Data breach! How prepared are you?
- FOCAI
- Feb 2, 2020
- 6 min read
Updated: May 8, 2020
When you're attacked would you know what to do? Having an effective Incident Response Plan and a well-prepared team is vital for any business hoping to survive a breach.

Systems unusually slow, or you can't access resources you usually can? A company laptop has disappeared, or a customer calls fearing identity theft? Pop-ups and redirected websites when browsing? Locked-out accounts? These may or may not be signs that you’ve been attacked or even suffered a data breach, so what do you do?
Ideally, the very first thing to do is not to panic, but instead to immediately rally your incident response team and enact your incident response plan. Unfortunately, a recent global survey carried out by the Ponemon Institute found that:
39% of SMBs have no incident response plan in place
Whilst a report by insurance firm Hiscox identified that:
65% of small businesses failed to act following a cyber security incident
These are shocking statistics when you consider that having an effective incident response plan in place, and acting upon it, largely determines how quickly - if at all - a business can recover from a breach. The sooner a business recognises it has been compromised and does something about it, the better its chances of limiting the impact and surviving.
Incident Response Management
Incident response management is the process of having an appropriately skilled team in place, with a well-practiced plan to efficiently deal with all incidents that might detrimentally affect the business. How ready and prepared is your business to act upon signs that your systems and defences have been compromised?
It's important for us to make sure we're on the same page with terminology.
Event: Any observable occurrence in a system or network. Adverse events are those with a negative consequence, such as system crashes, DDoS attacks, unauthorised use of system privileges, unauthorised access to sensitive data, and execution of malware that destroys data.
Incident: A violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices that has significant potential to lead to: Negative impact on the company's reputation; Inappropriate access to personal data, customer data, research data; Loss of intellectual property or funds.
Breach: a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual not authorised to do so.

5 Steps of Incident Management:
PLAN
PREPARE
DETECT
RESPOND
RECOVER
It may seem obvious, but for your business to be able to effectively respond to an incident requires planning, preparation and practice.
Step 1. Plan
An effective incident response plan provides a clear set of instructions to help staff detect, respond to and recover from a security incident such as cybercrime, data loss or service outages that threaten the normal operations of a business. The main goals of an incident response plan are to:
Reduce the time to detect an incident
Reduce the time to contain an incident (thereby limiting the possible impact)
Speed up recovery.
Firstly we need to:
Identify critical assets. Determine the critical assets of the business (people, systems and data). Prioritise them based on impact to the business if the asset was lost or compromised.
Identify and evaluate threats and measures. What are the most likely threats to these assets? Do you have sufficient failover or backup in the event that an asset (people, systems or data) is unavailable? Do you have suitable measures in place to prevent unauthorised access to the assets, ensuring their confidentiality and integrity and their availability to authorised people?
Step 2. Prepare
Companies with small security budgets typically make easy targets, yet small businesses have been guilty of complacency, wrongly believing that they were too small and insignificant to be targeted, especially since the larger enterprises, with the treasure troves of commercial and personal data they hold, appear to be far more natural targets for attackers. However, as a report from Ponemon shows, many are painfully discovering that they were wrong: 66% of small and medium-sized businesses globally (with a headcount of <100 to 1000 staff) were attacked in the first half of 2019. This was a marked increase on the 2018 figures, and the outlook is expected to rise again for 2020.
Businesses should prepare for WHEN an attack comes. It's no longer a case of IF. To prepare, businesses must be ready with processes that orchestrate the efforts of a hand-picked team all working to the same plan.
Build Incident Response Processes. From the moment the business is alerted to suspicious or unusual behaviour, through escalation, containment and recovery.
Assemble an Incident Response Team (IRT). This will typically include staff with the following functions: Legal, Management, Technical Management, HR, Marketing/PR, Risk Management, Business leaders, Business Continuity Planning and a Project Manager.
Formalise an Incident Response Plan and make sure that everyone, at all levels in the company, understands their roles.
Within the incident response plan, make sure to:
List and define roles and responsibilities for the incident response team members.
Include a business continuity plan.
Summarise the tools, technologies, and physical resources required.
List any critical network and data recovery processes.
Structure a communications plan, for both internal and external audiences.
In order to ensure this results in an effective response, this plan must be well-practiced by the Incident Response Team. With each practice run, gaps and process bottlenecks can be identified and remedied. There will be tough decisions that need to be made in a timely manner and having leadership with the right level of authority (or at least able to gain authorisation quickly) is essential.
Step 3. Detect
Some will argue that detection has overtaken prevention in importance, as attackers seem to consistently penetrate even the defences of larger enterprises despite their huge security budgets and corresponding myriad of tools to prevent this from occurring.
However, with the right approach, smaller businesses can be better prepared than many larger enterprises, as they can be more agile and quicker to respond. Prevention technologies are fundamental, but it is a security-aware culture that will enable smaller businesses to detect and react to threats more quickly.
Detect incidents. There are 3 main sources of alerts to a possible incident: end users (staff or customers) reporting suspicious activity or abnormal system behaviour; external parties such as partners or suppliers warning that they have been attacked, or suspect that you have been; and system alerts indicating anomalies in system behaviour. Without a fully-fledged security operations centre (SOC) that runs 24/7/365 security monitoring and response, smaller businesses will depend upon their staff to raise the alarm about any suspicious behaviour.
Each business is different and has its own unique challenges and risk appetite. The security posture of a company (including what security measures are taken and what level of risk is acceptable) has to be individually profiled and defined. Depending on this, it may be worth considering a managed security service, or certain technologies like Endpoint Detection and Response (EDR) as well as honeypot/deception technologies. Training programmes that develop and reinforce security behaviours in your staff are critical, however, as staff will effectively be your business's human firewall (if something is suspicious – report it).
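The third alert source above, system alerts, is the one a small business can automate cheaply without a SOC. As an added example (not code from the original article), the script below runs a simple detection rule over constructed SSH authentication log lines: five or more failed logins from one source address within ten minutes raises a "brute_force" alert, and a subsequent successful login from that same source raises a "success_after_failures" alert, which is the case that warrants immediate response. The hostnames, usernames and addresses are made up; the line format mimics OpenSSH's sshd messages in a syslog-style auth log.

```python
"""Detection rule over SSH-style auth log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd messages of interest. Syslog lines carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window trigger an alert

# Constructed sample log: a password-guessing run from 203.0.113.7 that ends in a
# successful login, plus ordinary activity from 192.0.2.5 that must NOT alert.
SAMPLE_LOG = """\
Feb 12 10:01:03 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51012 ssh2
Feb 12 10:01:05 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51013 ssh2
Feb 12 10:01:09 web01 sshd[2234]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Feb 12 10:01:12 web01 sshd[2236]: Accepted password for bob from 192.0.2.5 port 40122 ssh2
Feb 12 10:01:14 web01 sshd[2238]: Failed password for invalid user admin from 203.0.113.7 port 51021 ssh2
Feb 12 10:01:20 web01 sshd[2240]: Failed password for alice from 203.0.113.7 port 51030 ssh2
Feb 12 10:02:41 web01 sshd[2244]: Failed password for bob from 192.0.2.5 port 40130 ssh2
Feb 12 10:03:02 web01 sshd[2250]: Accepted password for alice from 203.0.113.7 port 51044 ssh2
Feb 12 10:03:10 web01 sshd[2252]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()


def parse(line, year=2020):
    """Return a dict for a login attempt line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Apply the sliding-window rule and return the alerts in the order raised."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failed logins
    flagged = set()               # sources that already tripped the brute-force rule
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if not ev["ok"]:
            failures[ip].append(ev["ts"])
            # Drop failures that fell out of the window relative to this event.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= WINDOW]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip,
                               "count": len(failures[ip]), "ts": ev["ts"]})
        elif ip in flagged:
            # A success from a flagged source: likely a compromised account.
            alerts.append({"rule": "success_after_failures", "ip": ip,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run_sample():
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Feeding real logs through this (for example by tailing the auth log) gives the "system alert" the article describes; the thresholds are deliberately conservative so that a single mistyped password does not page anyone, while the "success_after_failures" rule is the one to treat as an incident rather than an event.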
Step 4. Respond
This is the step that makes all the difference in defining the outcome of the attack.
Investigate and respond. Take action immediately even if you don’t know the cause of the breach or the full damage. It’s time to secure operations and fix vulnerabilities.
The immediate focus should be to identify and isolate the areas that have been affected by the attack. The aim is to prevent further exposure. Rally your incident response team to action the response plan. Try to ascertain the scope of the incident with the resources you have, being careful to manage the number of people "in the know" and what is communicated. Try to resist taking all systems offline - not only would this alert your attackers, it could also cause more damage and destroy volatile evidence (running processes, memory contents, active connections) that investigators will need.
If your internal resources are limited, or the third parties you rely on have limited expertise or experience in investigating security incidents, then it is strongly advisable to bring in an external team with expertise in forensics and experience in responding to security breaches. They will investigate the cause, understand the impact and ultimately fix the problem. Be aware that many companies that provide IT support, and are also resellers of security infrastructure, actually have very little security know-how!
It's advisable to also inform law enforcement and authorities about the attack. This can protect you legally, can help you to protect your customers, as well as limit any damage to your reputation. Remember, under the GDPR you have a responsibility to alert the relevant data protection authorities of a data breach within 72 hours of discovery. It is important that any communications are carefully managed.
GDPR: In addition to outlining how personal data must be protected, the General Data Protection Regulation also details what is expected in the event of a data breach. In such an event, as a data controller storing personal data, your business has several key responsibilities not least of which is to report the incident to your relevant supervisory authority (data protection commissioner) within 72 hours of the breach being discovered as well as possibly also having to inform the data subjects whose personal data is involved.
Step 5. Recover
Regain control, recover and learn.
Regaining control requires thorough investigation to be completed. Restoration of backups should only occur once you are certain the system is safe and the backups are fully verified to be trustworthy since attacks can also target backup systems. The larger aim is to be as certain as possible that any recovered situation is safe.
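"Fully verified to be trustworthy" is only meaningful if the verification data cannot be rewritten by the same attacker who rewrote the backups. As an added example (not code from the original article), the script below records a SHA-256 for every file in a backup set in a manifest, signs that manifest with HMAC-SHA256 under a key assumed to be held offline and away from the backup server, and refuses to approve a restore if the signature fails, a file has changed, a file is missing, or an unexpected file has appeared. The backup directory, file contents and key are constructed in a temporary directory purely for illustration.

```python
"""Verify a backup set against an HMAC-signed manifest before restoring (added example)."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(backup_dir):
    """Relative path -> hash for every regular file under backup_dir."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            entries[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return entries


def _sign(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir, key):
    """Produce the manifest at backup time; the key must then go offline."""
    entries = _listing(backup_dir)
    return {"files": entries, "hmac": _sign(entries, key)}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems). ok is True only if the manifest signature is valid,
    every listed file is present with its recorded hash, and nothing extra exists."""
    if not hmac.compare_digest(_sign(manifest["files"], key), manifest["hmac"]):
        return False, ["manifest signature invalid (manifest altered or wrong key)"]
    problems = []
    current = _listing(backup_dir)
    for rel, digest in current.items():
        if rel not in manifest["files"]:
            problems.append(f"unexpected file: {rel}")
        elif digest != manifest["files"][rel]:
            problems.append(f"hash mismatch: {rel}")
    for rel in manifest["files"]:
        if rel not in current:
            problems.append(f"missing file: {rel}")
    return (not problems), problems


def demo():
    """Constructed scenario: a clean backup verifies; an attacker then rewrites one
    file, and finally also edits the manifest without the offline key."""
    key = b"offline-key-kept-in-a-safe"  # hypothetical; never stored beside the backups
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "customers.sql"), "w") as f:
            f.write("INSERT INTO customers VALUES (1, 'example');\n")
        with open(os.path.join(d, "config.yml"), "w") as f:
            f.write("retention_days: 30\n")
        manifest = build_manifest(d, key)
        clean_ok, _ = verify_backup(d, manifest, key)

        # Tampering with backup storage (e.g. ransomware or a planted backdoor).
        with open(os.path.join(d, "db", "customers.sql"), "a") as f:
            f.write("-- planted\n")
        tampered_ok, problems = verify_backup(d, manifest, key)

        # Attacker also "fixes" the manifest hash but cannot re-sign it.
        manifest["files"]["db/customers.sql"] = sha256_file(os.path.join(d, "db", "customers.sql"))
        resigned_ok, _ = verify_backup(d, manifest, key)
    return clean_ok, tampered_ok, problems, resigned_ok


if __name__ == "__main__":
    print(demo())
```

The design point is the separation of duties: the backup server can write backups and manifests, but only the offline key can sign a manifest, so an attacker with full control of backup storage can corrupt data but cannot make the corrupted set pass verification. In practice the manifest would be written alongside each backup and the key kept with whoever is authorised to approve a restore.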
Longer-term the focus is to assess your response to the attack and your overall security posture, using the incident as a learning opportunity for both business and employees alike. The aim here is to make sure you are better prepared to prevent, detect and respond when an attack next occurs.