
How to Respond When A Security Breach Occurs

11/04/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


Now that we’ve covered the path to mitigating security risks through risk assessment, processes, and people, we need to identify what will be done if a data breach does occur.

This problem isn’t going away in the foreseeable future. And just because you haven’t identified an intrusion or other data loss event doesn’t mean you haven’t had one or won’t ever have one — even if you are “doing everything right”.

Preparation is a vital component of mitigating cyber threats. As the saying goes, “Fail to prepare, prepare to fail.” Be proactive and plan ahead: make provisions for as many potential cyber security breach scenarios as possible, and make sure you have a documented Incident Response Plan that covers them. If you’re starting from scratch, the National Institute of Standards and Technology Special Publication 800-61 (NIST SP 800-61) provides detailed instructions on building an incident response capability, including a handy incident response checklist.

With that in mind, we recommend you employ these strategies to respond to security breaches:

Containment: Don’t delay your response once an intrusion is identified. Do carry out your containment procedures with expediency. Containment strategies will vary, depending on the nature of the attack. In some cases it will be appropriate to shut down affected systems quickly. In others, you will want to keep them up and closely monitor the attacker’s activities in order to gain additional detail that will be helpful during the remainder of the response. Having a comprehensive Incident Response Plan to guide your actions can be the difference between success and failure.

Eradication & Recovery: Once the incident is contained, it’s time to start cleaning up the mess. Do rely on your Incident Response Plan to guide Eradication & Recovery efforts. During eradication, you will identify all affected systems and perform activities appropriate to the incident type, such as removing malware or changing passwords on breached user accounts. Recovery activities typically involve actions like restoring files from backup, or installing missing security patches. These efforts are intended to get you back to normal business operations. 


Communication: Notification of internal and external players: Don’t delay in communicating with internal departments and external vendors, partners and clients. Do outline a clear chain of communication before breach detection and follow it post-breach. Depending on your industry and state, laws vary with regard to required deadlines to inform those affected by the breach. Following proper procedures carefully and quickly can minimize breach fallout.

Remember:

  • Contain the breach

  • Assemble the response team

  • Investigate the breach

  • Document the who, what, where, when, why and how of the breach as well as the relevant notification time limits

  • Follow your breach communication procedures, including informing authorities, insurance companies and affected parties

Finally, organizations should be sure to assign ownership of the Incident Response Plan to a network security team leader to ensure it evolves as needed and does not remain a static document. 

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.
