Does Your Breach Incident Response Plan Have Holes? - InformationWeek

Xuyen Bowles, Sentek Cyber

Does Your Breach Incident Response Plan Have Holes?

The likelihood of a company suffering a breach is worse than most believe. Here's a checklist for building out a plan to deal with a breach.

In 2016, the number of data breaches in the US reached a record high of 1,093, according to a study by the Identity Theft Resource Center and CyberScout. That was a 40% increase over 2015.

These statistics may seem frightening, but the reality is likely much worse. According to the researchers, the untold numbers of breaches that go undetected and unreported keep us from seeing the full scope of the problem.

These attacks take a toll on businesses. A recent study by IBM/Ponemon placed the average cost of a data breach for a U.S. company at about $4 million. The most important thing an organization can do to limit such losses is to have a breach response plan in place, and a team trained to execute it.

If your company doesn’t have an incident response plan, there’s never been a better time to establish one. We’ll examine some best practices for creating a breach incident response plan.

Create a Strong Response Team

No plan can be effective without vigilant employees tasked with specific responsibilities. The CIO should be closely involved in forming a team whose members each know their role in responding to a breach.

Such a team should include:

  • Incident Response Officer (IRO). The IRO should serve as the liaison to external partners involved in combating a breach.
  • IT Personnel. IT personnel should assess the scope of the incident, contain the damage, preserve and analyze evidence (forensics), recover data and systems, and mitigate the effects of the breach on the company and end users. Containment and recovery steps should be sequenced so that they do not destroy evidence the forensic work and legal counsel will need.
  • Legal Counsel. An attorney’s responsibility is to determine whether specific evidence can be used if the company decides to take legal action. The attorney will also advise on notification obligations and on any legal issues that may arise if a data breach impacts customers, shareholders, or vendors, who could pursue legal action.
  • Public Relations. The public relations team will assume crisis management duties in the public eye.
  • Outside Partners. Forensic and cybersecurity companies can help restore systems and remove threats. These partners, including exactly what they do and the point of contact, should be documented in the response plan.

Establish a Reporting Structure

Employees across departments must know whom to contact if they notice suspicious activity. To do that, CIOs must ensure that staffers are educated on what constitutes suspicious activity they may come across.

Document the Breach

Documenting the breach is essential both to address the attack and to respond to the fallout. It also shows the company where to improve security afterwards. Record when each item was captured: logged-on users, running processes and open connections change by the minute, and an undated snapshot is of little use to forensic analysts or counsel.

Documentation should include:

● The systems affected (host names, addresses, and owners)

● The origin of the breach

● Any malware used (file paths and hashes where available)

● The addresses of remote servers where data may have been sent

● Which users were logged on

● A list of running processes, with full command lines

● A list of open ports and the applications bound to them
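The last four items on this list are volatile: they exist only in the memory of the running host and are gone after a reboot. The following script is an added example, not code from the article or from Sentek Cyber. It gathers those items into an evidence directory, timestamps the collection, and writes a SHA-256 manifest so the record can later be shown to be unaltered. It assumes a Linux/Unix host with POSIX sh and coreutils; the host label and output directory are supplied by the handler, and ss, netstat, who and ps are used only if present.

```shell
#!/bin/sh
# Added example, not from the article. Collects the volatile items from the
# "Document the Breach" checklist (logged-on users, running processes, open
# ports and the programs attached to them, active remote connections) into an
# evidence directory and hashes the result. Assumptions: a Linux/Unix host with
# POSIX sh and coreutils; ss, netstat, who and ps are used if present.

collect_volatile() {
    host="$1"   # label for the affected system (assumption: supplied by the handler)
    out="$2"    # evidence directory (assumption: supplied by the handler)
    mkdir -p "$out" || return 1

    # Capture time first: volatile data changes by the minute, so every
    # later file is meaningful only relative to this timestamp.
    date -u +"%Y-%m-%dT%H:%M:%SZ" > "$out/collected_at.txt"
    echo "$host" > "$out/host.txt"

    # Which users were logged on
    { who 2>/dev/null || echo "who: unavailable"; } > "$out/logged_on_users.txt"

    # Running processes with full command lines, so a malware path or
    # suspicious argument list is preserved verbatim
    { ps -eo pid,ppid,user,lstart,args 2>/dev/null \
        || ps aux 2>/dev/null \
        || echo "ps: unavailable"; } > "$out/processes.txt"

    # Open ports with the owning process, plus established connections;
    # the foreign addresses here are the "remote servers" the checklist asks for
    { ss -tunap 2>/dev/null \
        || netstat -tunap 2>/dev/null \
        || echo "no socket tool available"; } > "$out/sockets.txt"

    # Hash every artifact so the record can later be shown to be unaltered
    ( cd "$out" && sha256sum collected_at.txt host.txt logged_on_users.txt \
        processes.txt sockets.txt ) > "$out/MANIFEST.sha256"
}

# Re-check the manifest later (for example before handing the record to counsel).
# Returns 0 if every file still matches its recorded hash, non-zero otherwise.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# Usage: collect_volatile web01 /mnt/evidence/web01-$(date -u +%Y%m%dT%H%M%SZ)
```

Two caveats a handler should keep in mind: the script runs the host's own ps, ss and who binaries, which a well-placed attacker may have replaced, so on a seriously suspect machine run the same commands from trusted media instead; and ss -p only shows the owning process for sockets the current user can see, so collect as root. Because this collection itself changes the host, run it before any isolation or shutdown step and note that in the record.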

Communicate Effectively

Once a data breach has been confirmed, the IRO should inform management of the steps being taken to repair the damage. Once the breach has been contained, communications should be sent to staff outlining an explanation of the event, steps being taken to fix the situation, and resulting policy changes.

Establish a Remediation Process

Written policies should be in place to guide IT actions in response to a breach, including:

● Monitoring suspicious activities

● Isolating affected systems from the network and disconnecting or blocking compromised services

● Securing affected workstations and devices as evidence. Where possible, isolate them rather than powering them off, since a power-off destroys the memory contents, running-process and connection information that forensics will need

● Contacting external cybersecurity resources

● Contacting the Internet service provider

Test Your Response Plan

The best way to test the effectiveness of the response plan is by conducting a breach simulation exercise that replicates an attack. This drill will allow your team to see how a breach unfolds in real time, and it will uncover any problems that need to be tackled.

Establishing a plan is great, but it’s only a first step. Once a plan is established, it should be examined and tested periodically, and revised if necessary. More than a third of companies that have a plan have never done this, according to a study by Experian. Don’t learn this lesson the hard way.

Xuyen Bowles, Sentek Cyber

With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security services, from penetration testing, consultancy, and training to advanced threat detection.
