Most mid-to-large sized companies understand the importance of planning and preparedness when it comes to the safety of their customers, their employees, and their facilities. To that end, it is the rare organization that does not have a written evacuation plan, and which does not hold fire drills at regular intervals.
And yet data—which increasingly constitutes the lifeblood of so many companies—is somehow treated differently. According to the U.S. Fire Administration, there are approximately 1.4 million fires a year in the United States. According to PwC, there were 42.8 million cyber incidents in 2014. Despite the fact that a cyber incident is 3000% more likely, many U.S. companies do not have a written cyber breach response plan, and fewer still actually practice one. In fact, according to data recently reported by the Ponemon Institute, nearly half of the companies with a breach response plan have either never practiced the plan, or regularly wait more than two years between practice runs.
If the fire analogy does not hit home, perhaps this will: the number one question asked by regulators after a data breach is whether the target company has an established breach response plan, and, if so, whether the plan was ever practiced in advance of the breach.
Lesson 1: Get Started, Develop a Plan
For companies struggling to navigate the rapidly evolving privacy and data security landscape, the first lesson is simple: just do it. Find time in your schedule to develop a plan and commit it to writing. Bring together internal and external experts, including your IT staff, lawyers, key business leads and executives, outside security consultants, and even insurance carriers, to solicit input from everyone who may be required to respond to a breach.
When drafting a breach response plan, try to balance the need for clear and decisive direction with the ability to maintain flexibility to react to unanticipated events. Your breach plan should be something between a framework and a playbook, addressing a variety of issues, including for example: who should be on the response team; how notice of a breach will be given internally; what immediate internal steps should be taken to minimize the impact of a breach, if any; how to document actions taken by the breach response team; if and when to resort to back-up data to eliminate harmful elements inserted into your system; what other back-end technological responses may be warranted; when to notify the board of the breach; when to contact inside or outside counsel; when to notify an insurance carrier; if and when to notify law enforcement; when to notify customers; how to maintain confidentiality and privilege; how to cooperate with regulators; and how to prepare for litigation.
Understanding the regulatory schemes to which your organization may be subject is key to developing a good plan. Many cybersecurity experts, however, advise clients to focus on complying with standards—like the NIST Framework, PCI DSS, or ISO 27001—rather than spending time trying to keep up with the ever-evolving patchwork of state, federal, and international privacy laws. The rationale for this advice is that privacy and data security industry standards will always outpace and outperform government-created mandates, so compliance with standards should theoretically ensure compliance with laws.
Lesson 2: Test, Revise, Repeat
Once a plan is in place, test it. Perhaps the only thing worse than realizing your company has experienced a data breach is not knowing what to do next. Testing your plan is critical to: ensuring the appropriate people take ownership and are well trained; identifying and correcting any errors or deficiencies in your plan; and updating your plan to ensure it does not get stale as threats and vulnerabilities evolve.
Whether you engage in a full-blown simulation or a simple tabletop exercise, the experience of testing your plan is sure to help minimize risk and ensure better outcomes. It will also demonstrate to regulators that you take cybersecurity seriously, and can help to strengthen your defenses should litigation ensue.
Most valuable, however, may be the training and experience gained by key personnel on the breach response team. Should a breach occur (and particularly in the event of a large-scale breach), people have a tendency to panic. The best laid plans of mice and men often go astray. Preparing people to maintain calm, think clearly, and use good judgment to react to scenarios not expressly presented in the plan will only strengthen the organization’s response and minimize losses in the event of a breach.
Regardless of size or industry, all organizations face an increased risk of cyber-attack. By preparing a breach response plan, and testing it at regular intervals, companies can ensure that, if a breach occurs, they won’t get burned.