5 Steps to Protect Your Organization After a Data Breach
This post contains the text from the White Paper: How to Effectively Manage a Data Breach. Download the PDF below.
You can’t afford to be unprepared for a data breach’s aftermath. Even organizations with the strictest data security and IT policies could easily go the way of recent victims. (Victims like Hilton Hotels, Home Depot, and Anthem).
It’s up to you to control the situation and protect your brand in the wake of a data breach’s potentially devastating hold on reputation. The following 5 steps will help you successfully stop information from being stolen, mitigate further damage, and restore operations as quickly as possible.
Set your incident response plan into motion immediately after learning about a suspected data breach.
1. Start Your Incident Response Plan
A business typically learns they’ve been breached in one of four ways:
- The breach is discovered internally (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts).
- Your bank informs you that you’ve been breached based on reports of customer credit card fraud.
- Law enforcement officials discover the breach while investigating the sale of stolen credit card accounts on the black market.
- A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges.
If you suspect a data breach, here’s your objective: stop information from being stolen and repair your systems so a breach won’t happen again. This begins by executing your incident response plan (IRP).
A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world, you should already have an incident response plan prepared and employees trained to quickly deal with a data breach situation.
For some reason, however, most businesses SecurityMetrics has investigated that have been breached didn’t have an incident response plan at the time of the incursion. With no plan, employees scramble to figure out what they’re supposed to do, and that’s when big mistakes are made. (e.g., wiping a system without first creating images of the compromised systems to learn what occurred and to avoid re-infection).
2. Preserve Evidence
When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data used by investigators to determine how and when the breach occurred, and what to recommend in order to properly secure the network against the current attack or similar future attacks.
When you discover a breach, remember:
- Don’t panic
- Don’t let your failure to not panic lead you to hasty actions
- Don’t wipe and re-install your systems (yet)
- Do follow your incident response plan
3. Contain the Breach
Your first priority at this point in time is to isolate the affected system(s) to prevent further damage until your forensic investigator can walk you through the more complex and long-term containment.
- Disconnect from the Internet by pulling the network cable from the firewall/router to stop the bleeding of data.
- Document the entire incident. Document how you learned of the suspected breach, the date and time you were notified, how you were notified, what you were told in the notification, all actions you take between now and the end of the incident, date and time you disconnected systems in the card data environment from the Internet, disabled remote access, changed credentials/passwords, and all other system hardening or remediation steps taken.
- Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Document old passwords for later analysis.
- Change access control credentials (usernames and passwords) and implement highly complex passwords: 10+ characters that include upper and lower case, numbers, and special characters. (Avoid passwords that can be found in any dictionary, even if you are substituting special characters in place of letter characters.)
- Segregate all hardware devices in the payment process from other business critical devices. Relocate these devices to a separate network subnet and keep them powered on to preserve volatile data.
- Quarantine instead of deleting (removing) identified malware found by your antivirus scanner for later analysis and evidence.
- Preserve firewall settings, firewall logs, system logs, and security logs (take screenshots if necessary).
- Restrict Internet traffic to only business critical servers and ports outside of the payment-processing environment. If you must reconnect to the Internet before an investigator arrives, remove your credit card processing environment from any devices that must have Internet connectivity and process credit cards via dial-up, stand-alone terminals obtained from your merchant bank until you consult with your forensic investigator.
- Contact your merchant processing bank (if you haven’t already) and let them know what happened.
- Consider hiring a law firm experienced in managing data breaches. It won’t be cheap, but they may help you avoid pitfalls that could damage your brand. Your law firm may hire a forensic firm to immediately investigate and ensure you’ve properly contained the breach. If the credit card brands have issued a mandate that a forensic investigation must occur, you will be required to hire a PCI forensic investigator (PFI) to perform the investigation, even if you or your law firm has already employed a non-PFI forensic firm.
4. Start Incident Response Management
Assemble Your Incident Response Team
A data breach is a crisis that must be managed through teamwork. Assemble your incident response team immediately. (Hopefully you’ve already met and discussed roles during crisis practices and initiated your incident response plan.)
Your team should include a team leader, lead investigator, communications leader, C-suite representative, office administrator, human resources, IT, attorney, public relations, and breach response experts. Each brings a unique side to the table with a specific responsibility to manage the crisis.
Consider Public Communications
Proper communication is critical to successfully managing a data breach, and a key function of the incident response team is to determine how and when notifications will be made.
Several states have legislated mandatory time frames that dictate when a merchant must make notifications to potentially affected cardholders. You should be aware of the particular laws in your state and have instructions in your incident response plan that outline how you will make mandated notifications.
Identify in advance the person within your organization (perhaps your inside legal counsel, newly hired breach management firm, C-level executive, etc.) that is responsible for ensuring the notifications are made timely and fulfill your state’s specific requirements. Your public response to the data breach will be judged heavily, so think this through.
Stalling May Not Be In Your Best Interest
Your customers will discover if you keep important breach information from them. If the media marks your brand untrustworthy for withholding information, that label could end up hurting you worse than the other effects of the data breach. Some companies fall into the, “Let’s make sure we know exactly what’s going on before we say anything at all” trap, but excessive delays in releasing a statement may be seen as an attempted cover-up.
Providing some information is usually better than saying nothing at all. You can always provide updated statements as needed on your website. In all cases regarding public statements, seek the guidance of your legal counsel.
Make Sure Employees Don’t Announce The Breach Before You Do
Poorly informed employees can often circulate rumors—true or not. As a team, establish your media policy that governs who is allowed to speak to the media. Designate a spokesperson and ensure employees understand they are not authorized to speak about the breach.
Depending on your particular circumstances, you may find it beneficial to withhold from the rank and file employees the fact that your company has suffered data breach until shortly before any public statements are made.
Disclosures of the breach both within the company and to the public should be in accordance with advice from your legal counsel.
Get Your Statements Together
Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. These should be communicated to appropriate parties that could potentially be affected by the breach, such as third party contractors, stockholders, law enforcement, and ultimately cardholders.
Your statements should nip issues in the bud by addressing questions like:
- Which locations are affected by the breach?
- How was it discovered?
- Is any other personal data at risk?
- How will it affect customers and the community?
- What services or assistance (if any) will you provide your customers?
- When will you be back up and running, and what will you do to prevent this from happening again?
Explain that you are committed to solving the issue and protecting your customer’s information and interests. Where you deem appropriate, you could offer an official apology and perhaps other forms of assistance such as one year of free credit monitoring.
5. Investigate, Fix Your Systems, And Implement Your Breach Protection Services
Management of a data breach doesn’t end with your public statement. Now comes the hardest part: investigating and fixing everything. Luckily, you’re not alone. Your PFI will perform the majority of the investigation and then provide recommendations on how to repair your environment to ensure this doesn’t happen again.
Bring Affected Systems Back Online
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment. During this process, ask yourself these questions:
- Have you properly implemented all of the recommended changes?
- Have all systems been patched, hardened,
- What tools/reparations will ensure you’re secure from a similar attack?
- How will you prevent this from happening again? (Who will respond to security notifications and be responsible to monitor security, Intrusion Detection System, and firewall logs?)
Be prepared for these costs
Obviously, the financial examples presented below will change based on: your size, how many customer cards were stolen, how hackers got into your organization, if you were willfully aware of your vulnerabilities, whether you have breach protection services etc. Data breaches have serious financial consequences.
If breached, you may only be liable for a few of these fines, or you could be expected to pay even more than listed below. It all depends on the size of your breach. Along with possible legal fines, federal/municipal fines, increased monthly card processing fees, you may have to pay for the following:
Make Sure It Doesn’t Happen Again
A key part of a successful breach response is what you learned from the breach. After the dust has settled, assemble your incident response team once again to review the events in preparation for the next attack. Incorporate the lessons you’ve learned and ask, “How can we improve the process next time?” And then revise your incident response plan. Don’t forget to communicate your commitment to data security to the media, even after you’ve repaired the damage.
|Possible Breach Fines|
Merchant processor compromise fine
$5,000 – $50,000
Card brand compromise fees
$5,000 – $500,000
$12,000 – $100,000
Onsite QSA assessments following the breach
$20,000 – $100,000
Free credit monitoring for affected individuals
$10 – 30/card
Card re-issuance penalties
$3 – $10 per card
Breach notification costs
Total possible cost
$50,000 – $773,000+
If you don’t have an incident response plan, making one should be a top priority. Then practice and review your plan. Without annual desktop run-throughs and simulation trainings, your staff will panic in the face of a data breach.
Suffering a data breach is one of the most stressful situations a business owner or organization can endure, but it doesn’t have to be the end of your business. Greet it with a solid and practiced incident response plan to avoid significant brand damage.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.