I witnessed an exchange between a senior-level corporate executive charged with his company’s data security and a security practitioner who asked him, as a briefing opener, “What are your company’s plans for addressing a data breach?” The executive replied, “Working at my local gas station.” The speaker dutifully chuckled and then said, “No, really - what is your corporate breach procedure?” The executive responded, “That’s not an option. I have a friend who owns a gas station not far from my house, and should my company be breached, I’ll be working for him the following day.”
You may be thinking (as did I at the time) that our hapless security officer was just trying to lighten the mood. And like me, you'd be wrong. I won’t elaborate as this executive did, but suffice it to say he appeared completely serious, providing entirely too much information about his exit strategy, should it come to that. Since then I’ve thought long and hard about the issue.
Those in our business whose job it is to identify the signs of breach and provide technology to mitigate it know that a breach is not necessarily (and usually is not) catastrophic. But ignoring the skull and crossbones on the bottle won’t make the poison any less deadly. Pretending a breach can’t happen is likely only to exacerbate its effects.
Protecting our businesses and systems against breach with human and technical measures is table stakes. Preparing to respond to a data breach, like any other contingency or business continuity planning, is simply best practice. It's unfortunate that the latter remains 'the unthinkable' to so many, as evidenced by the following Groundhog Day scenario:
- Week 1 (Company Spokesman) “The system compromised was an ancillary system containing no personally identifiable information."
- Week 4 (Company Spokesman) “We've determined that a small number of email addresses were leaked and we've notified the affected individuals. There is no evidence of further compromise."
- Week 8 (Company Spokesman) "Our authentication system was apparently compromised and we've reset the affected accounts and notified account holders. Our systems are now secure."
- Week 10 (New spokesman) "Acme Inc. deplores the illegal and criminal theft of user accounts and business data, and is recommending its customers and business partners reset their passwords and contact our hotline should they notice any unusual account activity."
- Week 12 (a Business Journal) "Acme Inc. shares continue to fall on further reports revealing the scope of last quarter's data breach and its management's apparent inability to address the fallout in an open, timely, and forthright manner."
The bottom line is aptly articulated by Brian Lapidus, COO of the Cybersecurity & Information Assurance practice of Kroll:
“Establish a comprehensive breach preparedness plan that will enable decisive action and prevent operational paralysis when a data breach occurs.”
Not quite the head-in-the-sand approach of our executive friend.
That data breaches occur is unsurprising. The trend indicates they will increase in both frequency and magnitude. Does your disaster recovery plan include a defined procedure to classify and deal with a data breach? Has it been tested? Do you perform at least annual 'dry runs'? If so, thank you. If not, why not?
Here is but a sampling of practice guidelines to help you get started: