August 28, 2016
Data breaches have become commonplace. No one expresses surprise or outrage anymore. These incidents have merely become an expected segment of the network administrator's daily news feeds. Another political outrage? Check. More news about climate change? Check. Data breach of the day? Check.
But it won't seem ordinary or mundane when it happens to you. The immediate aftermath of a data breach is generally a somber occasion. The CIO meets with other top executives to discuss the situation, and it's a grim conversation, indeed. Where did we go wrong? How bad is it? What do we do now?
While the first two questions don't always have obvious answers, you can be the CIO or network administrator in the know by giving them a decisive answer to that last question – here are the steps you can take directly after a data breach to get the response and recovery process off on the right track.
Assess & Communicate
Meet with only the essential employees to begin with. After you've assessed the damage and communicated what needs to be explained to the executives, you can begin disseminating information to the other workers, who are likely scared and confused. The only way to stop the rumor mill is by communicating the truth.
This isn't a two-step process. It's one and the same. You have to communicate with your people to thoroughly assess the damage that's been done, and you have to communicate those findings back to the rest of the C-suite. You're the one with the technical knowledge and skills, so it falls to you to translate all of the tech gobbledegook into easily understood business language.
Remember, they don't care anything about how many gigabytes of data was corrupted or stolen or other tech geek speak. Give them the business side, which can generally be boiled down to:
- How much time it's going to take to get us back to productivity
- How much all this is going to cost
Granted, you probably won't have those answers immediately, but those are really the only answers that are going to stop the flood of questions. Meet with your IT managers and network administrator to assess the damage, and then communicate as clearly as possible the situation as you currently understand it. No fluff, no sidestepping, no sugarcoating – just the facts.
After the initial assessment, you will have the information you need to contact the authorities. It's important to note, this is done before any of the restoration process actually begins. That's because they will need to collect valuable forensic evidence before your IT team and network administrator begin removing malware and restoring systems. Anything you do in the interim can damage the authorities' ability to collect the evidence needed to determine who was responsible and, if possible, bring them to justice.
This may seem meaningless, especially if you're relatively sure the hack came from the remote corners of the Earth, outside the jurisdiction of our authorities. However, the evidence can be used to assemble better information on how these well-funded foreign cyber terrorist groups operate. That information can help other companies fend off future attacks, and can also be used by other governments to help track down and stop hackers responsible. It's important that authorities get access to that forensic information, even if it can't immediately be used to enact justice on those responsible.
Put Together a Response Team
After the authorities have the information they need, it's time to roll up some sleeves and start getting everything back to normalcy. Your disaster recovery plan should have a designated team to respond to such emergencies. Ideally, disaster recovery plans assign roles to various team members, so that each person knows what piece of the recovery puzzle they are responsible for. By assigning roles rather than specific tasks, the person responsible for that role can adapt to the situation as it presents itself, instead of trying to follow a specific step 1, step 2, step 3 pattern that doesn't necessarily fit the situation at hand.
Begin the Recovery & Restoration Process
Now it's time to step back and let your trusted team do their thing. Chances are, they're as upset and offended by the breach as you are. If you give them time and support, they'll fix things better than new in no time.
During the recovery process, the CIO's job is one of support and guidance. Peeking over shoulders, lording over restoration efforts, and nagging or bullying the network administrator, IT managers, or workers is guaranteed to do more harm than good. The best thing you can do to aid and speed recovery is to assure that IT team members have all of the equipment, supplies, tools, and other resources they need. Make sure they take breaks, eat well, and get the rest they need. Given time and support, they will almost always amaze you.
For the immediate recovery effort, identify and isolate any machines that are or could be infected with malware. This may mean temporarily shutting down certain users whose accounts have been compromised. All users should be required to reset their passwords before being allowed to log back into the system. Have your network administrator immediately disable network access to any machine or user that could be compromised.
This is probably a good time to begin enforcing a stricter policy governing password creation and use. No more spouses' names, dog's birthdays, or names of favorite actors. Passwords should be long, and strong – including eight or more characters, with a combination of upper and lower case letters, numbers, and special characters. Also, companies need strict policies governing password sharing. There's a reason for establishing user levels of access, and sharing passwords negates the whole purpose. Enforce strict rules against sharing passwords or storing them irresponsibly (ahem, no more sticky notes on monitors).
Determine What Data Was Stolen & the Potential Uses for That Data
Unlike people, all data is not created equally. Some data is of relatively low value (such as simply names and addresses), other data is of medium value (names and credit card numbers), and still more data is of high value (names plus social security numbers). Not only is data valued differently, it can be used differently. Some data is more likely to be used by identity thieves or sold on the black market. Other data can be used for purposes like social engineering to gain access to even higher value targets. Determine what data was stolen, what might have been corrupted, and what data, if any, is completely missing.
If you have a good backup plan in place, very little valuable data should be completely gone. Backup sources that have been kept disconnected from primary data stores are also unlikely to have been compromised by the breach, unless, of course, the breach went undetected for a considerable period of time. That's why modern network monitoring solutions are so important – these tools can detect anomalies in network traffic that help the network administrator identify a breach in progress far before it ends in disaster.
Notify Those Affected & Begin Making Restitution
If you're open, honest, and take all possible steps to make things right again, your customers and the general public will most likely forgive and forget the incident. Denying, lying, or trying to sidestep responsibilities are the things that get companies in hot water.
Once you know what data has been breached, what its potential uses are, and who has been affected, it's time to begin the notification process. It's best to turn to your legal team and PR team to determine whom to notify and in what order. For instance, they may recommend a public press release, followed by contact with individuals, or they might recommend reaching out personally first, and then following up with a public announcement.
Either way, now the longer, harder part is underway – making reparations. Commonly, companies offer victims a year of free credit monitoring. Just be sure that you make good on any promises, and that you address any claims of the data being used in wrongdoing quickly and decisively. It's far cheaper and better in the long run, to pay up for damages as they occur than to wait and let the public get wind of your company failing to make good on your promises and responsibilities.
As grandma always said, an ounce of prevention is worth a pound of cure. Preventing a data breach is by far preferable than trying to address one that's already occurred. Learn more about what the CIO and network administrator can do when you download our e-book: The Importance of Monitoring and Managing Cloud Applications and Shadow IT