6 Steps for Responding to a Data Security Crisis
Heartland Payment Systems, Inc. paid $5 million to Discover Financial Services Company earlier this month in a settlement over a data security breach, a situation that a better initial response might have minimized.
The settlement resulted from a 2008 incident. Hackers installed spyware on Heartland's network, disclosing critical data such as account numbers and customer names for Visa, MasterCard, American Express, and Discover Card accounts.
Too often, companies that experience a data security breach only make the situation worse by not responding correctly. With more than 30 years of experience in the computer industry, Mike Theriault, president and CEO of B2B Computer Products in Addison, Ill., knows what businesses need to do as soon as they realize there's a data security problem.
"First of all, don't panic," he said. "People make the mistake of reacting before they know exactly what the problem is. Don't take any unnecessary action until you can accurately define the problem and know the scope."
Theriault has boiled the best response down to six steps. He says that although they're generally sequential, the order will depend on how regulated your industry is and the types of security risks your company faces.
1. Review Your Compliance Documents
In tightly regulated industries, organizations must document their compliance with government mandated security standards. If this applies, be sure you can demonstrate compliance in order to avoid fines and regulatory action.
2. Identify an Incident Response Team
Hopefully, you have a computer security incident response team ready to go. If not, assemble a team that, in addition to IT, may include: attorneys, C-suite executives, public relations, and a representative from each of the business lines affected; include HR if the breach involves employees. Having a team will reduce the chances of an erratic response.
3. Assess the Damage
Determine who and what is affected and the potential effect on your business. An external attack on your public website might not be a big deal if it's an informational site, but it can break your business if you're dependent on e-commerce. Also, an insider attack on the company's personnel database may have a different impact than a hacker's theft of a client database.
4. Notify Stakeholders
Who you tell and when you tell them can make a difference as to whether you're able to quickly find and fix the problem. If yours is a highly regulated industry, you'll need to call government officials immediately. If a crime may have been committed, law enforcement will be one of the first calls. If you are planning to bring in third-party consultants, such as security or computer forensic experts, bring them in as early as possible. Most states have specific deadlines (up to 30 days for disclosure) for informing customers and others who may be affected by the breach. This means you'll have time to get the situation under control before the information becomes public.
5. Identify the Cause and Minimize the Damage
Many severe security problems appear mild at first. In fact, your IT staff may think it's just a nuisance and apply a routine fix. Initial signs may include an increase in overall traffic, especially an unusual amount of outbound activity, and an increase in help desk requests. More overt signs include crashing Internet and intranet sites. In the extreme, nothing will work at all. Unless the breach is actively hurting your business, don't begin remediation until you fully understand the cause and its potential impact.
6. Document the Incident
Lack of documentation will not only make it difficult to rebuild your systems, it can also hurt your chances of successfully prosecuting an attacker. Throughout the assessment and remediation process, you should record everything, from how the incident was detected to what the members of the response team did.
If the attack came from outside the company and your security hardware and software are up to date, documentation will occur automatically through firewall log files, IDS/IPS/IDP systems, and other security information management tools. Your job will be much easier if the tools you have in place are sophisticated enough to record the intrusion, the ensuing infections or downloads, and the configuration changes that stopped the attack.
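As an added example (not code from the article or from B2B Computer Products), here is the kind of check that step 5's "unusual amount of outbound activity" and step 6's firewall log files imply: parse constructed firewall log lines and flag hosts whose allowed outbound volume far exceeds a per-host baseline. The key=value log format, the field names and the baseline figures are all assumptions made for this example.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed sample firewall log lines (not from the article); the key=value
# format and field names are an assumption made for this example.
SAMPLE_LOG = """\
2008-05-01T09:00:01 action=allow src=10.0.0.5 dst=203.0.113.10 dir=out bytes=1200
2008-05-01T09:00:05 action=allow src=10.0.0.5 dst=203.0.113.10 dir=out bytes=1800
2008-05-01T09:01:10 action=allow src=198.51.100.3 dst=10.0.0.5 dir=in bytes=50000
2008-05-01T09:02:00 action=deny src=10.0.0.7 dst=198.51.100.9 dir=out bytes=900000
2008-05-01T09:02:30 action=allow src=10.0.0.7 dst=198.51.100.9 dir=out bytes=25000
2008-05-01T09:03:00 action=allow src=10.0.0.7 dst=198.51.100.9 dir=out bytes=35000
2008-05-01T09:04:00 action=allow src=10.0.0.9 dst=203.0.113.22 dir=out bytes=1000
this line is malformed and must be skipped rather than crash the parser
"""
# Constructed per-host "normal day" outbound volume in bytes (assumed baseline).
BASELINE_BYTES = {"10.0.0.5": 5000, "10.0.0.7": 4000}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dir=(?P<dir>in|out) bytes=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # keep the parsed fields, converting the byte count to an int
            records.append({**m.groupdict(), "bytes": int(m["bytes"])})
    return records

def outbound_bytes_by_host(records):
    """Sum allowed outbound bytes per source host (denied/inbound excluded)."""
    totals = defaultdict(int)
    for r in records:
        if r["dir"] == "out" and r["action"] == "allow":
            totals[r["src"]] += r["bytes"]
    return dict(totals)

def flag_unusual_outbound(records, baseline_bytes, factor=5.0):
    """Return (host, bytes, ratio) for hosts above factor x baseline; a host
    absent from the baseline is compared against the median baseline."""
    fallback = median(baseline_bytes.values()) if baseline_bytes else 0
    flagged = []
    for host, observed in sorted(outbound_bytes_by_host(records).items()):
        expected = baseline_bytes.get(host, fallback)
        if expected > 0 and observed / expected >= factor:
            flagged.append((host, observed, round(observed / expected, 2)))
    return flagged
```

The flagged tuples, together with the parsed records they came from, are exactly the sort of record step 6 says to keep from the moment of detection onward.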
"The situation usually isn't as dire as people initially think it is," Theriault said. "Once you have a handle on the problem, it's time to start thinking about avoiding a similar situation in the future. Your clients might understand if it happens once, but they won't be as generous if it happens twice."
Award-winning B2B Computer Products LLC was identified by Inc. magazine as one of the fastest growing businesses of its type in the U.S. and by Crain's as one of the largest privately held companies in the Chicago metro area. B2B Computer is a single-source provider of products and manufacturer-certified services that include virtualization, VoIP systems, data deduplication, disaster recovery, and SAN storage. As a national business-to-business reseller of computer hardware and software representing hundreds of manufacturers, B2B guarantees a best practice combination of competitively priced customized products and expert services. In addition to its Addison, Illinois headquarters and multiple distribution points, B2B Computer's offices are in Chicago; New York; Davenport, Iowa; Philadelphia; and San Francisco. To contact B2B Computer, call 1-877-222-8857 or visit www.B2BComp.com.