Developing a Data Breach Incident Response Plan

Major cyberattacks hit North America in 2019, including the Capital One breach, which affected approximately 100 million individuals in the United States and nearly six million in Canada. These attacks are not going away anytime soon, and they are getting more sophisticated and harder to track, so every organization should at least have the right incident response plan in place.

The average loss from a cyberattack comes out to about $120,000, which can be a minor dent for a major company or the entire financial position of a smaller business. No matter the size of the company, having an incident response plan in place, along with coverage arranged through a data breach insurance broker, should be on every company’s list of priorities heading into the new decade.

Here are some tips to consider when developing a new data breach incident response plan.

What Is a Data Breach?

First, it’s important to go over the basics. A data breach occurs when private, secure, or confidential information is released into an untrusted environment. Data breaches are usually intentional and carried out by cyber criminals, but they can also be unintentional, caused accidentally by unwitting employees. And although data breaches vary in severity, they almost always reveal some weakness in how a company is organized.

A company should decide how the severity of an incident will guide its plan of action. A small phishing email scam may not need a multi-level response, whereas a large-scale attack that holds millions of dollars for ransom should involve many different approaches.

Response Steps

  • Analysis: A company’s IT team should review the logs from vulnerability tests and any other records of abnormal activity. Companies should look at which systems were attacked, where the attack originated, and how far it progressed. Establishing these basic facts will clear up as much confusion as possible.
  • Containment: This step buys the company time to decide on next steps after gathering information. It also limits the spread and impact of the breach in real time. The IT team should focus on isolating the affected system where possible and on preserving a backup for any forensic investigation.
  • Communication: Everyone on the Incident Response Team should be alerted, including IT, HR, Legal, and Operations representatives. This is also the point at which companies should consider contacting law enforcement, third-party vendors, the public, and stakeholders.

Timely Efforts

In general, a company has 72 hours to get its communications out to the public and the authorities. A response plan should include a detailed cyber crisis communication plan that specifies who the point of contact is in case of an incident, what message will be conveyed, and who has the authority to communicate on behalf of the company.

  • Clearing: All systems should be scanned for malware. Isolate and disable every account and component affected by the attack, and remove all system access for any suspect employee logins. Companies should be proactive: change passwords, apply any outstanding patches, and reconfigure firewalls.
  • Post Analysis: Recovery from an attack may take a while. In the meantime, companies should examine their options for moving forward, including any changes to policies, procedures, or equipment in use. This is also a good time to review how effective the response plan was and make adjustments for future attacks.