Data security is one of the most important priorities for businesses around the world. However, just as a physical security system can only deter thieves, cybersecurity solutions and measures can only deter, not necessarily prevent, an attack. No set of security measures is infallible, so data breaches are a matter of when, not if. Most businesses are vulnerable to a breach and are expected to be prepared for such an event to ensure business preservation and continuity. Recent examples such as the Equifax breach, Russian hacking of the US grid and Iranian hacking of 300+ universities in the US and abroad certainly add to the urgency of having a post-breach plan.
Smit Kadakia, Chief Data Scientist and Co-founder of Seceon (also a machine learning expert), and I were recently chatting about what organizations must do, not only to protect themselves but also to have a well laid-out plan of action should they get breached. According to Smit, “It is prudent for an enterprise to put together a well-marinated action plan with minimal impact to the organization’s employees, customers and partners.” He suggested a five-step approach that businesses today must perform post-breach to minimize risk and to handle and report the incident responsibly.
Figure 1: Actions that a business must perform post-breach for responsible handling and reporting
First and foremost, the highest-priority datasets and their specific content must be identified at the same time as any cybersecurity measures are implemented; this should not be an afterthought once a breach has occurred. Assessing the damage will entail working through all of your important data assets in order of priority. Stakeholders must be apprised of the breach and continually updated on the findings. Stakeholders must also have a plan for internal communication and, where required, for external communication.
Second, containment must be done swiftly and in parallel with the damage assessment and stakeholder communication. The time elapsed between the attack and containment largely determines the amount of damage a business will incur, so containment should preferably happen in or near real time. Methods of containment include moving the infected assets to a quarantine area, halting the backup process to stop the infection spreading into backups, blocking the external attacker, and disabling the credentials the attacker is using. Networking devices, endpoint security tools or an authentication service can each accomplish part of such containment. However, a unified security solution that can manage all of these disparate controls will speed up containment and be more effective.
Once the breach is detected, recording the details is absolutely necessary to manage post-breach and post-containment fallout. It is highly recommended to maintain encrypted records of your security posture off-site so that the records themselves are not compromised. The records must include details such as the specific actions taken to isolate the effect of the breach on valuable data, the specific impact, the time of the breach, the duration of the breach, the effectiveness of the containment, the communication employed and the audience feedback. These details will help not only in presenting to stakeholders, customers and regulatory authorities but also in performing a retrospective for improved future preparation.
Third, business continuity is of paramount importance and can be achieved through means such as a failover infrastructure architecture, disaster recovery sites, off-site backup/restore methods, application of a patch, etc. Contemporary hybrid and cloud infrastructures typically allow an almost instantaneous switchover to a different, unaffected location for accessing critical data while the breach is being investigated and addressed. Preparation must include detailing the steps and assigning responsibilities to ensure a smooth transition. The goal is to ensure that mitigation against future attacks strikes a good balance between the short-term quick fix and the long-term exposure of the business.
Fourth, most industries have to comply with their specific regulatory authorities. For example, businesses dealing with patient data in the US must comply with HIPAA regulations. Maintaining continuous compliance with these regulations and archiving audit records will minimize the effects of the damage. The plan must also designate responsibility for reporting to law enforcement. Law enforcement activities should be recorded and reported to preserve the image of the business. Regulations such as GDPR require breach reporting, and records of that reporting, in order to stay compliant.
Fifth, one of the key objectives of post-breach operations is to mitigate the risk. The 2018 Cost of a Data Breach study conducted by the Ponemon Institute states, “The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days”. The risk associated with a breach is directly related to the time taken to identify it. The best security protection can only be achieved by a solution and a staff that strive for near real-time threat detection and containment.
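The breach record described above (actions taken, impact, time and duration of the breach, containment effectiveness, communications) and the two metrics this section turns on (time to identify, time to contain) can be captured in one tamper-evident structure. The following is an added example written for this page, not code from the article or from Seceon; the incident id, timestamps, asset names, the 203.0.113.7 address and the signing key are all constructed for the demo. It keeps records in a SHA-256 hash chain with an HMAC so that an edited, re-ordered or middle-deleted entry is detected on verification; encrypting the sealed entries at rest in the off-site store is assumed to be handled by the storage layer and is not shown.

```python
"""Tamper-evident post-breach incident record with time-to-identify and
time-to-contain metrics. Added example (not from the article); stdlib only."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta

# Constructed demo key. In practice the signing key lives outside the possibly
# compromised network (KMS/HSM) so a tampered record cannot simply be re-signed.
RECORD_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64  # digest the first record chains to


@dataclass
class IncidentRecord:
    """Fields the article lists for a breach record."""
    incident_id: str
    breach_start: str              # ISO-8601 UTC, best estimate of first attacker activity
    detected_at: str               # when the breach was identified
    contained_at: str | None = None
    affected_assets: list[str] = field(default_factory=list)
    containment_actions: list[dict] = field(default_factory=list)
    impact: str = ""
    communications: list[dict] = field(default_factory=list)

    def add_action(self, when: str, kind: str, target: str, effective: bool) -> None:
        """Record one containment step (quarantine, credential disable, block) and whether it worked."""
        self.containment_actions.append(
            {"at": when, "kind": kind, "target": target, "effective": effective}
        )


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def dwell_time(rec: IncidentRecord) -> timedelta:
    """Time to identify: estimated breach start to detection."""
    return _ts(rec.detected_at) - _ts(rec.breach_start)


def time_to_contain(rec: IncidentRecord) -> timedelta | None:
    """Detection to containment; None while containment is still open."""
    if rec.contained_at is None:
        return None
    return _ts(rec.contained_at) - _ts(rec.detected_at)


def seal(rec: IncidentRecord, prev_digest: str = GENESIS) -> dict:
    """Serialize the record and chain it to the previous entry: SHA-256 over
    (previous digest + body), then an HMAC over that digest with RECORD_KEY."""
    body = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_digest + body).encode()).hexdigest()
    mac = hmac.new(RECORD_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_digest, "body": body, "digest": digest, "mac": mac}


def seal_chain(records: list[IncidentRecord]) -> list[dict]:
    entries, prev = [], GENESIS
    for rec in records:
        entry = seal(rec, prev)
        entries.append(entry)
        prev = entry["digest"]
    return entries


def verify_chain(entries: list[dict]) -> bool:
    """False if any entry was edited, re-ordered, or removed from before the end."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev:
            return False
        digest = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if digest != e["digest"]:
            return False
        expected = hmac.new(RECORD_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False
        prev = digest
    return True


def build_sample_record() -> IncidentRecord:
    """Constructed timeline for the demo; not from any real incident."""
    rec = IncidentRecord(
        incident_id="INC-0001",
        breach_start="2018-03-01T08:00:00+00:00",
        detected_at="2018-03-05T10:30:00+00:00",
        contained_at="2018-03-05T12:00:00+00:00",
        affected_assets=["db-primary", "file-server-02"],
        impact="customer contact records read; no evidence of exfiltration",
    )
    rec.add_action("2018-03-05T10:45:00+00:00", "quarantine_host", "file-server-02", True)
    rec.add_action("2018-03-05T11:00:00+00:00", "disable_credential", "svc-backup", True)
    rec.add_action("2018-03-05T11:10:00+00:00", "block_external_ip", "203.0.113.7", True)
    rec.communications.append(
        {"at": "2018-03-05T13:00:00+00:00", "audience": "executives", "feedback": "acknowledged"}
    )
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print("time to identify:", dwell_time(rec))   # 4 days, 2:30:00
    print("time to contain:", time_to_contain(rec))  # 1:30:00
    chain = seal_chain([rec])
    print("chain verifies:", verify_chain(chain))
```

Appending each sealed entry to the off-site store as it is produced gives the retrospective a record whose ordering and contents can be checked later, and the two timedeltas are exactly the figures the Ponemon study reports in aggregate, measured for your own incident.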
Customers must be completely on board with the security readiness. That readiness must encompass both prevention of attacks and post-breach management. Customer communication must be fully transparent about the security and integrity of their data, set expectations for what happens should a breach occur, and thereby minimize surprises during post-breach management.
In conclusion, security operations should be run like a management system and, in that respect, automation to detect and respond quickly will play a very important role. Such a solution gives a business a good chance of effectively managing post-breach scenarios. Thus, a wide variety of tools is not necessarily the answer. A more comprehensive solution, good preparation and goal-oriented security management will likely be a much more effective approach.