Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/5/2012
11:36 AM
50%
50%

How To Handle A Data Breach: 5 Tips For SMBs

AntiSec's' Apple UDID dump points out why small and midsize businesses should revisit their plans for handling a customer data breach.

Another day, another massive data breach.

Tuesday's news that AntiSec has published 1 million Apple Unique Device Identifiers (UDIDs) online--from a trove of 12 million such UDIDs--joins a long list of large-scale data breaches involving customer information. Other recent cases include the LinkedIn password breach and the Dropbox hack.

High-profile examples like these generate the headlines, but similar, smaller-scale breaches can happen to SMBs with alarming ease. AntiSec claimed those 12 million UDIDs were pilfered from a FBI agent's laptop, after all--if that's true, do your employees stand a chance? (The FBI denied AntiSec's claim.)

If you ask Craig Spiezle, executive director and president of the Online Trust Alliance, even security-conscious SMBs should treat customer data breaches as a when-not-if proposition.

"If [SMBs] collect sensitive data, they need to face the inevitable fact that they will have a data-loss incident, whether that's a breach, a lost USB stick, or a stolen computer," Spiezle said in an interview. Adopting that mindset isn't a pessimistic approach; it's a pragmatic one, according to Spiezle, because it leads to better planning and smarter, faster decisions.

[ For more SMB security tips, see 5 Flame Security Lessons For SMBs. ]

So the question is: How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.

1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing--and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. "I've gone through a lot of breach responses with companies where people are literally sitting around a table saying 'I had no idea we were doing that,'" Spiezle said. That can exponentially complicate matters when a data-loss event occurs--you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.

The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.

2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer--much less an entire compliance staff--or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.

Alas, while there are vendors that can help, there's no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. "It is a very complex issue, and [it] again underscores the importance of pre-planning," he said.

Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it's much better to do this when you don't already have a problem--it's tough to get the best terms if you're negotiating at 3 a.m. on a Saturday after a breach has already occurred.

3. Who Will You Notify? Knowing who you'll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. "This might be partners, customers, [or] government agencies," Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.

4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it's a case-by-case decision. With law enforcement or other government agencies, it's usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don't want them to find out from the media or other external sources. On the other hand, you don't want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.

5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1--it's tough to accurately message a breach if you don't know what data you had in the first place. If you've got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.

An additional benefit: You're likely to communicate more clearly if you're writing when things are running smoothly than in the panicked aftermath of a breach. "I've seen several companies that have emails already written, Web pages ready to go, and they just have to add and populate the specifics," Spiezle said.

OTA offers a sample notification letter and related resources in its free Data Protection & Breach Readiness Guide, which Spiezle said will be updated next month.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kurt Johnson
50%
50%
Kurt Johnson,
User Rank: Strategist
9/25/2012 | 9:29:35 PM
re: How To Handle A Data Breach: 5 Tips For SMBs
We at Courion agree with the five tips you identify for handling a data breach, however, SMBs can also take steps to keep valuable data secure. This was the topic of one of our recent blogs (http://tinyurl.com/8k2nf2v). In the blog, we discuss findings from The Hartford Small Business Data Protection Survey issued in June of this year. The survey highlights eight data protection "best practices" business owners have adopted to help reduce an organization's risk of a breach:

1. Lock and secure sensitive customer, patient or employee data - 48 percent
2. Restrict employee access to sensitive data - 79 percent
3. Shred and securely dispose of customer, patient or employee data - 53 percent
4. Use password protection and data encryption - 48 percent
5. Have a privacy policy - 44 percent
6. Update systems and software on a regular basis - 47 percent
7. Use firewalls to control access and lock-out hackers - 48 percent
8. Ensure that remote access to their company's network is secure - 41 percent

Many of these best practices focus on a companyGs greatest risk. By understanding and managing these risks, particularly the risk associated with user access to sensitive company information, in real time, business owners can protect against a loss event.
kledoux
50%
50%
kledoux,
User Rank: Apprentice
9/6/2012 | 7:55:00 PM
re: How To Handle A Data Breach: 5 Tips For SMBs
These are great tips for handling a breach, and itGs always important to have a crisis plan in place, but itGs also important to do everything in your power to prevent such an attack from penetrating your network. ItGs easy to get caught up in hype of these high-profile breaches, but by being predictive in your approach to security you can better allocate resources to identify and manage the real threats. At CORE Security, IGve written quite a bit about this on our blog, check out one of our posts on predictive security here: http://blog.coresecurity.com/2...
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...