Posted by Kevin on October 28, 2015.
The gradual realization that we cannot keep hackers out of our networks has led to the evolution of a new security concept: incident response. This holds that equal emphasis should be placed on the response to a breach (or incident) as is currently placed on trying to prevent that breach. Part of this response can be achieved by technology, but much of it is down to business and management.
The technology element is in two primary parts: detection of the breach (usually some part or combination of DLP, SIEM, log analysis and data analytics), followed by forensic examination of that breach (often involving a third-party specialist firm). But then comes response management – what you do in terms of customer and PR relations in order to stop an incident escalating into a crisis. The second part of incident response is crisis management – and this was the subject of a recent roundtable discussion among Wisegate’s CISOs.
Of course not all incidents should be considered crises. Some are merely challenges. The first danger is that overreacting to a challenge can create a crisis – so we have to be able to tell the difference.
There are five main differentiators between challenge and crisis:
A challenge can be fixed, but a crisis has to be managed. Planning for that management should start now, before you are breached (or at least before you know you have been breached). If you ever find yourself in the midst of a crisis and wondering what you should do next then it’s too late – you’ve lost control.
But all breaches and all companies are different, and your precise reaction will depend on the individual incident. Nevertheless, you can prepare. Internally you should have a response team that is already briefed. The team must involve all aspects of the company: IT, HR, Legal, the C-suite and so on. All of these will have their own part to play in a crisis, and they must be ready to act as a team.
Externally you should make sure that you have contact with a specialist crisis management company – your existing PR agency might not have sufficient experience. Similarly you should have a contact in a credit monitoring company so that you’re not starting from scratch in an emergency.
But apart from this, exactly how and how quickly you respond will depend upon your judgment and the incident itself. Insights talked to Mitzi Hill, an IT lawyer at Taylor English with relevant expertise and experience. We asked, ‘When does a crisis begin? When the data is known to be lost? Or when it is discovered for sale on the dark net?’
“It starts,” she told us, “when the loss is discovered.” The precise response, however, might vary. Consider disclosure. Mitzi told us, “Not all data losses require disclosure under most US laws. State breach notice laws typically define limited types of ‘personally identifiable information’, the loss of which may require notice to consumers. Some federal laws, such as those governing financial and health information, may impose more stringent requirements. Consulting with counsel will help you assess what is required in your situation.”
Which is why, of course, Legal is already part of your pre-formed crisis management team.
Disclosure, however, is a complex issue. Standard advice is often not to disclose earlier than the legal requirement – and there are good reasons for this. Firstly, the extent of the breach might not be immediately apparent, and you end up telling your customers not to worry when they really should be very very worried. Secondly, early disclosure can make law enforcement investigation more difficult. If the breach is ongoing, the FBI will have a greater chance of locating the culprit if he doesn’t know he has been discovered. Tip him off and he’ll just melt away into the darkness.
“But,” warns Mitzi, “the PR implications of even a small loss may differ from the legal requirements. Knowing what information is involved, how it affects your customers, and what impact that may have on your reputation is a calculus that differs for every business. There may well be times when you decide that disclosure is the best route, even if it is not legally required.”
There is, however, a good rule of thumb that you can use both when planning for crisis management and when putting it into action. “Consider,” suggests Mitzi, “both the law and the golden rule: how would you feel if this were your data and no one told you it got released?”