
In fact, Symantec report that 40 per cent of all targeted attacks are now on smaller firms (with fewer than 500 employees).
If you are attacked and suffer a breach – what should you do? A good security breach management plan has four main elements.

1. Monitoring, containment and recovery
A good security breach management plan starts with the ability to detect whether a breach has occurred. Given that cyber threats are evolving and growing rapidly, a cyber-strategy based only on preventative controls (i.e. a firewall perimeter) is unlikely to be effective. It is essential to ensure that all key aspects of your organisation are being monitored for cyber threats as well as data loss events, so that the Board and key management can respond in an efficient and informed manner. Don’t forget third parties and Cloud service providers – Trustwave reported in 2013 that of 450 data breaches, a massive 63 per cent involved third party outsourcing providers. Reviewing your outsourcing and third party contracts, ensuring that you also receive sufficient security monitoring MI (management information) and that you have a periodic assurance process to review the security of your key third parties is essential.

2. Residual risk assessment
This stage is all about establishing the scale of the risks arising from the security breach, as well as assessing whether there are any ongoing risks that need to be managed (e.g. regulator communications). It will be important to identify the loss event particulars, including:

- What was the loss incurred – data, passwords, physical assets?
- How sensitive was the loss? – explore what another party could do with the stolen information assets;
- Securing any access and audit logs is often an important step to ensure there is a comprehensive audit trail for further ongoing assessments. This might need the skills of forensic technicians to ensure there is a robust and secure audit trail of the original systems;
- What controls were in place to limit the loss (i.e. if data was stolen, was it encrypted?); and
- If it was sensitive data – who could potentially be impacted? What could the data be used for, and could it be used to identify or impersonate an individual? If the information assets lost were passwords – what could these be used to gain access to, and do you have other compensating controls (e.g. two-factor authentication) to limit unauthorised access?
3. Notification and communications
Consider what the risk assessment tells you about who is likely to be affected by the security breach, and consider how these people are to be informed and by whom. Ensuring there is a clear and approved message is essential. A notification policy should incorporate a description of how the breach occurred, the steps you’ve taken to contain and assess the risks of the breach, and a description of the information assets that were affected. Informing key persons can be an important part of a well governed breach management plan – allowing the other parties to be aware and to provide advice where appropriate. In respect of regulators, also consider whether you have any legal or contractual obligations to report security breaches. This might include reporting to regulators, but also to your third parties, partners or customers.

4. Post event investigations