Breach Prep & Incident Response
preparation is key
Listed here are actions you should take as soon as possible to ensure you have done your due diligence to lower the risk of a cyber-security incident or breach, to ensure all employees have a working knowledge of how to protect information, to ensure you have a solid incident response plan for when a breach occurs, and to lower your potential liability and protect your reputation when a breach does occur. In a perfect world, this project should involve a representative from each section of the company, including company leadership, and MUST be driven from the top. This is only a summary assessment to get you started and help put some pieces of your security program in place now while you plan and budget for a full security assessment/audit. Again, this assessment is just a start to help you understand what information you have and how it is, or should be, protected. For questions or issues you do not have an answer to, I encourage you to reach out to experts for help; we are available to assist. Security is a process, not a “set and forget” concept. Do not let it overwhelm you: you can plan for and manage small pieces at a time. Remember, there is no clear definition of “reasonable security.” As stated, it is a process, and to lower risk, reduce liability and protect reputation you must be able to show what actions you took to identify, address, and react to the various risks and threats. For corporate directors, “reasonable” is what makes sense for your company, provided you can give a rational justification for it and show that you made the effort to address it. See due diligence and the corporate judgement rule.
Prepare a Message in Anticipation of a Breach
Owners, CEOs, executives, managers, and others: what would you do and say if you found out tomorrow that your organization had been breached? Remember, most companies find out they have been breached from a person or entity outside the company. Normally you will have extraordinarily little time to react and put out a statement once a breach is identified. When someone asks, a comment from leadership such as “I don’t know, ask my IT guy or the IT company I hired” will not instill confidence in anyone; it may destroy your reputation, make you look incompetent, and cause your liability for the breach to soar. When preparing a message in response to a potential data breach, think about what you would want to say if you were hacked. What can you say to convey that you did everything you could to prevent the breach, and that you are taking control of the situation to fix things now? Also consider how what you say will help you protect the company’s reputation.
- Once a breach occurs or a potential breach is identified, if you or anyone from the company is asked to make a statement, or makes one, do not admit to anything. It is likely that, at the time you are notified of the breach or potential breach, you have no idea what may have occurred, how much data (if any) was lost, stolen, or otherwise impacted, and so on.
- When preparing your incident response plan, draft a few versions of the message you want to put out in the event of a breach, whether to the media, board members, shareholders, clients, or customers. These situations are usually fluid, so any prepared message will likely have to be modified depending on the facts. But it is much better to be prepared and have a sense of what you will say than to try to develop a statement while you are under pressure.
- The trend in the courts after a breach is to look at the “reasonableness” of your security. There is no one-size-fits-all answer, and no silver bullet, for security. Cyber-security is a process of determining, based on threats, vulnerabilities, sensitivity of information, budget, workflow, organizational culture, and more, what works best for your organization, and then being able to defend that program or process. But you must first understand it. “Never Ready, Always Prepared!” (You can never be Ready for everything, but you can always be Prepared for anything.)