Your worst nightmare just came true: your company has been hacked. This scenario plays out every day at small, medium and large corporations. It is the world we live in today, because a company's infrastructure can be reached over the internet, and attackers can steal from you from anywhere in the world. What makes the problem worse is that they are very good at it. If they really want access to your data and systems, they will find a way. The most common ways in are: your employees unknowingly give away passwords or account access (phishing and social engineering); the attackers exploit weak access control where the data is kept; the thieves exploit architectural weaknesses caused by poor design or by known, unpatched holes in the security products you use; and my favorite, your systems were penetrated through a third-party vulnerability, such as a vendor or supplier that has access to your environment.
What do you do now? Hopefully you have a business continuity plan that addresses data breaches. If you don't have one for security breaches, this article will help you. It lays out the key steps for handling the breach together with all the parties who are responsible, accountable, or need to be consulted or informed.
The first thing you need to do is establish the basic facts surrounding the incident. You need to understand how the attackers got in, what they did once inside, and what information they took from your systems. Your investigation should try to answer the following questions:
What data was kept on the compromised system?
Was the data encrypted, and if so, were the encryption keys also exposed? Encryption only protects data whose keys the attacker did not reach.
Did the data include any customer personal information such as names, addresses, birth dates, SSNs, financial account numbers or payment card numbers, or any other information that could be linked to specific customers?
How many customer records were affected by the breach?
In which states and countries do the affected people reside, and what languages do they speak?
Who (if anyone) acquired the data? Can you trace it to a specific location?
Are they likely to misuse the data in the future?
All of the questions above are needed to understand the scope of the data loss. There are regulatory compliance obligations at the local, state and national level. Some of the regulations that may apply to you include HIPAA, the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA), the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA) and, for the data of EU residents, the GDPR. Your organization may have to comply with several of them at once, so it is best to list every regulation that could apply to your company up front. You can then determine a single set of security controls that satisfies the requirements of all of them. I have attached a good Forbes article that reviewed a few of the world's largest data breaches and the possible consequences if GDPR penalties had been in place.
Keep a written chronology of what you learned, when you learned it, and from whom. Document everything you do and everyone you talk to regarding the data loss. If your business is short on internal resources, consider engaging a digital forensics expert or firm to assist with the investigation. Your written log of the breach will help you when you talk to your customers and to government agencies, and it shows you were on top of the situation.
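One way to keep that chronology so it also holds up when you hand it to counsel, a regulator or a forensics firm is to make it tamper-evident. The following is an added example, not code from the original article: each entry records what was learned, when it was learned and from whom, and is chained to the previous entry by a SHA-256 hash, so an entry edited or deleted after the fact no longer verifies. The field names, the JSON layout and the three sample entries are constructed for this illustration.

```python
"""Tamper-evident incident chronology.

Added example, not from the original article. Each entry records what was
learned, the time it was learned, and who it came from, and is chained to the
previous entry by a SHA-256 hash, so that an entry edited or removed after the
fact no longer verifies. The field names and the sample entries are
constructed for this illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash, recorded_at, event_time, source, note):
    # Canonical JSON (sorted keys, no whitespace) so the same fields always
    # hash the same way regardless of how the entry was stored.
    payload = json.dumps(
        {"prev": prev_hash, "recorded_at": recorded_at,
         "event_time": event_time, "source": source, "note": note},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self):
        self.entries = []

    def add(self, event_time, source, note, recorded_at=None):
        """Append one chronology entry and return its hash."""
        if recorded_at is None:
            recorded_at = datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(prev, recorded_at, event_time, source, note)
        self.entries.append({
            "prev": prev, "recorded_at": recorded_at, "event_time": event_time,
            "source": source, "note": note, "hash": digest,
        })
        return digest

    def verify(self):
        """Recompute the chain. Returns (True, None) if intact, otherwise
        (False, index of the first entry that does not verify)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                return False, i
            expected = entry_hash(prev, e["recorded_at"], e["event_time"],
                                  e["source"], e["note"])
            if e["hash"] != expected:
                return False, i
            prev = e["hash"]
        return True, None

    def to_json(self):
        """Serialize for hand-off to counsel, regulators or a forensics firm."""
        return json.dumps(self.entries, indent=2)


def sample_log():
    """A constructed three-entry chronology with fixed timestamps (not real data)."""
    log = IncidentLog()
    log.add("2024-03-01T09:15:00+00:00", "help desk ticket (constructed)",
            "User reports a password-prompt e-mail they clicked on",
            recorded_at="2024-03-01T09:40:00+00:00")
    log.add("2024-03-01T11:05:00+00:00", "mail gateway logs (constructed)",
            "Same message delivered to 40 mailboxes",
            recorded_at="2024-03-01T11:30:00+00:00")
    log.add("2024-03-02T08:00:00+00:00", "outside forensics firm (constructed)",
            "Confirmed logins from unfamiliar IP ranges against two accounts",
            recorded_at="2024-03-02T09:10:00+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.to_json())
    print("chain intact:", log.verify())
```

Note that the chain only proves the log was not altered after an entry was written; publish or escrow the latest hash regularly (for example by e-mailing it to counsel at the end of each day) so that the whole log cannot simply be rebuilt from scratch.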
Get your legal team involved. If your company does not have legal staff, seek outside counsel. Consider asking the following questions of your legal staff or the outside counsel you engage:
Which state laws apply to the incident? Check each state's specific laws on security breaches.
Would the incident be considered a "data security breach" under those laws?
Am I required to notify consumers, the government or other third parties of the incident? If so, by when?
If I am required to notify the government, which state or federal agencies must be notified?
Do I have to notify local law enforcement or the FBI?
Am I required to notify the consumer reporting agencies (e.g., Experian, Equifax and TransUnion)?
Am I required to notify the payment card companies of the incident? If so, by when?
What is required if the affected individuals live abroad?
What information must the notification letter contain, and how and in what format should it be sent?
Make sure your employees and contractors have the appropriate confidentiality and nondisclosure agreements in place, to limit your liability in the event that a data breach was intentionally caused by one of these parties.
In parallel with the steps above, preserve the evidence and protect what is left. Take full forensic images of every affected system and any related applications, including memory where you can capture it before shutdown, and record a cryptographic hash of each image so its integrity can be shown later. Isolate the affected systems from the network until you know they are secure; disconnecting rather than powering off keeps volatile evidence such as running processes and open network connections. Check for data loss or corruption. If there is loss or corruption, work back through your backups to find the most recent point of uncorrupted data to restore from, and keep in mind that a backup taken after the attacker was already inside may carry the compromise with it.
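Finding the restore point is a procedure worth making explicit, because "most recent" is not the same as "clean". The following is an added example, not code from the original article: it walks backups from newest to oldest and returns the first one that was taken before the earliest known attacker activity, still matches the integrity manifest recorded when the backup was written, and contains no file whose hash is on the incident's list of known-bad hashes. The in-memory backup layout, the manifest format and the four sample snapshots are constructed for this illustration; a real tool would read the files from the backup media and the manifest from the backup catalog.

```python
"""Choosing a clean restore point.

Added example, not from the original article. It walks backups from newest to
oldest and returns the first one that (1) was taken before the earliest known
attacker activity, (2) still matches the integrity manifest written when the
backup was taken, and (3) contains none of the file hashes identified as
malicious in this incident. The in-memory backup layout and the sample
snapshots are constructed for this illustration.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Backup:
    taken_at: str            # ISO-8601 UTC; lexical order equals time order
    files: dict              # path -> content bytes
    manifest: dict = field(default_factory=dict)  # path -> sha256 at backup time

    @classmethod
    def capture(cls, taken_at, files):
        """Record a manifest at backup time so later corruption is detectable."""
        return cls(taken_at, dict(files), {p: sha256(b) for p, b in files.items()})


def integrity_problems(backup):
    """Paths that are missing or whose content no longer matches the manifest."""
    bad = []
    for path, digest in backup.manifest.items():
        data = backup.files.get(path)
        if data is None or sha256(data) != digest:
            bad.append(path)
    return sorted(bad)


def ioc_matches(backup, bad_hashes):
    """Paths whose content hash is on the incident's list of known-bad hashes."""
    return sorted(p for p, b in backup.files.items() if sha256(b) in bad_hashes)


def choose_restore_point(backups, earliest_compromise, bad_hashes):
    """Newest backup that predates the compromise, is intact and is IOC-free.
    Returns None when no backup qualifies (restoring is then not an option)."""
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        if b.taken_at >= earliest_compromise:
            continue  # the attacker was already inside; do not trust it
        if integrity_problems(b):
            continue  # media corruption or tampering since capture
        if ioc_matches(b, bad_hashes):
            continue  # the compromise started earlier than we thought
        return b
    return None


# Constructed sample content (not real files or malware).
CONFIG = b"db_host=10.0.0.5\n"
INDEX = b"<html>welcome</html>\n"
PLANTED = b"constructed stand-in for a file the attacker dropped\n"
KNOWN_BAD_HASHES = {sha256(PLANTED)}


def sample_backups():
    """Four constructed snapshots: clean, corrupted on media, IOC-bearing, post-compromise."""
    clean = {"app/config.ini": CONFIG, "app/index.html": INDEX}
    b1 = Backup.capture("2024-02-20T02:00:00Z", clean)
    b2 = Backup.capture("2024-02-27T02:00:00Z", clean)
    b2.files["app/config.ini"] = b""  # corrupted on the media after capture
    b3 = Backup.capture("2024-02-29T02:00:00Z", {**clean, "app/uploads/x.bin": PLANTED})
    b4 = Backup.capture("2024-03-03T02:00:00Z", clean)
    return [b1, b2, b3, b4]


if __name__ == "__main__":
    pick = choose_restore_point(sample_backups(), "2024-03-01T00:00:00Z", KNOWN_BAD_HASHES)
    print("restore from:", pick.taken_at if pick else "no clean backup")
```

In the constructed data the 2024-03-03 snapshot is skipped because it post-dates the compromise, the 2024-02-29 one because it already contains the planted file (which tells you the intrusion began before 2024-03-01, so move your chronology's start date back), and the 2024-02-27 one because it no longer matches its manifest; the 2024-02-20 snapshot is the one to restore. If the function returns None, there is no trustworthy backup and you are rebuilding rather than restoring.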
If the breach occurred at a third-party partner, contact the breached company. Find out the extent of the damage as far as they know it, what they are going to do about it, and whether they have instructions on what you need to do next. In your conversations with them, find out exactly what information was stolen. Even if they tell you your stolen information was encrypted, don't take that at face value; always assume the data is out in the open. Your lawyers will also need to check your contract with the breached company for liability and damages. Get the breached company to perform a security breach assessment at their data center and to share the findings with you.
Perform a security assessment and penetration test of your own environment, update your security software, and run security scans on every computer and server. Patch all systems with the latest security updates. Reset all passwords for all external accounts and systems, and rotate any keys or service credentials the attacker could have reached. Review your enterprise architecture to see whether further enhancements (such as regular patch maintenance and vulnerability testing, air gaps or network segmentation, endpoint protection, and so on) are needed to prevent breaches in the future.
Respond to customer and employee concerns. Your employees and customers will have questions about the breach; be prepared with answers. These will come in by phone, by e-mail and even through the press. By responding honestly and promptly, you maintain a good relationship with your customers and keep their business.
Put a plan in place to notify your customers. Be open and sincere. If the fault was on the company's side, admit it and accept responsibility. Provide details when the time is right: what occurred, when it occurred, and the steps you are taking to address it. Finally, make things right with your customers: describe the remedies available to affected users and, if possible, prepare a special offer for them, for example one to two years of credit monitoring. Contact the credit bureaus and advise them that your customers may be victims of identity theft, so that a fraud alert can be placed on their files.
Train your employees to identify and prevent breaches. Consider the following points for your employee training:
Teach employees what constitutes a "data breach." Make them aware that this includes mistakes such as inadvertently sending information to the wrong person by mail or e-mail.
Educate them on data loss prevention and explain how to prevent similar issues in the future.
Instruct employees to report any event in which personal information is accessed by, acquired by, or shared with an unauthorized person to you or to a designated supervisor.
Consider providing employees a confidential means of reporting a data breach. This is particularly useful when employees might otherwise stay silent for fear that reporting a breach could result in disciplinary action against them or a colleague.
In the end, it pays to be diligent with your business continuity plans and your cybersecurity policies, procedures and infrastructure. You can prevent most attacks on your systems and data, and luck always favors the prepared.
I am interested in your comments and suggestions on this article. Please let me know what you think.