Look out over the ramparts of cyber defense and you’ll see that there are barbarians at the firewalls, an ever-diversifying lineup of hackers, corporate spies and foreign agents hell-bent on compromising the data of your corporation. Add to that the increasing scrutiny that regulatory agencies are applying to those who “allow” their sensitive information to be compromised, and you’ve got a recipe for cyber disaster.
While outright prevention of attacks is impossible, mitigating the effects of a data breach and the reputational damage associated with is something that organizations can aspire to. That being said, it can take a considerable effort to make it happen, and it also requires that corporations embrace this challenging new reality.
At the 2014 SuperConference, the session “Primer to Cyber Security Incident Response Plan” examined exactly what corporations were up against, and tapped a number of industry experts to give their advice for developing plans to combat the issues.
In the words of Scott Vernick, partner at Fox Rothschild LLP and moderator of the panel, “looking at the 2013 statistics, 90 percent of companies reported they’ve been hacked. There are only two types of companies, those that have been hacked and those that don’t know they’ve been hacked.”
The first step to combatting a breach is putting together a preliminary blueprint, but as Vernick pointed out, tactical plans can be as much of a blessing as a curse. On the one hand, while they provide an actionable list of instructions on what to do, on the other, they can be cumbersome or restrictive when taken too literally.
For Gretchen Herault, deputy chief privacy officer at Nuance Communication, ensuring that there is wiggle room within that plan is essential. “It doesn’t have to be specific down to who does what and when, but if you’re planning for battle you have to have a plan. Granted, when that battle starts that all goes out the window and you do what comes naturally, but at least you have a starting point,” she says. “People need a script to read off of. As the situation evolved you might have to go off that script a little bit, but you need that framework to give everyone the lanes to swim in.”
Shannon Couffer, director, regulatory law, legal services and administration for Walgreens, agreed that a level of flexibility is key to a successful plan. “Breaches never happen when you have the luxury of time, they happen in the instant and you have to respond in that instant. So having a plan that anyone can pick up and run with is a strength,” Couffer says.
Regardless of how succinct or illustrative the plan turns out to be, Deitzah Raby , assistant general counsel & privacy officer, of Hill-Rom Holdings, Inc., says that the whoever is responsible for overall cyber protection needs to ensure that the key stakeholders are involved, “The two most critical groups to me are legal and the IT security group,” Raby says. “They’re most likely the ones who first become aware of the incident, whether they find it themselves or hear from external parties. If you’re not already working closely with security, it’s wise to make sure you get to know them and understand the things they work on. One you’ve confirmed the breach, then I think you need to expand the group further to include all the other stakeholders.”
But a plan of action alone is not enough to save the day from a data breach. The group agreed that identifying where the information is, and knowing inside and out what could potentially be affected is also a critical component of breach mitigation. Those in charge of protecting information should readily know, what info is where, whether or not the information was stored electronically, if it was encrypted, and whether or not it could be acquired by an unauthorized user.
And when the inevitable breach does happen, the choice to alert users should not be taken lightly, nor should offering compensation to those affected. Herault says that at a previous employer, a massive data breach resulted in the company shelling out millions to offer credit monitoring software anyone whose information had been stolen. Only one person ultimately signed up.
For more on cyber security issues, check out these stories: