The high-profile breaches of major companies in the last two or three years, along with the growing number of publicly disclosed cyberattacks, have brought more discussions into the corporate boardrooms about cybersecurity risks as well as incident response. As cybersecurity professionals shift to the new mindset of “assumed compromise” — acknowledging a breach will happen regardless of how robust their defenses are — more organizations are putting incident-response plans in place.
Why do you need a plan? First of all, let’s look at the numbers. Verizon’s 2015 Data Breach Investigations Report found that one million threats were being released on a daily basis, while Symantec’s 2015 Internet Security Threat Report found that five out of six large companies were being targeted, a 40 percent increase from the previous year.
And small/medium businesses are not off the hook either. The National Small Business Association found in its 2015 Year-End Economic Report that 63 percent of the respondents had been victims of cyberattacks in the past 12 months.
Regardless of your company size, if you have any kind of data — whether it’s employee or customer records, intellectual property etc. — your chances of being a target are quite high.
Now imagine being in the middle of an attack. You’re scrambling to respond from a tactical IT approach as you try to assess the impact and secure your information infrastructure. But that’s just the first phase. You also have a much broader problem — you may have to notify many layers of stakeholders, deal with customer concerns and media inquiries, respond to government regulators and potentially have to come up with millions of dollars to pay for lawsuits, fines, credit monitoring and so on.
An incident response plan gives you a better understanding of what to expect and the ability to think a strategy through while you’re not in the middle of a crisis and allows you to practice through drills and tabletop exercises.
A look at how some big companies responded
There are plenty of examples of how others have responded to major breaches in the last two years. Unfortunately, in the majority of cases, the response was far from stellar. But there are still good lessons to learn from their mistakes.
When Target was hit at the height of the holiday shopping season in 2013, it took a week to announce it; in the meantime, news began spreading to customers via media reports. The customer response nightmare that followed included a gridlocked customer service line, a social media firestorm and eventually a class-action lawsuit that included up to $6.75 million in attorney costs and another $10 million in customer settlements.
As Target scrambled to inform all its customers in the days following the disclosure of the attack, scammers lost no time in moving in and sent out fake communications claiming to be from the retailer.
EBay’s response was even worse — it took three months to realize it had been compromised and then two more weeks to actually notify customers. And even then, some of its actions were downright embarrassing. Its first warning was posted only on its obscure corporate website (ebayinc.com). A banner on PayPal’s website led to confusion as to whether PayPal accounts were also compromised. And when a statement finally made it to ebay.com, it told people they needed to change passwords but failed to mention if financial information was at risk.
As customers complained about lack of information, eBay reacted with a simple tweet that said it would take some time for everyone to receive an email for resetting passwords. At the same time, the company did its best to do “damage control” by downplaying the magnitude of the breach. For many days following the breach disclosure, the company even refused to give an educated guess on how many records may have been impacted.
Anthem didn’t fare much better, as it took close to two months to realize it had been breached and five days to make the first announcement. It first disclosed in early February 2014 that hackers potentially stole more than 37.5 million records — but 20 days later raised that number to 78.8 million.
But more than a month after the breach became public, as many as 50 million consumers had still not been informed about their data being potentially at risk, which prompted intervention from the Senate health committee. And Anthem made it difficult for affected members to sign up for the free credit monitoring services it offered — insisting people sign up on its website (despite public trust issues) and if people called into a dedicated line to sign up, it took days for a representative to call back.
What a response to a breach should have looked like
There’s no doubt from the examples above that if those companies had been fully prepared for the magnitude of their breaches by “assuming compromise” and planning accordingly, the scenarios would have played out differently.
Let’s take eBay. As a major e-commerce player, the company should have been fully aware that its infrastructure protecting data was not foolproof, as there’s no such thing. For starters, it should have had tools in place for better visibility into its own networks — which data resides where and how a breach of different systems would impact its security.
And more importantly, in this age of social media, its reaction should have been immediate, telling customers to reset their passwords, even if only as a precaution. A properly executed crisis communications plan should have had ready-to-go, preapproved messages informing customers that the company was investigating a potential breach and in the meantime advising them, for their own protection, to take a simple step like password reset.
The website should have immediately warned visitors as well — with a clearly communicated, clearly visible message. But just a warning is not enough. An incident response plan would have spelled out in detail what the company would do after a breach to secure information; and those steps should have been communicated to customers with transparency.
The thing about a detailed incident response plan is that it’s not just an IT or PR department issue. It’s pretty much all hands on deck, as teams from legal to risk are activated for a full-scale effort. But that’s not easy — perhaps close to impossible — to smoothly implement without advance planning and training.
Creating a comprehensive plan
It’s encouraging to know that boards of directors (BODs) and the C-suite are increasingly becoming more aware of cybersecurity risks. Insurance analytics company Advisen recently asked risk professionals if cyberrisks are “viewed as significant risks” to their organizations; and 68 percent said they were significant for the BOD, and 75 percent said they were for the C-suite — with both categories showing an increase from 2014.
But planning is still lacking. EY’s survey of 1,755 executives for its annual Global Information Security Survey found that only 43 percent had formal incident response programs, and only seven percent of organizations had comprehensive plans that integrated multiple layers including vendors, law enforcement and playbooks.
Here are some basic steps for a breach response plan, and how it could play out in the ideal world, using Anthem to rewrite the real-life scenario that we actually saw.
1. Inventory the types of personal information the organization collects and stores — everything from the categories of groups (customers, employees, etc.), the type of data and files and where it’s stored, to how it’s transmitted and to whom, and who has access to the various types of data. In our fictitious Anthem response, the insurance provider immediately knows which layers of data were impacted and that third-party customer data is at risk too.
2. Understand requirements and regulations that govern data privacy and protection for your specific industry. In the case of healthcare organizations, HIPAA compliance includes reporting specific types of breaches not only to federal officials and affected consumers, but also to the media. Anthem knows medical records weren’t stolen, and its plan spells out what regulations are involved and what procedures must take place for this specific case.
3. Develop a crisis communications plan with exact messaging, a schedule and recipients, as well as delivery methods. Anthem has a process in place for reaching out to its 80 million employees and customers and also triggers communication with its associates, such as Blue Cross and Blue Shield. Within several days, all those affected are notified using a variety of avenues, thanks to easily adaptable templates for customer letters, notices to authorities and so on, and with the help of designated account managers, who have deep knowledge of and training in the priorities of this process.
A digital media team constantly updates information on the website and social media so stakeholders can take action and preventive measures. A temp agency that’s on standby fills a temporary, 24/7 customer service center that can handle the increased load of inquiries as well as sign up customers for credit monitoring.
4. Assess legal risks, which means not only legal obligations dictated by regulations but also fallout like potential lawsuits. Anthem has already engaged legal counsel specializing in breaches, so its response can begin immediately instead of waiting for legal advice before making public disclosure.
5. Secure the infrastructure. This begins immediately, and it’s something that should be integrated into IT’s daily workload that includes monitoring threats. Anthem’s IT team is already on full alert, executing its checklist that includes everything from disabling infected computers to contacting the outside forensic investigative team.
These steps are far from all-inclusive, but rather a basic starting point. The key message is that just like an HR manual or a marketing plan, an incident-response plan needs to be part of an organization’s toolkit. A breach, when it happens, will unhinge you no matter what. But knowing ahead of time what to expect and what steps you’ll take will go a long way in mitigating the crisis as it unfolds.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.