Many prominent corporations endured database breaches in 2015. Unfortunately, 2016 will be no different. With cyber security threats on the rise, the adage of “not if, but when” holds truer than ever. Businesses of all types, including financial service companies, should take significant steps now to mitigate harm and protect their stakeholders, their reputations, and possibly their very existence. In this first of three articles, LIFARS and Fortress Strategic Communications LLC look at ways companies can prepare themselves to identify, address, and recover from database breaches.
Data breach incident response plans can, if properly implemented and tested, save your business in the most critical of moments. The importance of proper preparation cannot be overstated. Managing a cyber security incident versus simply “surviving it” makes a major difference in the resulting impact on business. A well-structured, holistic cyber security incident response plan will help manage a seemingly unmanageable scenario. When dealing with privileged and confidential information, time is of the essence and being prepared always delivers superior results.
The most important action in any incident response plan is to identify the so-called 'crown jewels' – the most valuable data (or assets) critical to the operation of your business. Without knowing what you are protecting, it’s very hard to effectively do so. Defining your crown jewels is key. Each organisation has different crown jewels, but they are typically substantially similar within a given industry.
Once identified, it’s necessary to become familiar with the environment – knowing precisely where on your network they are located and which users have access to them. It is also necessary to establish where 'ownership' of the data assets resides. This entity will be fully responsible for the data and will be the point of contact during an incident response.
Lastly, it is necessary to establish baselines for critical data security processes and controls. This will help detect any intrusions in a timely manner and provide a solid starting point for the incident response or digital forensics investigation.
Technical handling of the data breach
Early detection is crucial for an effective cyber security incident response. Time is money and this holds especially true for data breaches and their impact on business. Advanced Persistent Threats are now common and difficult to detect. Fortunately, there are new technologies available that can speed up the mean time to detection – including advanced malware detection, from Cyphort, next-gen SIEM technology like LIFARS TIMS, and advanced endpoint protection, such as EnCase, and many others.
Detecting a breach is only part of the story; an effective incident response is equally important. The emergency incident response team needs to respond swiftly and with striking precision. This can only be achieved if the team of responders is a dedicated internal team or a retainer-based team with a SLA-specified guaranteed response time. A retainer-based incident response (IR) team must have an in-depth knowledge of your environment and a strong connection to the internal IT teams. The responsibilities of the internal and external teams must be clearly defined prior to an incident. The external IR team has to be well informed about the persons responsible for various assets and systems within the network. As an example, the IR team must know who has the necessary privileges to the access logs. Having to search for that person at the time of a breach can take a long time and can become very costly.
To better prepare for the various situations that might arise (i.e. DDoS, ransomware, insider data breach, etc.), it is important to conduct tabletop exercises and explore the various possible threats and ways to mitigate them. Tabletop exercises are an important tool that provide a high-level estimate of the success of handling a given cyber security incident situation. To ensure the best results, find the time to prepare properly for the exercise and give a lot of thought to the various options available. It’s best to involve multiple departments and parties to have a more complete understanding of the emergency scenario. The legal department, in particular, is a crucial part of any data breach tabletop exercise.
Before conducting a tabletop exercise, it is important to let all of the participants know what the rules of the exercise are, otherwise some parties involved might get frustrated and not want to attend future exercises. Various industry organisations and the government provide resources and information for tabletop exercises. In most cases, organisations also benefit from having an external cyber security company conduct the exercise. This helps deliver objectivity and brings a new perspective and ideas to the table, along with past experiences. Lastly, the exercise should always be as wide reaching as possible to encompass the plethora of various options available.
Test the plan
After completing the tabletop exercises, it is advisable to perform a test of the incident response plan. The test could vary in scope and intensity. Some cyber security companies offer incident response tests by realistically simulating a cyber attack – for example by launching a spear phishing campaign followed by an attempt to breach the network and access critical data. This type of test can push the IT security team to the limits, but the results are always positive. Any gaps are revealed and the overall efficiency of the plan is tested and can be improved upon, fortifying your defences in the process.
When developing a data breach incident response plan, decision makers need to make safeguarding the company’s reputation top priority. Failing to do so could potentially lead to severe implications for their business.
Reputation protection commences long before any cyber security incident or crisis arises. Unfortunately, pre-crisis readiness is often either neglected altogether or approached solely from a crisis planning perspective. In fact, crisis planning is just one of several responsible steps a proactive business should implement; all elements of business planning should serve as integrated components of a larger reputational management strategy. Three key communication steps are essential to crisis readiness.
1. Implement an internal communications campaign.
Internal communications are a core component of both strategic public relations and crisis communications. When a critical event occurs at a company and it spills over to the media, journalists often approach employees for more information. While companies need to have enforceable media policies in place that clearly delineate who can and cannot speak to the media, policies are no guarantee that employees will not talk to the media when pressured, as is seen in articles regularly attributing quotes to 'someone close to the company' and 'anonymous sources'.
Companies should implement a robust internal communications campaign that internally delivers the same messaging that is disseminated to external stakeholders, including the media. Strong internal communications keep employees motivated and invested in the well-being of their company. Informed employees have greater trust in their employers and their company and can serve as excellent brand custodians. When they feel involved in and committed to their company, they are more likely to share factual, honest and accurate information.
With a consistent communications framework in place, when a crisis breaks, critical messages and information can be communicated with minimal lag time and a reduced risk of error. Regularly informed employees have easy access to uniform messaging. As a result, when employees are contacted by journalists, they will be prepared to respond appropriately and direct the media to the company spokesperson. Even if they decide to break with company communications policy, at least they will have access to the same consistent messaging as everyone else.
2. Invest in a public relations campaign.
Investing in public relations lays a strong foundation for a proactive communications campaign in the event of a crisis. More often than not, during a crisis, a company will communicate with its regular media, i.e. trade and various vertical media, as well as general news and investigative journalists. When a crisis breaks, journalists who have received regular company communication about new product launches, deal announcements and bylined thought leadership articles will by default understand the company better and can write with more authority and clarity about the business.
Informed journalists are less likely to make a factual error when covering a crisis. Correcting inaccuracies in news articles in the midst of a crisis can cause additional headaches that can be avoided by building solid media relationships ahead of time.
An effective public relations campaign entails more than simply sending out company news and generating a bit of social media activity. It must also include relationship building among key publications, journalists, C-suite executives, and the company spokesperson who will lead the public face of the company during a crisis. Building the critical components of trust, respectful relationships, and clear communication when business is running smoothly will help companies reap immeasurable benefits when the going gets rough.
An excellent public relations plan goes beyond media relations to include stakeholder communication via content marketing and social media communications through relevant channels and platforms. A monitoring component for print, video, and social media can serve as an early warning system to correct misconceptions before they get out of hand and address developing issues and trends as quickly as possible.
3. Formulate an enterprise-wide crisis communications plan.
Many companies create crisis plans based on a simple template, often downloaded from the Internet. However, crises do not follow templates. They occur at inconvenient times with varying levels of intensity and unpredictable twists and turns.
A vulnerability and risk audit can determine risks, threats, and anticipated impacts a business may be susceptible to. Such an audit facilitates resource planning, and, if done correctly, it can prevent the dreaded secondary crisis, which often emerges out of a primary crisis.
The crisis plan should include the usual suspects: a list of crisis team members and their roles and responsibilities, contact details and a call tree, core messaging, strategies and policies, etc. The plan must designate a specific spokesperson to lead all internal and external crisis communications. The company spokesperson should be media trained and provided with a yearly refresher course. Most importantly, the crisis plan must be tested, exercised and then updated for continuous improvement.
Preparing for a data breach is fundamental to ensuring a company’s vitality and sustainability. Proactive readiness helps a company respond more quickly and reduces potential reputation damage. With the ongoing news of companies and government agencies being hacked across the country, customers and partners now expect organisations to take the responsible steps of identifying where they are vulnerable and implementing the necessary plans and processes to respond accordingly. Just as when responding to a fire or a flood, time is always of the essence in a data breach, therefore well thought-out preparation is essential.
In the next article we will look at what steps a company needs to take to manage and communicate during a cyber security event.
© Technews Publishing (Pty) Ltd | All Rights Reserved