After the data breach

October 2016 Editor's Choice, Information Security, Security Services & Risk Management, Financial (Industry)

Once a data breach has been identified and contained, the recovery process begins. The recovery process is just as crucial as the readiness and response stages: failure to follow the correct procedures could significantly impact the company’s operating capabilities in the near and distant future. In this final of three articles, Lifars and Fortress Strategic Communications outline steps companies need to take after they contain the data breach and initiate the process of normalising business operations.

Ondrej Krehel, CEO of Lifars.
Ondrej Krehel, CEO of Lifars.

Data breach recovery is a complex process that requires appropriate, precise and coordinated procedures. In this final component of the data breach lifecycle there is a lot of attention paid to not only identify how the breach occurred, but also to implement appropriate remediation steps and strategies to ensure that the incident does not occur again. The steps to data breach recovery include:

Evan Bloom, CEO of Fortress Strategic Communications.
Evan Bloom, CEO of Fortress Strategic Communications.

1. Verify

Verify that containment and cleansing is complete. During and after a breach, indicators of compromise need to be created and listed. These indicators include malicious executables, file modifications, processes, system calls, network connections, and many other items. These are a set of qualities that can be used to identify compromised or infected devices. With these a post-breach cleanup becomes easier, although sometimes it may require a rebuild of critical devices such as database and application servers. In these cases, having backups can greatly reduce downtime.

2. Business continuity

Business continuity begins once the confirmation phase is complete. This ensures that the newly rebuilt environment is not re-infected. Once the environment has been secured to prevent further infections via known indicators of compromise, it can be restored before the remediation begins so that the business can begin running as normal. This phase is heavily dependent on the backup and disaster recovery and business continuity plans and steps that have been taken prior to the incident. If they were not sufficient or did not exist, notes should be made to improve those weaknesses for future incidents.

3. Find the weak points

After cleansing the environment, the next step is to find the weak points in the architecture that allowed the compromise. Architectural weak points are found by identifying the methods the attacker used to breach the system. If the attack came in through unsanitised input and uploaded a remote shell, then the weak point is both the application for allowing such, and the server for not detecting an upload. Using this, gaps can be filled in many areas reducing the response time in new incidents or even preventing incidents. This may include adjusting log levels, timestamps/time-syncing, changing the IR plan, updating and patching systems, implementing or deploying security tools, and/or modifying the functionality of systems.

4. Testing

Once weak points have been patched, the next remediation step is to test the new environment. The testing process should include a dedicated outside team, engineering, management, and compliance. The test is carried out in a similar manner as the attack plus some additional insight by the team to find more vulnerable areas. This will ensure that the changes have not opened up another hole and were effective. This usually includes replaying the attack vector, as well as then going for a more comprehensive test. Once it has been tested the remediation is mostly complete from the technical standpoint.

5. New policies

After the breach, compilation of new policies must occur and be implemented based on all lessons learned during the entire lifecycle of managing the breach. These will usually help create operational standards that include topics such as updating, incident response, backups, security device usage, and the like. These policies will serve as a long-term foundation for a holistic security practice. They should be retested within six months of their initial deployment to ensure the gaps have been filled.

Crisis communications usually ends when the data breach incident is deemed over and all management, investigation, cyber security, and remediation actions are complete. Reputation protection and communication, however, never end. Once the crisis is in a manageable state, the company needs to transition back to its regular public relations and reputation management activities. An effective post-crisis phase features four key strategies:

Conduct a crisis communications post-mortem

Even when a company manages crisis communications effectively during an event, some aspect of the communications process almost always emerges that calls for improvement.

This post-mortem process discovers and describes areas for improvement in crisis communications. Rich in detail, it involves input from a wide array of role players including the crisis communications and management team, the company C-suite, key employees, vendors, and partners. Key journalists the company has established relationships with can add valuable input. Customers and clients can also be surveyed via a variety of methods.

Most importantly, the company crisis communications and management plans should be revised based on the findings of the post-mortem. In addition, the plans need to be tested to ensure that they work and deliver the necessary results.

Provide the necessary support

Just because the crisis is deemed over, that does not mean the company’s responsibilities to those impacted are over as well. If customers have had information stolen, need identity theft protection or counselling, etc., the company must do everything it can to ensure that all impacted parties feel that they are being looked after. In some cases, this support may need to last for an extended period of time.

Continue to communicate

Similarly, just because the crisis is declared over, that does not mean the company should stop communicating about the crisis with all affected parties, i.e. the media, employees, and customers. If customers were directly or indirectly impacted by the breach in any way, proactive company communication must continue for the duration of the remedial action--and beyond. Messaging needs to be amended accordingly. Customers want to know that the company is still looking after them and they want to know specific steps the company is taking in response to the incident.

Some companies may choose to share a case study of how the crisis was handled with key business and trade media. This action achieves two important objectives: it demonstrates to the media and stakeholders how well the business handled the crisis, and it defines and clarifies lessons the business learned and incorporated into future plans. Regular public relations should be resumed, and the company should be prepared to deal with ongoing media questions pertaining to the crisis.

Continue to monitor stakeholders

Companies should continue to monitor media comment, customer opinion, and communications from other stakeholders. Media comment can be monitored via a media monitoring solution along with reviewing key publications on a daily basis. If any irregularities or inaccuracies are identified, the responsible publication/journalist must be contacted and persuaded to issue immediate corrections and amendments. In addition, customer sentiment can be monitored in the social media universe and in call centres. Any inaccuracies, discrepancies, and incorrect perceptions need to be addressed quickly and appropriately. Stakeholders such as shareholders, investors, and employees should be contacted for insight and listened to carefully so the company has an enterprise-wide understanding of the perception challenges it may be facing.

Managing a data breach must be seen as more than simply having a plan to ‘deal with things when they arise’. Data breach management is an integrated process that consists of three distinct phases, all with their own appropriate and flexible plans of actions and messaging. A company that is prepared for a data breach will have a significant upper hand in the management of the crisis and in the highly sensitive communication during the crisis. Their ability to respond intelligently and responsibly will ultimately impact their reputation and the perception of their company, its brand, reputation, and the products, goods, and services it has on offer.

In these times, it is not a case of if there is a data breach, it is a case of when. The best approach to handling a data breach is to be ready with a rapidly implementable plan of action and have well-versed external consultants available to help guide the company through the critical event.

For more information, please visit: www.fortresscomms.com and www.lifars.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SA’s private security industry receives multi-million USD investment
News & Events Security Services & Risk Management
South Africa's private security sector has attracted significant international attention, with the world’s largest tactical flashlight manufacturer, Nextorch, announcing a major investment in its local operations, Nextorch Africa.

Read more...
SSG Holdings acquired by Fidelity Services Group
News & Events Security Services & Risk Management
Fidelity Services Group has successfully acquired a majority shareholding in SSG Holdings. The acquisition builds on Fidelity’s track record of strategic expansion, including previous high-profile acquisitions.

Read more...
Data resilience at VeeamON
Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
Get the AI fundamentals right
Editor's Choice Surveillance AI & Data Analytics
Much of the marketing for CCTV AI detection implies the client can just drop the AI into their existing systems and operations, and they will be detecting all criminals and be far more efficient when doing it.

Read more...
The role of drones in farm protection
Agriculture (Industry) Security Services & Risk Management
Laurence Palmer reminds us of the role drones play in agricultural security and offers a free security risk assessment template for downloading (link at the end of the article).

Read more...
SMART Surveillance Conference in Johannesburg
Editor's Choice Surveillance Security Services & Risk Management Logistics (Industry) AI & Data Analytics
SMART Security Solutions hosted its annual SMART Surveillance Conference in Johannesburg in July, welcoming several guests, sponsors, and speakers for an informative and enjoyable day examining the evolution of the surveillance market.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Your Wi-Fi router is about to start watching you
News & Events Surveillance Security Services & Risk Management
Advanced algorithms are able to analyse your Wi-Fi signals and create a representation of your movements, turning your home's Wi-Fi into a motion detection and personal identification system.

Read more...
South African fire standards in a nutshell
Fire & Safety Editor's Choice Training & Education
The importance of compliant fire detection systems and proper fire protection cannot be overstated, especially for businesses. Statistics reveal that 44% of businesses fail to reopen after a fire.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.