Surviving a Breach

The Target breach is making many in the IT security field take a closer look at their company’s information security and compliance practices. I’d like to share here some of the questions and answers from a recent media interview looking at “How to Survive a Breach.”

1. Are most companies prepared for a cyber breach?

We find that many companies are not fully prepared to detect and respond to a breach. Companies that have not implemented a well-thought-out and documented logging and monitoring program cannot detect a breach – and hence will not be able to react proactively. This leaves the company in a high-risk position, in that it will have to react to notifications from its partners, vendors and customers (not very proactive).

During the Target breach, a monitoring system detected the breach. However, the alert was not acted on because the system was not fully implemented.

For incident response, companies that are highly regulated are better prepared than companies that are not. It should be noted that companies that capture, process and store customer Personally Identifiable Information (PII) are required by most states to have incident management processes in place to notify customers of breaches. Most companies do not appear to be aware of the state requirements, and therefore handle breaches in more of an ad hoc fashion without having any formally documented incident response policies or plans.

2. What can a company do to prepare itself for a cyber breach?

The first step is to establish and implement the ability to quickly detect a breach, with a strong Logging and Monitoring Program.

The next critical item is to establish and implement a process to react to identified security events, escalate to executive management, and notify customers, media and partners as appropriate.

3. Who should be in charge of managing the Incident Management Program?

There are many types of incidents (e.g., disgruntled worker with a gun, bomb scare, cyber breach) and there are many groups within a company that should be involved with the different required decisions that come up over the course of an incident. The program should define a core cross-functional group responsible for the overall process, generally including:

  • Executive Management
  • Legal
  • Public Relations (for controlling media attention)
  • Information Security
  • Information Technology (for technology-related incidents)
  • Human Resources (for personnel-related incidents)
  • Facilities (for facility-related incidents)

A single group should champion the incident management process to ensure that:

  • General staff are educated about identifying and reporting suspicious events
  • The process is adequately documented and readily available to the members of the incident response team, which may be different for each incident
  • Staff (that would be selected to address an incident) are trained in the incident response process

4. What are the general compliance requirements associated with an Incident Management Program?

The Payment Card Industry Data Security Standard (PCI-DSS) mandates:

  • Security incident response and escalation procedures
  • An incident response plan
  • Annual testing of the incident response plan
  • Personnel be available 24/7 to respond to alerts
  • Training on breach response responsibilities
  • Linkage from security monitoring systems
  • A process to evolve the incident response process

The Health Insurance Portability and Accountability Act (HIPAA) mandates:

  • That a security incident process be in place
  • A documented set of procedures to identify, respond to, mitigate, and document security incidents and their outcomes
  • That a breach notification process be in place to notify impacted individuals, the media and the Secretary of DHHS upon the discovery of a breach of Protected Health Information (PHI)
  • That the company enforce a breach notification process over its business associates

Financial institutions that must comply with the Gramm-Leach-Bliley Act (GLBA) must implement response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.

5. What will a breach cost a company, in terms of money, reputation, and continued ability to do business?

I would point to the Ponemon Institute, as they provide numerous studies on the impact of breaches. For example, a couple of weeks ago, Ponemon published the Fourth Annual Benchmark Study on Patient Privacy & Data Security.