Do you have a data breach incident response plan?

This blog has been updated to reflect industry updates. Originally published 6 August 2018.

Under the EU GDPR (General Data Protection Regulation), organisations must respond to a serious data breach within 72 hours of becoming aware of it.

This places a significant burden on organisations; after all, taking the appropriate measures to comply with the law while simultaneously dealing with the collateral impact of a breach is no picnic!

According to the Ponemon Institute Cost of a Data Breach Study 2018, one in four organisations will suffer a data breach in the next two years. This shows how important it is to have a data breach response to deal with cyber security incidents.

What is a data breach response plan?

A data breach response plan is a set of actions that help organisations detect and respond to incidents in a fast, planned and coordinated manner.

This will include technical measures, such as anti-malware software and data encryption, and policies and processes for staff to follow.

An effective plan reduces the financial and reputational damage associated with a breach and helps you comply with the GDPR.

But despite the proven effectiveness of data breach response plans, the PwC Global Economic Crime and Fraud Survey 2018 found that only 30% of organisations have a plan in place.

Implementing a plan can be a challenge, but that’s no reason not to avoid responsibility. The first step is to know what you’re getting yourself into.

Top 10 challenges when implementing a data breach response plan

CREST (the Council of Registered Ethical Security Testers) has outlined the top 10 challenges of data breach management:

1.Identifying a suspected cyber security incident.

The longer your organisation is exposed to a vulnerability, the more damage can be caused. As a result, spotting a data breach promptly can be the difference between a moderate disruption and a disaster.

This is why information security risk assessments are so important. They help you detect weaknesses and inform your decisions regarding how to address them.

2. Establishing the objectives of an investigation and a clean-up operation.

It’s obviously important to get up and running as soon as possible after a breach, but this should be a coordinated effort. You must review what caused the incident, and set goals for what you’re aiming to achieve. You might ask, for example, when or whether customers need to be notified, or whether a system needs to be at full capacity before it can go back into use.

3. Analysing all available information related to the potential cyber security incident.

Potential breaches (or reviews into incidents that already occurred) will generate a lot of raw data. You need to not only know how to use that information but also have adequate personnel and resources to disseminate it.

4. Determining what has actually happened.

Data breaches aren’t always clear-cut. Sure, sometimes you’ll find a smoking gun in the form a malware injection, but often it’ll take time to piece together what went wrong. Until you figure this out, you won’t be able to review your network for similar mistakes.

5. Identifying what systems, networks and information (assets) have been compromised.

It’s hard to know whether the breach you’ve identified is the full extent of the damage. A cyber criminal might have launched multiple attacks or leveraged their way into other parts of your organisation. As such, you’ll need to take the time to investigate the incident and review anything that could have been compromised.

6. Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted.

It’s not only compromised systems, networks and assets that you need to identify. You must also investigate the information within those systems.

7. Finding out who caused the breach and why.

Most breaches are random attacks by crooks looking for financial gain, but some incidents will target you specifically, such as political attacks or those caused by malicious insiders.

8. Working out how the breach happened.

This is the fundamental question all organisations must be able to answer if they are to prevent future attacks. It’s all well and good stopping this incident, but if you don’t know how to address the root cause, it won’t be long before you’re back where you started.

9. Determining the potential business impact of the cyber security incident.

You need to know the financial implications of the breach so you can plan for the long-term. The cost of recovery and the loss in productivity will affect your revenue and may well affect your ability to meet deadlines.

Meanwhile, estimating the financial damage of a breach will inform your data breach response budget and your decision about cyber security insurance.

10. Conducting a sufficient investigation using forensics to identify those responsible.

Not all organisations will have the capabilities to conduct a forensic investigation, and those that do may not be familiar with the process. However, the process can be essential for discovering clues that could bring the perpetrators to justice.

How to overcome those challenges

CREST offers several tips to help organisations improve their understanding of data breach response management and their ability to manage security incidents.

Its first recommendation is to follow the advice and guidance provided on government websites, such as the NCSC’s tens steps to cyber security and the CPNI’s first responders guide, as well as other publicly available guides, such as ENISA’s Good Practice Guide for Incident Management.

It also suggests attending conferences or training courses to gain a close-up look at the specifics of cyber incident response management. This gives you the chance to engage in discussions, take part in workshops and ask experts to clarify any questions you have.

You might also consider working with threat intelligence sharing feeds. This is essentially a way for organisations to team up in the fight against cyber crime, with industry professionals contributing to a central registry discussing threats they’ve faced.

It’s particularly useful for alerting organisations about new criminal campaigns and techniques, such as a variation on a phishing scheme. As soon as one organisation faces the threat, they can alert others, who can pre-empt the attack.

Are you prepared for a disaster?

Anyone looking for specific advice on how to respond to a security incident should take a look at our data breach survival guide.

It lays out the six key steps that you must take to respond to a security incident in line with the GDPR’s requirements and explains how you can reduce the impact of a breach and gather the necessary disclosure information as quickly as possible.

You might also be interested in the GDPR data breach support service.

The GDPR data breach support service helps you respond to a data breach quickly and in line with the GDPR’s requirements, allowing you to get back to business as usual with minimal disruption.

Find out more >>

No Responses