Given that large enterprises with the most advanced IT security defenses in the world suffer major data breaches, no organization should assume it could never happen to them. Sure, these are high-value targets, but a growing number of hackers are going after smaller companies with weaker defenses. Organizations should always operate under the assumption that a data breach will happen.
A disconnect in IT management is one of the primary reasons why many organizations are at risk, according to a recent IDG survey. When IT and cybersecurity are managed separately, the biggest consequence, according to survey respondents, is a slower response to security events. This creates a greater risk of data loss and prolonged downtime, and makes it more difficult to get to the root cause of what happened and address the problem. Poor management also drives up security costs.
Preparation and communication are critical if you want to reduce the risk and cost of a data breach. Not only do you need to take steps to prevent a breach, you also need to assume it will happen anyway and develop an incident response plan. Incident response refers to the actions taken after a security incident to limit the damage and minimize business disruption. Every organization should have a documented incident response plan so that these situations are handled in a way that allows you to resume normal operations as quickly as possible.
Developing an incident response plan begins with assigning roles and responsibilities. Someone has to own the development of the plan, communicate with managers, lawyers, human resources, etc., and assign specific roles so incidents are properly managed. Once roles and responsibilities have been delegated, define your organization’s risk tolerance. What data, applications, systems and business functions are critical? Focus your efforts on these areas and determine how long you can afford to be without them.
The next step is to classify and prioritize types of incidents based on the level of risk they create. For example, a data breach that compromises sensitive customer data is a high-risk incident. For each incident type, establish procedures for those involved to follow. This includes procedures for reporting the incident and for containing, investigating and remediating the threat. You also need to define recovery point objectives (RPOs), the maximum amount of data loss you can tolerate, and recovery time objectives (RTOs), the maximum downtime you can tolerate, and develop the appropriate backup and recovery strategy.
Finally, put a process in place for documenting and analyzing each incident to reduce future risk. What caused the breach? Was it preventable? Were systems restored according to RPOs and RTOs? If not, why? Are any security capabilities lacking? Is additional training necessary? An incident response plan should be continually evaluated and tested.
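As an added example (not code from the original post), the following Python check answers the review question of whether each critical system was restored within its RPO and RTO. The incident records, system names, times and objectives are constructed assumptions; an open incident that has not been restored yet is tracked separately from a late restore.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RestoreRecord:
    system: str
    rpo: timedelta                 # maximum tolerable data loss
    rto: timedelta                 # maximum tolerable downtime
    incident_detected: datetime
    last_good_backup: datetime     # newest backup known to be clean
    restore_completed: Optional[datetime] = None  # None: still down

def evaluate_record(rec: RestoreRecord, as_of: datetime) -> dict:
    """Measure one system's actual data loss and downtime against its objectives."""
    data_loss = rec.incident_detected - rec.last_good_backup
    restored = rec.restore_completed is not None
    # for an open incident, downtime keeps growing until the review time
    downtime = (rec.restore_completed if restored else as_of) - rec.incident_detected
    return {
        "system": rec.system,
        "data_loss_hours": data_loss.total_seconds() / 3600,
        "rpo_met": data_loss <= rec.rpo,
        "downtime_hours": downtime.total_seconds() / 3600,
        "restored": restored,
        "rto_met": restored and downtime <= rec.rto,   # only a finished restore can meet it
        "rto_exceeded": downtime > rec.rto,            # late restores and overdue open incidents
    }

def evaluate_all(records, as_of: datetime) -> list:
    return [evaluate_record(r, as_of) for r in records]

def misses(report: list) -> list:
    """Systems that lost more data than the RPO allows or stayed down longer than the RTO."""
    return [r["system"] for r in report if not r["rpo_met"] or r["rto_exceeded"]]

# Constructed sample: one incident on 2024-03-01 affecting four critical systems.
def at(h, m=0): return datetime(2024, 3, 1, h, m)
SAMPLE_RECORDS = [
    RestoreRecord("customer-db", timedelta(hours=1), timedelta(hours=4), at(10), at(9, 30), at(13)),
    RestoreRecord("order-api", timedelta(minutes=15), timedelta(hours=2), at(10), at(9), at(13, 30)),
    RestoreRecord("file-share", timedelta(hours=24), timedelta(hours=8), at(10), datetime(2024, 2, 29, 2), at(15)),
    RestoreRecord("reporting-svc", timedelta(hours=4), timedelta(hours=12), at(10), at(8)),  # still down
]
AS_OF = at(16)

if __name__ == "__main__":
    print("objectives missed:", misses(evaluate_all(SAMPLE_RECORDS, AS_OF)))
```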
One part of incident response that is often overlooked is communication with customers. If customer-facing systems are down, customers need to know. If customer data has been compromised, they need to know. Offer to help your customers understand and deal with the situation. It’s a good idea to disclose a breach to customers even if it has no direct impact on them. The more proactive and transparent you are, the less impact a security incident will have on customer perceptions of your company.
The SSD Assurance managed services program not only helps small to midsize businesses monitor and manage their IT environments but integrates robust security tools to detect and respond to threats as quickly as possible. Let us help you develop an incident response plan to protect your most valuable assets, including your reputation.