As attacks become more complex, more damaging, and more frequent than ever, the quality of your response becomes critical to limiting the impact. In fact, a strong incident response (IR) function saves an average of $400,000 in damages per data breach, according to the Ponemon Institute, in research sponsored by IBM Resilient. 

The new Cyber Resilient Organization study by the Ponemon Institute showed security teams are striving to build stronger and more proactive incident IR programs — but clearly, they have some serious challenges. Two-thirds of IT and security professionals aren't confident in their organization's cyber resilience. And three-quarters of them don't have a cybersecurity IR plan in place that's applied consistently across their organization.

The study also suggested key guidance for increasing cyber resilience: improved planning and preparation. Successfully resolving and mitigating a cyberattack requires fast, intelligent, and decisive action. You need to have a plan in place to know what to do before an attack happens, and, as importantly, practice executing it.

When it comes to the plan, here are three things to include and tips on how to prepare before an attack occurs.

1. Identify and Involve Internal Collaborators
IR is an organization-wide priority, with many business units playing a critical role in successfully resolving an attack. Legal, HR, and finance teams must be involved to ensure compliance with regulations, and understand liabilities in case of a breach or when you're facing an insider attack. In the worst cases, the marketing department and the organization's executives may need to step in to address the media.

During an incident, security leaders should coordinate with these parties as needed, providing specific guidance on the nature of the incident, what's being asked of them, and when they need to act. For example, in the case of a ransomware attack, who makes the decision whether to pay the ransom or determine the business value of the data being ransomed?

Before an incident occurs, involve these groups in the IR planning process. Get their input early — and let them know what will be expected of them. It's also smart to include them in simulations and exercises, to ensure they're primed to act when needed.

2. Enable Investigation into the Full Scope of the Attack
This might seem like an obvious step, but in today's world of advanced persistent threats and targeted campaigns, truly understanding the extent of an attack can be difficult. 

The emergence of threat intelligence gives security teams a strong weapon in gaining context about incidents. By leveraging the indicators of compromise; tactics, techniques, and procedures; and other artifacts of an incident, analysts can discern if an attack is a singular incident or part of a larger campaign against you. Threat intelligence also helps you understand the identity of the adversary and their goal: Is the adversary a single attacker, part of an organized crime group, or a state actor? Is the target intellectual property, customer information, or employee information? By understanding these aspects of the attacks, you can more accurately determine the scope of your challenge and whom to involve.

3. Map Out the Regulatory Ramifications
The regulatory impact of a breach can be one of the costlier aspects of a successful attack. It's no surprise, but the Ponemon Cost of a Data Breach study showed that more heavily regulated industries,  including healthcare and finance, incurred higher data breach costs.

The challenge boils down to two factors: complex and inconsistent regulations, and tight deadlines. For any incident, it's important to get your legal team involved early, and provide team members with the details they need to make fast and accurate decisions.

Being prepared for this is going to be even more critical in the future. The EU's impending data breach law — the General Data Protection Regulation — is among the widest-sweeping global privacy regulations we've seen. It doesn't come into effect until 2018, but smart organizations are preparing, planning, and assessing their ability to comply today.

Incident response is the most human-centric security function,  more so than prevention and detection. Bringing people process and technology together as a cohesive whole when needed is critical.

By taking steps today to develop, practice, and refine IR processes, teams will be much better able to successfully manage and mitigate the damage when they inevitably occur.

Related Content:

John Bruce is a seasoned executive with a successful track record of building companies that deliver innovative customer solutions, particularly in security products and services. Previously chairman and CEO of Quickcomm, an Inc. 500 international company headquartered in New ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NAOVI
50%
50%
NAOVI,
User Rank: Apprentice
1/31/2017 | 12:03:29 PM
Data breach article
Great post I will look out for more of your work. It's is great for a cleint we have. Cheers 
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...