January 25, 2012
Last week, online shoe retailer Zappos experienced a massive data breach that exposed the personal information of 24 million of its customers. The incident was just the latest high-profile example of a company falling victim to digital attackers. Although data breaches at big companies make news headlines, a company doesn’t have to be large or well known to be a target of cyber criminals. Do you know what to do if it happens to your company? If your company is like most, the answer is no.
It’s time to figure it out.
Your company has spent time, money and effort purchasing security software, installing firewalls, hardening networks and educating employees to create a secure computing environment. When you were done, you likely felt safe – confident and assured because you’d followed best practices. These days, maybe you only really think about security when it’s time to apply a patch for the latest malware. Hackers will never breach your well-fortified corporate walls. Right? Unfortunately, as RSA, Zappos, Sony and many other companies will attest, a data breach can (and at some point probably will) happen. What are the first five things you should do after your company has been hacked?
After a security breach occurs, your first impulse might be to disconnect and shut down everything.
Take a moment.
You will need to contain the breach, but it’s also critical to determine the scope and root cause of the security incident. Abruptly powering down a machine could destroy important details about how attackers circumvented your security measures, since a lot of malware runs only in memory and its traces are lost the moment the power goes off.
Additionally, don’t assume that only a few machines were compromised. Unless you have strong evidence that an attack is isolated to a small set of infected computers, approach every breach as if attackers have gained access to your entire environment. Take the time to examine your network, end user workstations, mobile devices, web-based email accounts, servers and other assets for signs of an intrusion. Although this can be a time consuming process, it requires much less time and stress than handling a secondary outbreak after you’ve announced that an incident is resolved.
Once you have discovered the root cause of an issue, stop the bleeding. Your attacker is unlikely to keep the details of your security vulnerability private. If you fail to act quickly, it’s likely you will be attacked again. Block access to and from the infected machines, block any web addresses associated with the malware, disable compromised accounts and apply patches if applicable. Quickly closing the gaps in your security controls can be the difference between a negative incident and a full-scale security disaster.
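The two steps above (scoping the breach across every asset rather than just the machine that raised the alarm, then turning what you found into containment actions) can be illustrated with a small triage script. The Python below is an added example written for this page, not code from the original post or from Norman Safeground. It sweeps constructed log lines from several hosts for indicators learned during root-cause analysis, goes one step further than the text by flagging a host that received a connection from an already-flagged host as a possible pivot, and produces a containment list of hosts to isolate, accounts to disable and destinations to block. The hostnames, IP addresses, domain, hash value and log format are all constructed placeholders.

```python
"""Breach scoping and containment triage over constructed log lines.

Added example, not from the original post. Everything below (indicators,
host inventory, log lines and their format) is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed indicators of compromise from a hypothetical root-cause analysis.
IOCS = {
    "domains": {"update-cdn.example-bad.test"},
    "ips": {"203.0.113.45"},  # documentation range (TEST-NET-3), placeholder
    "hashes": {"d41d8cd98f00b204e9800998ecf8427e"},  # placeholder MD5
}

# Constructed host inventory: hostname -> internal IP.
HOST_IPS = {
    "ws-017": "10.0.5.17",
    "ws-042": "10.0.5.42",
    "ws-101": "10.0.5.101",
    "srv-db01": "10.0.1.10",
}

# Constructed syslog-style lines from several hosts (timestamp host source: message).
SAMPLE_LOGS = r"""
2012-01-20T03:14:07Z ws-017 proxy: user=jdoe dst=update-cdn.example-bad.test status=200
2012-01-20T03:14:09Z ws-017 edr: exec=C:\Temp\svchost.exe md5=d41d8cd98f00b204e9800998ecf8427e user=jdoe
2012-01-20T03:20:11Z ws-042 firewall: outbound src=10.0.5.42 dst=203.0.113.45:443 action=allow
2012-01-20T04:01:55Z srv-db01 sshd: Accepted password for svc_backup from 10.0.5.42 port 51022
2012-01-20T04:05:00Z ws-101 proxy: user=asmith dst=www.example.com status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSHD_RE = re.compile(r"for (\S+) from (\S+)")


def parse_line(line):
    """Parse one log line into a dict with host, key=value fields and any IPs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["fields"] = dict(KV_RE.findall(ev["msg"]))
    ev["ips"] = set(IP_RE.findall(ev["msg"]))
    sm = SSHD_RE.search(ev["msg"])  # sshd-style "for <user> from <ip>"
    if sm:
        ev["fields"].setdefault("user", sm.group(1))
        ev["fields"]["src"] = sm.group(2)
    return ev


def parse_logs(log_text):
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def match_iocs(ev, iocs):
    """Return (kind, value) hits for one event against the indicator set."""
    hits = []
    f = ev["fields"]
    dst = f.get("dst", "").split(":")[0]  # strip any :port suffix
    if dst in iocs["domains"]:
        hits.append(("domain", dst))
    for ip in sorted(ev["ips"] & iocs["ips"]):
        hits.append(("ip", ip))
    if f.get("md5") in iocs["hashes"]:
        hits.append(("hash", f["md5"]))
    return hits


def sweep(events, iocs, host_ips):
    """Pass 1: direct indicator hits on every host.
    Pass 2 (repeated to a fixed point): a connection whose source IP belongs
    to an already-flagged host marks the receiving host as a possible pivot."""
    findings = defaultdict(list)
    for ev in events:
        for hit in match_iocs(ev, iocs):
            findings[ev["host"]].append(hit)
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    changed = True
    while changed:
        changed = False
        for ev in events:
            src_host = ip_to_host.get(ev["fields"].get("src", "").split(":")[0])
            if src_host in findings and ev["host"] not in findings:
                findings[ev["host"]].append(("pivot_from", src_host))
                changed = True
    return dict(findings)


def containment_plan(findings, events, iocs):
    """Turn the sweep into the actions the text describes: isolate hosts,
    disable accounts seen on them, and block the malicious destinations."""
    accounts = {ev["fields"]["user"] for ev in events
                if ev["host"] in findings and ev["fields"].get("user")}
    return {
        "isolate_hosts": sorted(findings),
        "disable_accounts": sorted(accounts),
        "block_destinations": sorted(iocs["domains"] | iocs["ips"]),
    }


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    found = sweep(evs, IOCS, HOST_IPS)
    for host, hits in sorted(found.items()):
        print(host, hits)
    print(containment_plan(found, evs, IOCS))
```

The fixed-point loop in `sweep` is what makes the "assume the whole environment" advice concrete: `srv-db01` never touches a known indicator, yet it is flagged because it accepted a login from `ws-042`, which did. The plan deliberately omits `ws-101` and its user, since nothing ties that host to the incident.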
Once you have determined the nature and scope of an attack and neutralized or contained it, move forward and restore any services that were disrupted by the data breach. Restoring service and returning to normal operations should only occur after you are completely certain that the threat is contained or neutralized.
After a data breach occurs, one of the most important things you can do to restore confidence in your organization is to communicate. Openly disclosing details like scope and impact to customers, partners and suppliers almost always increases the likelihood that they will be understanding. Make it clear your company is taking the issue seriously and that you understand the root cause. Additionally, communicate the measures that have been or will be taken to prevent similar issues from recurring. Revealing the truth about a data breach may be difficult, but transparency is almost always the right approach.
In many cases, however, transparency is not a choice; it’s the law. Within the United States, forty-six states, Washington D.C., Puerto Rico and the Virgin Islands have laws that require companies to inform individuals when a data breach exposes personal information, and many states are actively attempting to expand their legislation. Several countries, like Canada, Australia and Japan, have enacted or are in the process of enacting disclosure laws. Communication requirements don’t end with governments. Industries like healthcare have additional reporting requirements.
Once the threat is identified and contained, operations restored and the public informed, take time to look at the non-technical issues that might have contributed to the security breach. You should ask and answer questions such as:
After a security breach occurs, it’s normal to panic, point fingers or become frustrated, but having a response plan in place can minimize the damage. Does your company have a security response plan? Do you agree with the five steps that have been highlighted in this article? We would love to hear your thoughts.
Made up of various contributors' opinions and insights - the power of the collective.
Security Exposed Bloggers
Norman Safeground Blogs Archive