Data breaches are not new to the IT world, but with the recent high-profile mega breaches and the ensuing media coverage, the topic has been greatly elevated in the public consciousness and among C-suite executives. This heightened awareness has created an interesting dynamic for security professionals. On one hand, it has taken some of the heat off of IT as the primary wardens of data and, if a breach occurs, the department held culpable for the security lapse. As we have seen, chief executive officers have been, and will continue to be, held ultimately accountable for safeguarding a company's data.
On the other hand, the landscape of data breaches has broadened, so that those on the more technical side of the fence are required to have a larger understanding of how a data breach is more than a security lapse. There are touch points and ramifications that affect many departments within an organization. This extends beyond the office walls to the company's customers as well, who are the most important stakeholders to address when a breach occurs. Faced with this reality, what can organizations do to prepare and minimize the damage?
Based on our experience and observations, we've compiled five lessons from the data breach trenches – keeping in mind the IT security perspective when a breach occurs. These lessons provide guidance for managing a data breach before, during and after an incident.
First, it all starts with IT. We've learned that every sector – from banks to retailers and the health care industry – is susceptible to a data breach and when cyber criminals find vulnerabilities, they will use them time and again to attack similar industry organizations. While a data breach is inevitable, organizations can significantly reduce the costs and reputational fallout by preparing ahead of time with a strong IT security posture, chief information security officer (CISO) or outsourced IT consultant and an incident response plan. The response plan – similar to a fire drill – should be practiced and backed by a solid team which includes, in addition to IT, C-suite executives, legal counsel, forensics, breach resolution providers, public relations and human resources. An up-to-date and practiced response plan can save an organization on average $12.77 per record. Multiply that by hundreds, even thousands of records exposed in a data breach and the savings can really add up.
Second, IT's contribution to a data breach preparedness plan is important. The department can play a large role in properly preparing for a breach and driving an adequate response by outlining high-impact incidents based on the type of information the organization collects, the industry sector and the countries in which it operates. Organizations should conduct research and audit how industry peers have handled comparable breach incidents. For example, in the retail sector, evaluate recent payments breaches and then plan for similar scenarios.
Third, as part of the planning process, IT can assist with evaluating and investing in cyber insurance. The number of companies purchasing these policies continues to grow: the 2013 Betterley Report estimates that U.S. insurance companies collected $1.3 billion in annual premiums on cyber and privacy insurance policies in 2013. Investing in cyber insurance can help organizations reduce the cost of a breach and provide added benefits to a company's security posture via access to data breach experts or other valuable services. As with any investment, IT security professionals should shop around for the best deal, and it may be wise to use a broker instead of an agent who only works for one company.
Fourth, during a breach, many organizations feel pressured to communicate with their customers as soon as they discover it. This is where IT can assist in determining the status of fact finding and what information is available to communicate externally. There is no need to be hasty. Instead, when possible, complete the forensic investigation before announcing the breach so the company can communicate the most accurate information and appropriate remediation steps. While other departments such as public relations will handle the communications, IT can be helpful by distilling technical information so that notification letters to affected individuals or statements to the media about the breach can be crafted in a simple and straightforward manner.
Lastly, IT may be responsible for documentation, and its content has many implications from a legal and regulatory standpoint. Make sure to record as much information as possible about the breach and the response efforts. While customers are a key stakeholder group, communications with and compliance obligations to regulators and policymakers at both the state and federal levels should also be part of the response plan. Developing a meaningful dialogue with them, engaging openly and transparently, and providing timely answers to the questions they pose is critical to a company's long-term response strategy. All of the information collected, documented and recorded will therefore be very useful and valuable to colleagues, such as the company's legal counsel, who will be on the front lines protecting the company from fines and lawsuits.