
6 Steps to Building a Strong Breach Response Plan

By Michelle Drolet
7 Oct 2020

Cybersecurity resilience depends on having a detailed, thorough, and tested breach response plan in place. Here’s how to get started. 

No matter how secure your business, data breaches are an unfortunate fact of life. Whether an attack is the result of a determined cybercriminal, a disgruntled insider, or simple human error, you can limit the damage with a carefully crafted response strategy.

There’s a lot of groundwork to cover to begin building an effective strategy for coping with a breach: You need to gather relevant data, prioritize potential threats, and make sure you have solid detection capabilities in place. Then, and only then, can you start to assign responsibilities and draw up step-by-step workflows for different scenarios.

Here’s a closer look at what’s required.

Find your major risks

Before you can craft a valuable plan, you need to understand what a major catastrophe would look like for your organization. There are many types of breach, and not all data is equal in value, so dig into the scenarios that would bring your everyday business activities to a halt. Gather all key stakeholders to discuss the risks, put forward their views on what represents the biggest threat, and work towards a consensus on the top risks.

Once everyone has agreed on a prioritized shortlist, report to the board. This gives you a great starting point, but bear in mind that your list will have to be updated regularly. If you enter a new partnership, release a fresh line of services or products, hire a new member of the C-suite, or go through any other substantive change, then your major risks need to be reconsidered.

Fully map your network

IT departments find it challenging to track every device, person, and application in use across an organization at the best of times, and with the rapid rise in remote working this has become even tougher. Nevertheless, it’s crucial to have a big-picture view of your entire network. Rather than prohibiting them outright, find strategies to bring unsanctioned apps and cloud-based services into the fold securely. Create secure barriers on personal devices between employees’ personal lives and work-related data.

Assess user privileges. Try to rein in admin rights and excessive access to data where it’s not really required. Put rigid policies in place to ensure user accounts are properly closed when people depart the organization. A big part of being able to establish and retain a complete picture of your network depends on striking the right balance between caution and convenience. People must be able to do their jobs effectively, so any security policy that’s too restrictive is doomed to failure.
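As an added illustration (not part of the original article), here is a small Python access review along the lines of this step: it flags accounts that are still enabled after the owner has left, and admin rights held by roles that do not need them. The users, roles, leaver dates and the list of admin-worthy roles are all constructed for the example.

```python
"""Added example, not from the article: an access review that flags what the
"Assess user privileges" step targets. Accounts and HR records are constructed."""
from datetime import date

# Constructed directory export (hypothetical users and roles).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "role": "sysadmin"},
    {"user": "bob", "enabled": True, "admin": True, "role": "sales"},
    {"user": "carol", "enabled": True, "admin": False, "role": "finance"},
    {"user": "dave", "enabled": False, "admin": False, "role": "marketing"},
]
# Constructed HR leaver list: user -> last working day.
DEPARTED = {"carol": date(2020, 9, 1), "dave": date(2020, 8, 15)}
# Roles whose duties justify admin rights (an assumption for this example).
ADMIN_ROLES = {"sysadmin", "security"}
# Date the review is run (constructed; matches the article's publication date).
REVIEW_DATE = date(2020, 10, 7)


def review_accounts(accounts, departed, admin_roles, today=REVIEW_DATE):
    """Return (finding, user, detail) tuples for orphaned and over-privileged accounts."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Orphaned: the person has left but the account was never closed.
        if acct["enabled"] and user in departed:
            days = (today - departed[user]).days
            findings.append(("orphaned", user, f"left {days} days ago, still enabled"))
        # Excess admin: admin rights on a role that does not require them.
        if acct["admin"] and acct["role"] not in admin_roles:
            findings.append(("excess-admin", user, f"role '{acct['role']}' does not need admin"))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, DEPARTED, ADMIN_ROLES):
        print(*finding, sep="\t")
```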


Deploy strong breach detection

It’s common for data breaches to go unnoticed. A successful phishing attack or software exploit may give an attacker access, and if the breach isn’t flagged, they may be quietly present on your network for days, weeks, months, or even years. Start with the assumption that a breach may have already occurred and perform a deep scan of your network.

A continuous monitoring system is a good idea. Consider software that can detect unusual user activity and data exfiltration. Remember that you need to establish a baseline of normal behavior for this kind of software to be effective. The aim is to detect a breach in real time, to prevent it from developing, and to minimize the potential damage.
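To show why the baseline matters, here is an added Python example (not from the original article) that builds a per-user baseline of daily outbound bytes from a sample egress log and then flags days that sit far above it, which is the shape of the exfiltration check described above. The log format and every log line are constructed; a user with no baseline is flagged as well, since nothing can be judged normal without one.

```python
"""Added example, not from the article: baseline-based detection of unusual
outbound data volume per user. All log lines below are constructed."""
import statistics
from collections import defaultdict
# Constructed egress log, one "date user bytes_out" record per line.
BASELINE_LOG = """\
2020-09-01 alice 120000
2020-09-02 alice 135000
2020-09-03 alice 110000
2020-09-04 alice 128000
2020-09-01 bob 40000
2020-09-02 bob 52000
2020-09-03 bob 38000
2020-09-04 bob 45000
"""
TODAY_LOG = """\
2020-10-07 alice 131000
2020-10-07 bob 2400000
2020-10-07 eve 5000
"""

def daily_totals(log):
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    for line in log.splitlines():
        day, user, nbytes = line.split()
        totals[user][day] += int(nbytes)
    return totals

def build_baseline(log):
    """Per-user mean and population std-dev of daily outbound bytes."""
    baseline = {}
    for user, days in daily_totals(log).items():
        vals = list(days.values())
        baseline[user] = (statistics.mean(vals), statistics.pstdev(vals))
    return baseline

def detect(baseline, log, zmax=3.0):
    """Flag days over zmax std-devs above the user's baseline; unknown users are flagged too."""
    alerts = []
    for user, days in daily_totals(log).items():
        for day, total in days.items():
            if user not in baseline:
                alerts.append((day, user, total, "no baseline"))
                continue
            mean, sd = baseline[user]
            # Constant history (sd == 0): treat any increase as anomalous.
            z = (total - mean) / sd if sd else (float("inf") if total > mean else 0.0)
            if z > zmax:
                alerts.append((day, user, total, f"z={z:.1f}"))
    return alerts
```

Running `detect(build_baseline(BASELINE_LOG), TODAY_LOG)` flags bob's 2.4 MB day and eve's unknown account, while alice's slightly elevated day stays within her baseline.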


Establish a clear chain of command

The panic that a breach causes often provokes a rush to action but can also cause paralysis. The best way to avoid either issue is to lay out a clear set of responsibilities. Everyone should know who is responsible for what, and when things should happen. Most importantly, ensure that employees know who to alert first when a suspected breach is discovered.

Time is of the essence, so reporting incidents to people with the skills to assess them properly is vital. Beyond IT and security teams, it’s wise to loop in the legal team to ensure compliance, and the communications team to handle queries. As things develop, execs and the board must be kept apprised of progress and may need to weigh in with decisions.

Craft a communication strategy

After a breach, customers and business partners will be clamoring for information, internal staff will want to know what’s happening, and the press may ask for commentary or explanation. Whether it’s a major or minor breach, your reputation is at stake. Set expectations on how often statements and updates will be delivered. Clarity is vital; there should only be one voice emanating from your organization.

Ensure that your employees understand the importance of a united front for messaging after a breach and be sure that your communication strategy delineates who writes and approves messages.

Create detailed plans and test them

When a potential breach is flagged, you need a process to validate it before you bring in the incident response team. Craft clear plans for different kinds of breaches that make clear the actions that need to be taken. Present a set of prioritized steps explaining precisely what’s required. Consistency is key. Eliminate room for doubt or misinterpretation.

The only way to be sure your plans are fit for purpose is to test them. Make sure your employees are well versed in the new workflows and that communication channels work as intended. Run through exercises to test different scenarios with the relevant players and identify weak points that require further attention. To achieve real long-term resilience, you will have to continually test and improve your plan.

Breaches are sometimes unavoidable, but a strong response plan will help you minimize the disruption to business operations.

This article was originally posted on CSOOnline.