It's not a question of if but rather when a breach will occur. The number of U.S. data breaches tracked in 2014 reached a record high of 783, according to a recent report released by the Identity Theft Resource Center. While the larger incidents received most of the spotlight, exposure of even a single record still constitutes a data breach. With a 27.5 percent increase in incidents over the previous year, it's imperative for organizations of any size to develop a functional breach response plan (BRP).
The best place to start is your existing incident response plan. How do you manage a malware infection? How do you address unauthorized or elevated role privileges? Streamline your incident plan with clear IT security operational definitions, develop a detailed inventory of every asset on your network, and establish the network's entry and exit points. All of these should already exist, but you also want to look at the plan from a different viewpoint: indicators of compromise (IOCs). As a start, define IOCs for your high-value targets (HVTs), tie them to the asset inventory, and focus on keeping both up to date.
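To make the IOC-plus-inventory idea concrete, here is an added example (not code from the original article): a small IOC watchlist is matched against a few constructed log lines, hits on high-value targets are ranked first, and any host that shows up in the logs but not in the inventory is reported as an inventory gap. The hostnames, owners, addresses, hash, domain and log lines are all made up for illustration.

```python
"""Added example: IOC matching over constructed log lines, with HVT hits
ranked first and unknown hosts flagged as inventory gaps.
Every host, address, hash and log line here is hypothetical."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical asset inventory: hostname -> (owner, is_high_value_target)
INVENTORY: Dict[str, tuple] = {
    "fin-db-01": ("finance", True),      # HVT: holds cardholder data
    "hr-app-02": ("hr", True),           # HVT: holds employee PII
    "kiosk-17":  ("facilities", False),
    "dev-ws-44": ("engineering", False),
}

# Hypothetical IOC watchlist. IPs are from the TEST-NET documentation ranges;
# the hash is SHA-256 of the empty string, used only as a placeholder.
IOCS = {
    "ip":     {"203.0.113.77", "198.51.100.9"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed sample logs in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2015-02-03T10:01:02Z host=kiosk-17 dst=203.0.113.77 proto=tcp dport=443",
    "ts=2015-02-03T10:01:09Z host=fin-db-01 domain=update-check.example.net action=dns",
    "ts=2015-02-03T10:02:30Z host=dev-ws-44 dst=192.0.2.10 proto=tcp dport=80",
    "ts=2015-02-03T10:03:11Z host=lab-box-9 "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 action=exec",
]

# Which log field is compared against which IOC type.
FIELD_TO_IOC = (("dst", "ip"), ("domain", "domain"), ("sha256", "sha256"))

LOG_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    host: str
    ioc_type: str
    value: str
    hvt: bool
    line: str


def parse(line: str) -> Dict[str, str]:
    """Turn a key=value log line into a dict."""
    return dict(LOG_RE.findall(line))


def match_line(line: str) -> List[Hit]:
    """Return one Hit per IOC the line matches; case-insensitive on values."""
    fields = parse(line)
    host = fields.get("host", "unknown")
    _, hvt = INVENTORY.get(host, ("unknown", False))
    hits = []
    for field_name, ioc_type in FIELD_TO_IOC:
        val = fields.get(field_name)
        if val and val.lower() in IOCS[ioc_type]:
            hits.append(Hit(host, ioc_type, val.lower(), hvt, line))
    return hits


def scan(lines) -> List[Hit]:
    """All hits, with HVT hits first; stable sort keeps log order within a group."""
    hits = [h for line in lines for h in match_line(line)]
    return sorted(hits, key=lambda h: not h.hvt)


def unknown_hosts(lines) -> List[str]:
    """Hosts that appear in the logs but not in the inventory: the inventory is stale."""
    seen = {parse(line).get("host") for line in lines}
    return sorted(h for h in seen if h and h not in INVENTORY)


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        tag = "HVT" if h.hvt else "   "
        print(f"[{tag}] {h.host:10} {h.ioc_type:6} {h.value}")
    print("not in inventory:", unknown_hosts(SAMPLE_LOGS))
```

The point of the inventory check is that an IOC hit on a host you cannot name is worse than one on a known low-value asset: you cannot say what data it holds, who owns it, or whether it is an HVT, which is exactly the information the response team needs in the first hour.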
Before you can actually draft the plan, you need to assemble a breach response team. Create a discussion platform specifically for breach management with the key stakeholders within the organization: legal, information security, IT, risk management, privacy and compliance, and any other relevant functions. With the right charter, establish a time-boxed approach to creating a functional breach response plan that can be exercised the same way a disaster recovery or business continuity plan is.
One of the key aspects of the BRP is identifying an external legal counsel who will partner with you effectively during an active incident. Consider a counsel with experience as a breach coach, strong exposure to handling different types of security incidents, and the ability to engage collaboratively with state attorneys general and federal regulators.
Next, engage a forensics firm that not only has specific experience but also the scale and operational reach to support an organization of your size and footprint. Most importantly, establish a retainer, and use that retainer for an annual BRP exercise.
A strong crisis management team will be a crucial differentiator during an active incident. This team would ideally include your internal and external communications teams along with other stakeholders from the breach response team. Timely, precise and appropriate communication can shape how a breach is perceived, for better or for worse. Consider developing notification templates in advance and filling in the specific details during the active incident, to limit additional exposure.
Finally, cyber insurance coverage may be appropriate for your organization, and depending on your vendor and coverage it may also provide additional benefits, such as penetration tests and access to a breach coach. The only good thing about a breach is being prepared for it, and preparation comes from practice: exercise the plan regularly.
Breach Management Plan – Checklist
- Organize a breach management team before you develop a plan.
- Identify an external counsel and a breach coach.
- Retain a forensic firm that can scale as needed.
- Structure your crisis management team.
- The CISO drives regular breach management exercises to refine the plan.