Data breach readiness

June 2016 Editor's Choice, Cyber Security

Many prominent corporations endured database breaches in 2015. Unfortunately, 2016 will be no different. With cyber security threats on the rise, the adage of “not if, but when” holds truer than ever. Businesses of all types, including financial service companies, should take significant steps now to mitigate harm and protect their stakeholders, their reputations, and possibly their very existence. In this first of three articles, LIFARS and Fortress Strategic Communications LLC look at ways companies can prepare themselves to identify, address, and recover from database breaches.

Data breach incident response plans can, if properly implemented and tested, save your business in the most critical of moments. The importance of proper preparation cannot be overstated. Managing a cyber security incident versus simply “surviving it” makes a major difference in the resulting impact on business. A well-structured, holistic cyber security incident response plan will help manage a seemingly unmanageable scenario. When dealing with privileged and confidential information, time is of the essence and being prepared always delivers superior results.

Ondrej Krehel, CEO of LIFARS LLC.

Information assets

The most important action in any incident response plan is to identify the so-called 'crown jewels' – the most valuable data (or assets) critical to the operation of your business. Without knowing what you are protecting, it’s very hard to effectively do so. Defining your crown jewels is key. Each organisation has different crown jewels, but they are typically substantially similar within a given industry.

Once identified, it’s necessary to become familiar with the environment – knowing precisely where on your network they are located and which users have access to them. It is also necessary to establish where 'ownership' of the data assets resides. This entity will be fully responsible for the data and will be the point of contact during an incident response.

Lastly, it is necessary to establish baselines for critical data security processes and controls. This will help detect any intrusions in a timely manner and provide a solid starting point for the incident response or digital forensics investigation.

Evan Bloom, CEO of Fortress Strategic Communications.

Technical handling of the data breach

Early detection is crucial for an effective cyber security incident response. Time is money and this holds especially true for data breaches and their impact on business. Advanced Persistent Threats are now common and difficult to detect. Fortunately, there are new technologies available that can shorten the mean time to detection – including advanced malware detection from Cyphort, next-gen SIEM technology like LIFARS TIMS, advanced endpoint protection such as EnCase, and many others.

Detecting a breach is only part of the story; an effective incident response is equally important. The emergency incident response team needs to respond swiftly and with striking precision. This can only be achieved if the team of responders is a dedicated internal team or a retainer-based team with an SLA-specified guaranteed response time. A retainer-based incident response (IR) team must have an in-depth knowledge of your environment and a strong connection to the internal IT teams. The responsibilities of the internal and external teams must be clearly defined prior to an incident. The external IR team has to be well informed about the persons responsible for various assets and systems within the network. As an example, the IR team must know who has the necessary privileges to the access logs. Having to search for that person at the time of a breach can take a long time and can become very costly.

Tabletop exercise

To better prepare for the various situations that might arise (e.g. DDoS, ransomware, insider data breach, etc.), it is important to conduct tabletop exercises and explore the various possible threats and ways to mitigate them. Tabletop exercises are an important tool that provides a high-level estimate of the success of handling a given cyber security incident situation. To ensure the best results, find the time to prepare properly for the exercise and give a lot of thought to the various options available. It’s best to involve multiple departments and parties to have a more complete understanding of the emergency scenario. The legal department, in particular, is a crucial part of any data breach tabletop exercise.

Before conducting a tabletop exercise, it is important to let all of the participants know what the rules of the exercise are, otherwise some parties involved might get frustrated and not want to attend future exercises. Various industry organisations and the government provide resources and information for tabletop exercises. In most cases, organisations also benefit from having an external cyber security company conduct the exercise. This helps deliver objectivity and brings a new perspective and ideas to the table, along with past experiences. Lastly, the exercise should always be as wide reaching as possible to encompass the plethora of various options available.

Test the plan

After completing the tabletop exercises, it is advisable to perform a test of the incident response plan. The test could vary in scope and intensity. Some cyber security companies offer incident response tests by realistically simulating a cyber attack – for example by launching a spear phishing campaign followed by an attempt to breach the network and access critical data. This type of test can push the IT security team to the limits, but the results are always positive. Any gaps are revealed and the overall efficiency of the plan is tested and can be improved upon, fortifying your defences in the process.

When developing a data breach incident response plan, decision makers need to make safeguarding the company’s reputation a top priority. Failing to do so could potentially lead to severe implications for their business.

Reputation protection

Reputation protection commences long before any cyber security incident or crisis arises. Unfortunately, pre-crisis readiness is often either neglected altogether or approached solely from a crisis planning perspective. In fact, crisis planning is just one of several responsible steps a proactive business should implement; all elements of business planning should serve as integrated components of a larger reputational management strategy. Three key communication steps are essential to crisis readiness.

1. Implement an internal communications campaign.

Internal communications are a core component of both strategic public relations and crisis communications. When a critical event occurs at a company and it spills over to the media, journalists often approach employees for more information. While companies need to have enforceable media policies in place that clearly delineate who can and cannot speak to the media, policies are no guarantee that employees will not talk to the media when pressured, as is seen in articles regularly attributing quotes to 'someone close to the company' and 'anonymous sources'.

Companies should implement a robust internal communications campaign that internally delivers the same messaging that is disseminated to external stakeholders, including the media. Strong internal communications keep employees motivated and invested in the well-being of their company. Informed employees have greater trust in their employers and their company and can serve as excellent brand custodians. When they feel involved in and committed to their company, they are more likely to share factual, honest and accurate information.

With a consistent communications framework in place, when a crisis breaks, critical messages and information can be communicated with minimal lag time and a reduced risk of error. Regularly informed employees have easy access to uniform messaging. As a result, when employees are contacted by journalists, they will be prepared to respond appropriately and direct the media to the company spokesperson. Even if they decide to break with company communications policy, at least they will have access to the same consistent messaging as everyone else.

2. Invest in a public relations campaign.

Investing in public relations lays a strong foundation for a proactive communications campaign in the event of a crisis. More often than not, during a crisis, a company will communicate with its regular media, i.e. trade and various vertical media, as well as general news and investigative journalists. When a crisis breaks, journalists who have received regular company communication about new product launches, deal announcements and bylined thought leadership articles will by default understand the company better and can write with more authority and clarity about the business.

Informed journalists are less likely to make a factual error when covering a crisis. Correcting inaccuracies in news articles in the midst of a crisis can cause additional headaches that can be avoided by building solid media relationships ahead of time.

An effective public relations campaign entails more than simply sending out company news and generating a bit of social media activity. It must also include relationship building among key publications, journalists, C-suite executives, and the company spokesperson who will lead the public face of the company during a crisis. Building the critical components of trust, respectful relationships, and clear communication when business is running smoothly will help companies reap immeasurable benefits when the going gets rough.

An excellent public relations plan goes beyond media relations to include stakeholder communication via content marketing and social media communications through relevant channels and platforms. A monitoring component for print, video, and social media can serve as an early warning system to correct misconceptions before they get out of hand and address developing issues and trends as quickly as possible.

3. Formulate an enterprise-wide crisis communications plan.

Many companies create crisis plans based on a simple template, often downloaded from the Internet. However, crises do not follow templates. They occur at inconvenient times with varying levels of intensity and unpredictable twists and turns.

A vulnerability and risk audit can determine risks, threats, and anticipated impacts a business may be susceptible to. Such an audit facilitates resource planning, and, if done correctly, it can prevent the dreaded secondary crisis, which often emerges out of a primary crisis.

The crisis plan should include the usual suspects: a list of crisis team members and their roles and responsibilities, contact details and a call tree, core messaging, strategies and policies, etc. The plan must designate a specific spokesperson to lead all internal and external crisis communications. The company spokesperson should be media trained and provided with a yearly refresher course. Most importantly, the crisis plan must be tested, exercised and then updated for continuous improvement.

Preparing for a data breach is fundamental to ensuring a company’s vitality and sustainability. Proactive readiness helps a company respond more quickly and reduces potential reputation damage. With the ongoing news of companies and government agencies being hacked across the country, customers and partners now expect organisations to take the responsible steps of identifying where they are vulnerable and implementing the necessary plans and processes to respond accordingly. Just as when responding to a fire or a flood, time is always of the essence in a data breach; therefore, well thought-out preparation is essential.

In the next article we will look at what steps a company needs to take to manage and communicate during a cyber security event.

For more information, please visit: and
