“Preparing for a Data Breach Incident,” Nigel Stanley, UK Cyber Security and Compliance Practice Director


“…in this world nothing can be said to be certain, except death and taxes,” so said Benjamin Franklin in 1789.

Now we can safely add another – enduring a data breach.

Unfortunately, if you haven’t been hacked by now, you either don’t realise it, or you will eventually become a victim, almost guaranteed.

I have seen companies – both large and small – laid bare as they struggle to cope technically, managerially and emotionally with a data breach. Emotions run high and the day-to-day business gets neglected.

In my experience, very few businesses have put in place plans to deal with this inevitability. Although most have a risk register containing financial, HR and competitive threats, many forget to think about planning for a data breach.

This planning work does not need to be overly complicated. I recently wrote an information security response handbook for a client that was no more than 20 pages. Short, sweet and to the point, with lots of diagrams and flowcharts to help their thought processes at what will be a stressful time.

So what elements should be in such a handbook? Of course, it will vary depending on the organisation in question, but I like to see:

  • An introduction that simply explains the scope of the handbook and, just as importantly, what it does not cover. It is not designed to instruct users in the minute detail of digital forensics or long-term chain of custody issues; rather, think of it as a first aid manual providing lifesaving, first responder help.
  • A list of applicable policies. Without these how can you enforce HR action in response to a data breach incident? How would you know if a policy had been contravened? This is especially important in complex cases, such as those that involve employees accessing systems they should not. In this case, you should be able to evidence that a user has been explicitly told they cannot access systems that are not relevant to their job role, and therefore start the process of building a case.
  • Help for those first responders to undertake an initial assessment of an incident (like a primary survey in first aid terms) so at least they can see if there are any other larger problems looming and if the incident is a deliberate distraction created by attackers.
  • A list of trusted advisors and specialists known to the business that can be called in to help, along with their current and up-to-date contact details. Ideally, engagement terms would have already been agreed, reducing the paperwork required to get started on the work.
  • Steps that can be taken to limit any collateral impact and ensure that business as usual is maintained, wherever possible.
  • Tailored flowcharts that are customised to the business and enable them to follow appropriate and pre-planned steps in responding. These should be tried and tested, as they will form the basis of the response.

Of course, a standalone response handbook is no use unless the relevant people have been trained and tested so they are fit for purpose when an incident occurs.

Planning for a data breach need not be a long, complex and expensive process. Keeping it simple is the first step.

I am sure Benjamin Franklin would have agreed.