Do you have a data breach incident response plan?

Under the EU GDPR (General Data Protection Regulation), organisations must respond to a serious data breach within 72 hours of becoming aware of it.

These reporting requirements place a significant burden on organisations.

What is a data breach response plan?

A data breach response plan is a set of actions that help organisations detect and respond to incidents quickly and effectively.

Plans will include technical measures, such as anti-malware software and data encryption, and policies and processes for staff to follow.

An effective plan reduces the financial and reputational damage associated with a breach and helps you comply with the GDPR.

But despite the proven effectiveness of data breach response plans, the PwC Global Economic Crime and Fraud Survey 2018 found that only 30% of organisations have a plan in place.

Top 10 challenges when implementing a data breach response plan

CREST (the Council of Registered Ethical Security Testers) outlines the top 10 challenges of data breach management:

1. Identifying a suspected cyber security incident.

The longer your organisation is exposed to a vulnerability, the more damage can be done. As a result, spotting a data breach promptly can be the difference between a moderate disruption and a disaster.

This is why information security risk assessments are so important. They help you detect weaknesses and inform your decisions regarding how to address them.

2. Establishing the objectives of an investigation and a clean-up operation.

It’s essential to get back to normal operations as soon as possible after a breach, but this should be a coordinated effort. You must review what caused the incident and set goals for what you’re aiming to achieve. You might ask, for example, when or whether customers need to be notified or whether a system needs to be at full capacity before it can go back into use.

3. Analysing all available information related to the potential cyber security incident.

Potential breaches (or reviews into incidents that already occurred) will generate a lot of raw data. You need to know how to use that information and have adequate personnel and resources to disseminate it.

4. Determining what has happened.

Data breaches aren’t always clear-cut, and it’ll often take time to piece together what went wrong. Until you figure this out, you won’t be able to review your network for similar mistakes.

5. Identifying what has been compromised.

It’s hard to know whether the breach you’ve identified is the full extent of the damage. A cyber criminal might have launched multiple attacks or leveraged their way into other parts of your organisation. You’ll need to take the time to investigate the incident and review anything that could have been compromised.

6. Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted.

It’s not only compromised systems, networks and assets that you need to identify. You must also investigate the information within those systems.

7. Finding out who caused the breach and why.

Most breaches are random attacks by crooks looking for financial gain, but some incidents will target you specifically, such as political attacks or those caused by malicious insiders.

8. Working out how the breach happened.

This is the fundamental question all organisations must be able to answer if they are to prevent future attacks. It’s all well and good stopping this incident, but if you don’t know how to address the root cause, it won’t be long before you’re back where you started.

9. Determining the potential business impact of the cyber security incident.

You need to know the financial implications of the breach so you can plan for the long term. The cost of recovery and the loss in productivity will affect your revenue, and could also affect your ability to meet deadlines.

Meanwhile, estimating the financial damage will inform your data breach response budget and your decision about cyber security insurance.

10. Conducting a sufficient investigation using forensics to identify those responsible.

Not all organisations will have the capabilities to conduct a forensic investigation. Those that do may not be familiar with the process. However, the process can be essential for discovering clues that could bring the perpetrators to justice.

How to overcome those challenges

CREST offers several tips to help organisations improve their understanding of data breach response management and their ability to manage security incidents.

Its first recommendation is to follow the advice and guidance provided on government websites, such as the NCSC’s Ten Steps to Cyber Security, as well as other publicly available guides, such as ENISA’s Good Practice Guide for Incident Management.

It also suggests attending conferences or training courses to gain a close-up look at cyber incident response management. This gives you the chance to engage in discussions, participate in workshops and ask experts to clarify any questions you have.

You might also consider working with threat intelligence sharing feeds. This is essentially a way for organisations to team up in the fight against cyber crime, with industry professionals contributing to a central registry discussing threats they’ve faced.

It’s beneficial for alerting organisations about new criminal campaigns and techniques, such as a variation on a phishing scheme. As soon as one organisation faces a threat, they can warn others who can pre-empt the attack.

Are you prepared for a disaster?

Anyone looking for specific advice on responding to a security incident should look at our Data Breach Survival Guide.

It lays out the six key steps that you must take to respond to a security incident in line with the GDPR’s requirements.

It also explains how you can reduce the impact of a breach and gather the necessary disclosure information as quickly as possible.


A version of this blog was originally published on 6 August 2018.