It’s no surprise, given the worldwide impact of the SolarWinds attacks, that there is word a new Executive Order will likely be signed requiring organizations that do work with the United States government to notify the federal government of a breach far more quickly than they have had to previously. Given how many companies do even minor work with the US government, this will affect a large number of private-sector companies across a range of industries.
Here are four steps you can take right now to get prepared, so you’re not scrambling to figure out what to do when you have an incident or data breach.
Make your incident response plans actionable
Most organizations have a paper incident response plan that sits on a shelf and is rarely visited or referenced, even during an incident. It might get dusted off once a year for a tabletop exercise, where it hopefully gets at least some updates. Because data breach and incident response depends on many moving parts, including technology and security architectures, organizational structures and teams, rapidly changing regulations, controls, policies, and even contracts with outside vendors, most plans become outdated soon after they are written.
There is some value in using an incident response plan template to map out actions at a high level. When it comes down to the details, however, a one-size-fits-all approach won’t cut it, especially if you want something actionable that you and your team can actually use during an incident. Further, the breadth of possible incidents requires a wide variety of actions, so each type of incident, or group of common incident types, really needs its own focused set of actions. That means subplans or even multiple plans, each of which has to be maintained and practiced regularly.
Maintaining all of that is unrealistic for most organizations, especially once the plan includes the appropriate internal and external stakeholders. Rather than create one generic paper plan, it makes sense to create incident response plans for the common security and privacy incidents you actually face. These plans should be focused and actionable, specifically detailing the steps you and your team need to take instead of high-level, general guidelines. Ideally, these response plans should be updated dynamically, using technology to keep them current when a regulation changes, a contract is updated, or an exercise or an actual incident exposes a gap.
The more streamlined process that results will lead to faster and more effective incident response and help you hit the timelines required by government regulators.
Dig into the details
Most teams don’t delve into the details of their incident response plans, so they end up missing critical information. For example, the most recent Verizon Data Breach Investigations Report reports how often incident response plans include commonly overlooked requirements, procedures, and activities:
- Less than 20% cite legal and regulatory requirements
- Less than 20% cite internal security policies and procedures
- Only 40% are periodically reviewed, tested, and updated
- Only 10% require internal stakeholders to periodically share knowledge
Another key detail most security and privacy teams haven’t explored is their cyber insurance policy. Many cyber insurance policies require notification within a specific time frame to preserve the ability to make a claim for the incident later. The complication is that many insurers will want to get involved in, and may even dictate, your response, so you need to decide ahead of time when in your process you will notify them.
Teams have plenty of room to improve here, and these areas are straightforward for incident response teams to get their arms around. The time spent should be easy to justify: various reports have repeatedly shown that attention to these areas saves well over $1M in the aftermath of even a small security breach. So where to begin? If you haven’t already, form an Incident Response team with named members. Then focus the team on understanding the details that can make or break the timeline of an incident response.
We hear frequently from law firms that specialize in data breach response that even the largest, most sophisticated companies aren’t organized for an incident. Since readiness for an incident comes from understanding the obligations the organization has, it is well worth the time for privacy and security teams to prepare in advance, so that during an incident they are not trying to figure out what they need to do and can instead just do it.
Organizations don’t necessarily know where their customers are, which regulations apply to the customer data sets they hold and where that data is stored, or even where their own offices and employees are located. For example, if your customers are in all fifty states in the United States, then every state’s privacy regulations might apply to an incident. Trying to work that out while a data breach response is underway is painstaking at best and can lead to expensive long-tail litigation and investigations.
In the same vein, an organization’s contracts likely contain stipulations about notification timelines. These can run in both directions, covering your providers as well as your customers. If one of your customers is a large business, especially a highly regulated one, and you hold some of their data, it’s very likely you’re obligated to notify them as soon as possible, or immediately upon learning you have a breach. Missing their timeline could damage the relationship, so at a minimum teams should track their key contract obligations if they aren’t already.
Rather than hope your organization is never hit by an incident, and then end up paying hundreds to thousands of dollars per hour to outside counsel and remediation firms to work it out, collect and capture this information in your response plan. It will save your organization a lot of suffering and a lot of money.
Get stakeholders involved & invested
Data breaches are now a recurring and unavoidable problem, as seen over and over in news headlines. For organizations that are willing to accept this reality and put in the time to prepare and achieve readiness, however, a breach no longer has to be treated as a catastrophe.
One of the key steps in achieving readiness is getting the key stakeholders across your organization involved and invested in the process. While the privacy and security teams are usually at the center of these activities, IT, legal, compliance, risk, and communications all play a key part in a successful response. Building up organizational “muscle memory” around incident and breach response also builds trust with executives across lines of business, the C-suite, and the board.
Since these stakeholders all need to communicate and work together in the event of a breach, it’s best to organize and practice with them ahead of time. A great starting point is defining the process for determining what counts as an event, an incident, and a breach; who makes that call and how; and what the ramifications of declaring each are. Mistakenly calling a small incident a breach, or vice versa, can be costly and can even erode legal protections in future court cases, an increasingly common occurrence.
For example, when it comes to decisions about notifying regulators and/or customers, you really need your legal team involved. Unfortunately, in many organizations general counsel and legal teams haven’t been exposed to security and privacy incidents or the processes around them. Getting them familiar is therefore hugely important, to reduce risk, reduce cost, and especially because breaches frequently end up in court.
By practicing for the things that will happen in a crisis, it is easier to hit the ground running. When teams practice their actionable plans for the frequent or likely breach scenarios they will run into, they are better able to make calls on the fly when an incident doesn’t go as predicted or planned.
Ideally, breach response testing should be done at least quarterly, but that’s a challenge for many organizations. If you’re not doing it at all, strive to do it at least annually with the entire incident response team. If you’re already on the ball with your practice, try kicking it up to twice a year, or practice with a smaller subset of an incident or a part of the team.
As exercises become routine, breach response will be easier and less costly as well.
What to do if you have a breach
A poor response not only causes operational impact, it hits your organization’s bottom line through the fines, brand damage, customer loss, and shareholder lawsuits that follow most breaches these days. If you’ve effectively prepared for your incident, you’ll move quickly into two parallel execution tracks: security forensics and remediation, and privacy and regulatory processes.
Most organizations are at least somewhat practiced in and familiar with the former, so it isn’t the focus here. For the latter, response teams will likely face one or more timelines from a variety of potentially applicable regulations, as well as from their contractual obligations. They’ll need to understand the data impacted, including whether it consists of customer, employee, or partner personal information, in order to determine which regulations apply and to what degree. Ultimately, the organization will need to track and hit those timelines, and notify and act according to each obligation, to ensure a successful outcome.
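To make the “track and hit those timelines” point concrete, here is an added example (it is not BreachRx code and does not come from the original post) of a small notification-deadline tracker. Given the time an incident was discovered and a list of obligations, each with a notification window measured from discovery, it computes every deadline, orders them soonest-first, and flags any that are already missed or about to be. The discovery time, the obligations, and their window lengths are constructed sample data, not any specific regulation, contract, or insurance policy.

```python
"""Notification-deadline tracker (added example, not BreachRx code).

Every obligation below is constructed sample data. Real windows come from
the regulations, contracts, and insurance policies identified during
preparation, and some are measured from confirmation rather than discovery,
so the anchor time must be agreed with legal before an incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Obligation:
    name: str          # who must be notified and under what authority
    window_hours: int  # hours allowed after the anchor (discovery) time
    source: str        # "regulation", "contract", or "insurance"


@dataclass(frozen=True)
class Deadline:
    obligation: Obligation
    due: datetime
    status: str        # "missed", "at_risk", or "ok"


# Constructed sample obligations; the windows are placeholders.
SAMPLE_OBLIGATIONS = [
    Obligation("Cyber insurer notice clause (constructed)", 48, "insurance"),
    Obligation("Key customer MSA breach notice (constructed)", 24, "contract"),
    Obligation("Regulator notification (constructed window)", 72, "regulation"),
]

# Constructed discovery time used by the demo and by statuses_after().
DISCOVERED = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)


def compute_deadlines(discovered: datetime, obligations, now: datetime,
                      warn_hours: int = 12) -> list:
    """Return deadlines sorted soonest-first, each tagged with a status.

    Both datetimes must be timezone-aware: notification clocks span
    jurisdictions, and a naive local time silently shifts every deadline.
    """
    if discovered.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if now < discovered:
        raise ValueError("'now' precedes the discovery time")
    deadlines = []
    for ob in obligations:
        due = discovered + timedelta(hours=ob.window_hours)
        if now >= due:
            status = "missed"
        elif due - now <= timedelta(hours=warn_hours):
            status = "at_risk"
        else:
            status = "ok"
        deadlines.append(Deadline(ob, due, status))
    return sorted(deadlines, key=lambda d: d.due)


def governing_deadline(deadlines):
    """The soonest deadline is the one that drives the whole response."""
    return deadlines[0] if deadlines else None


def statuses_after(hours_elapsed: int, obligations=SAMPLE_OBLIGATIONS):
    """(window_hours, status) pairs at DISCOVERED + hours_elapsed, soonest first."""
    now = DISCOVERED + timedelta(hours=hours_elapsed)
    return [(d.obligation.window_hours, d.status)
            for d in compute_deadlines(DISCOVERED, obligations, now)]


def summarize(deadlines) -> list:
    """One human-readable line per deadline, for a status channel or log."""
    return [f"{d.due.isoformat()}  {d.status:8}  {d.obligation.name}"
            for d in deadlines]


if __name__ == "__main__":
    # Demo: 30 hours after discovery, the 24-hour contract window is gone.
    now = DISCOVERED + timedelta(hours=30)
    for line in summarize(compute_deadlines(DISCOVERED, SAMPLE_OBLIGATIONS, now)):
        print(line)
```

The point of sorting is that the shortest window, here a customer contract rather than a regulation, sets the real clock for the whole team; a plan that only tracks regulatory deadlines would miss it. Replace the constructed obligations with the ones collected during preparation, and run the tracker from the moment an incident is declared.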
Automation through the right platform can improve communication and knowledge sharing by providing a single place to coordinate, develop, plan, and execute data breach responses. Software also provides the launching pad for exercises and practice incidents. Even better, it provides a place to document lessons learned, which boosts response speed, accuracy, effectiveness, and compliance. With regulators demanding a faster response pace, operationalizing incident response is one of the easiest ways to greatly reduce the risk of impact from an incident.
BreachRx SaaS platform
Our focus at BreachRx is to help organizations turn the chaos of incident response into a routine business process. Addressing these issues significantly mitigates the risk of privacy and security incidents and data breaches. Privacy, legal, and risk teams need technology that automates and flexibly supports their incident response team’s activities in order to meet the tight time frames, and the need for scale, of successful incident management and response.
BreachRx is an automated, dynamic platform for streamlining best-practice workflows so teams can proactively prepare for and achieve incident response readiness. Teams can use BreachRx as a central system of operation to rapidly execute their response once the inevitable incident occurs, a critical need as government regulators demand increasingly faster notification.