Steps to take in a security event
Businesses around the world continue to be plagued by a high number of security breaches. The larger the business, and the more confidential data it houses, the bigger the risk.
Despite companies having solid security policies and procedures in place, augmented by myriad best-in-class security solutions, there’s always the danger that an attacker will find the one weakness in the security chain, and just like that, your business can be compromised, and crucial customer data exposed, putting your bottom line and reputation in serious danger.
Just look at the damage done to online fine payment platforms after a database containing sensitive personal data of South African citizens leaked online. The data contains the names, ID numbers, cellphone numbers, email addresses, and plain-text passwords of 934,000 South Africans.
Robert Brown, CEO of DRS, a Conosec AB company, says no matter how much money organisations throw at security solutions, preventing every data breach is impossible. “It’s the way you handle a catastrophe of this nature that really matters.”
He says waiting to develop a response plan to a breach until one happens is leaving it too late. The best way to ensure you survive a data breach is to carefully plan your approach and response before an event takes place.
“Planning ahead is vital. Begin by assigning a strong response team, made up of all stakeholders, to take responsibility for creating and carrying out plan should a breach occur. This should include representatives from top management, IT, legal, risk management, privacy, marketing, and customer service,” he says.
Following this, craft and maintain an incident response plan that clearly defines how to handle a security incident, including what data to collect about the breach and who needs to be notified in the event. “Should a breach occur, the response team is your first point of call. The plan can be adjusted for the event at hand, and the plan put into motion.”
The technical team will be able to pinpoint the source of the incident, whether it was caused by a firewall with an open port, a piece of malicious code, spear-phishing, or a drive-by download, and will isolate or take the affected system offline, says Brown.
“When the threat has been contained, bring a team of outside experts and penetration testers to perform thorough testing to make sure that all the fixes in place are doing the job, as well as uncover any additional vulnerabilities that could be exploited,” he adds.
Following this, bring forensic experts on board to perform a root cause analysis to ensure the problem doesn’t happen again. “Employing forensics to rigorously analyse traffic and locate anomalies can take the guesswork out of the occasion, and stop the problem happening again.”
The next step is to perform risk and impact analysis. “Businesses who handle sensitive information have to notify regulatory bodies, and affected parties should the information be compromised. A thorough risk assessment will allow the business to determine whether these notification rules apply to the incident in question. It would take into account various factors, including the sensitivity of the data, whether the information was actually accessed or exfiltrated, and whether that data was protected by tools such as encryption which would lessen the risk of specific data exposure.”
Should parties need to be notified, the business must know who needs to be contacted, and by when. “Find out what needs to be disclosed. Sometimes notifications have to include a description of the event, the types of information involved, as well as what the company is doing to minimise damage, investigate the breach, and prevent future incidents.”
Finally, remember that your response plan isn’t a static document. “It must be fluid, and constantly re-evaluated to move with the times. Look at the plan, and your policies, and update it along with human resources movements within the business, new technologies, and of course any new threats out there.”
While security events are inevitable, they don’t have to be catastrophic for your business, Brown says. “By having a plan in place, you can respond instantly to an attack, and take immediate steps to contain any damage, notify any affected parties, and maintain a good reputation with your stakeholders.”