How to survive a data breach
In the past two years, LinkedIn, eHarmony, Twitter, Adobe and, most recently, Target have suffered data breaches that together exposed more than 120 million accounts. Moreover, the companies that fall victim to these breaches always appear the same way: hobbled, slowed down, and completely vulnerable for days and possibly months as their name is splashed across the media. A data breach may be an even bigger calamity for the individuals whose data has been exposed to cybercriminals, to the press and, possibly, to malicious and ill-wishing acquaintances. Identity theft is a growing problem, and one that is inadequately policed. Individuals whose personal and/or financial data has been breached can find that their credit histories are compromised, and may have to spend years and substantial sums clearing their names.
However, perhaps the most disturbing thing about data breaches is that hacking is not new. The movie Hackers came out in 1995, and its manifesto stated “You may stop me, but you can’t stop us all.” Fast forward 19 years and nothing has changed. Companies know hackers exist, communities know hackers exist, and even Hollywood knows hackers exist. So why are major companies that deal with sensitive data every day, companies that understand the risks and consequences of mishandling cybersecurity, so often left exposed by these breaches?
Those organizations that have a tried and tested procedure in place for dealing with data breaches will not only put themselves in a better position to adhere to the emerging Australian data breach legislation but, more importantly, will enable themselves to win back some respect from the customers whose data has been breached.
How does a data breach happen?
Research into the root causes of data breaches and security breaches, gathered from the Verizon State of Software Security Report, reveals three main causes of data breaches:
- Benevolent insiders
- Targeted attacks
- Malicious insiders
In many cases, breaches are caused by a combination of these factors. For example, targeted attacks are often enabled inadvertently by well-meaning insiders who fail to comply with data or security policies, which can lead to a data breach.
However the breach occurs, there are three important elements to surviving a data breach:
- Assessment and containment
- Notification of breach
- Evaluation and response
Assessment and containment
Data security breaches will require not just an initial response to assess and contain the situation but also a recovery plan including, where necessary, damage limitation. This will often involve input from specialists across the business such as IT, HR and legal and, in some cases, contact with external stakeholders and suppliers.
Consider the following:
- Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources.
- Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.
- Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of backup systems to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts.
- Where appropriate, inform the police.
Assessing the risks
Some data security breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. An example might be where a laptop is irreparably damaged but its files were backed up and can be recovered, albeit at some cost to the business. While these types of incidents can still have significant consequences, the risks are very different from those posed by the theft of sensitive credit card holder data.
The most important consideration is an assessment of the potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen. The following points are also likely to be helpful in making this assessment:
- What type of data is involved?
- How sensitive is it?
- What has happened to the data?
- If data has been lost or stolen, are there any protections in place such as encryption?
- Regardless of what has happened to the data, what could the data tell a third party about the individual?
- How many individuals’ personal data are affected by the breach?
- Who are the individuals whose data has been breached? Are they staff, customers, clients or suppliers?
- What harm can come to those individuals?
- Are there wider consequences to consider such as a risk to public health or loss of public confidence, or trust, in an important service you provide?
Notification of breaches
Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse. Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan that includes consideration of whether to notify affected individuals and the Office of the Australian Information Commissioner (OAIC). In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified.
However, informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.
There are a number of different ways to notify those affected, so consider using the most appropriate one. Always bear in mind the security of the medium as well as the urgency of the situation.
- Your notification should at the very least include a description of how and when the breach occurred and what data was involved.
- When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.
- Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.
- You might also need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.
Evaluation and response
It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it. If the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing ‘business as usual’ is clearly not acceptable. Similarly, if your response was hampered by inadequate policies or a lack of a clear allocation of responsibility then it is important to review and update these policies and lines of responsibility in the light of experience.
You may find that existing procedures could lead to another breach and you will need to identify where improvements can be made. The following points are worth considering:
- Make sure you know what personal data is held and where and how it is stored. Dealing with a data security breach is much easier if you know which data are involved. Unfortunately, in the case of credit cards the data can be stored in many places within an organisation and be hard to find. In cases like this a credit card discovery tool is a powerful remediation device.
- Establish where the biggest risks lie. For example, how much sensitive personal data do you hold? Do you store data across the business or is it concentrated in one location?
- Risks will arise when sharing with or disclosing to others. You should make sure not only that the method of transmission is secure but also that you only share or disclose the minimum amount of data necessary. By doing this, even if a breach occurs, the risks are reduced. Network Security Management tools and tokenisation reduce the risk substantially here.
- Identify weak points in your existing security measures. For example, the use of portable storage devices, public access to private networks when offering free Wi-Fi, mobile payments, unsecured POS devices, and BYOD all increase the risk.
- Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice.
- Consider whether you need to establish a group of technical and non-technical staff to discuss ‘what if’ scenarios; this would highlight risks and weaknesses as well as giving staff at different levels the opportunity to suggest solutions.
- If your organisation already has a Business Continuity Plan for dealing with serious incidents, consider implementing a similar plan for data security breaches.
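Two of the points above, the credit card discovery tool and tokenisation, are worth seeing in working form. The following Python script is an added example written for this page, not a tool the article describes or a product's code. It scans text lines for candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn checksum to cut false positives such as order numbers, reports them masked to the first six and last four digits, and then shows the minimisation step: replacing each real PAN with an opaque token held in a vault. The regex, the TokenVault class and the sample file contents are all constructed for the example; a production vault would be a separate, hardened service rather than an in-memory dictionary.

```python
"""Toy cardholder-data discovery scanner with tokenisation (hypothetical example)."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash.
# Look-arounds stop us from matching the middle of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the BIN (first 6) and the last 4 digits, as in a PCI-style display mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str     # file or system the line came from
    line_no: int    # 1-based line number within that source
    masked: str     # masked PAN, never the full number, so the report itself is safe to store


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Discovery step: report every Luhn-valid card number found in the given lines."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, n, mask_pan(digits)))
    return findings


class TokenVault:
    """Minimal in-memory token vault (constructed for the example; not a real product)."""

    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN always maps to the same token so downstream systems can still correlate.
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)   # random, carries no information about the PAN
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def tokenize_line(line: str, vault: TokenVault) -> str:
    """Minimisation step: replace each Luhn-valid PAN in a line with a vault token."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


# Constructed sample content: one 16-digit order id (fails Luhn), two well-known
# publicly documented test card numbers (pass Luhn) and a phone number (too short).
SAMPLE_FILE = """\
order_id=1234567890123456 customer=jane
card=4111 1111 1111 1111 exp=12/26
note: refund to 5555-5555-5555-4444 approved
phone=0412345678
"""

if __name__ == "__main__":
    for f in scan_lines("constructed.txt", SAMPLE_FILE.splitlines()):
        print(f"{f.source}:{f.line_no}: found card {f.masked}")
    vault = TokenVault()
    for line in SAMPLE_FILE.splitlines():
        print(tokenize_line(line, vault))
```

Running the script reports the two real card numbers (masked) on lines 2 and 3 and skips the order id and phone number, then prints the same lines with the card numbers replaced by tokens. The discovery output deliberately contains only masked values so the inventory you build from it does not become a new copy of the data you are trying to find.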
There is no one-size-fits-all remedy for surviving a data breach, but common themes apply to most breach scenarios. Identifying a group of people responsible for reacting to reported breaches of security is a great start, and having a security technology partner to work side by side with them may be the difference between merely surviving and thriving.