Posted by: Kevin Beaver
Are you prepared for the inevitable? Odds are it’s merely a matter of time before your business experiences a computer security-related breach, so you need a solid data breach response plan. How are you going to handle the situation? Especially if you’re a smaller business, your IT resources are probably minimal. But even your outside resources might not have the expertise to help when you’re in a data security bind. In today’s connected world, there’s a lot that can go wrong when it comes to technology.
Before the bits hit the fan, you need to understand what a breach really means to your business. What it means depends on the industry you’re in and the contracts and compliance regulations you’re held accountable for. Regardless of the type of sensitive information that’s exposed (credit cards, Social Security numbers or intellectual property, for example), you need to define what a “breach” means for your company so you’ll know when to enact your incident response plan. It might be a malware infection, a defaced website or a lost laptop. You also need to remain aware: Data breach statistics show that someone else probably will notify you before you even know about the breach.
Once you do discover a breach, your data breach response plan should allow you to respond quickly and wisely. You can’t just restore a system from backup or sweep a loss or theft under the rug. You’re going to have to dig in deeper to see what actually happened (for example, by hiring a forensics expert, calling law enforcement or bringing in a technical resource to help), and determine any additional steps you might need to take. These include how you will pursue the culprit and how you will notify the affected parties based on what the data breach notification laws require.
Going forward, be smart about how you address the breach. That’s what regulators, business partners and customers (and their lawyers) are going to be looking at. Don’t expect perfection — but you do need to keep good notes on what has been done already, what you plan to do to remediate the problem and how you’ll prevent it from recurring.
Perhaps most importantly, get your lawyer involved. Even if he’s not tech-savvy, he needs to know about the data breach laws, the compliance regulations you face and how the breach affects your existing contracts.
In other words, don’t just react — respond. Being prepared is the best way to not drop the ball on incident response. When it comes to computers, business applications and sensitive information, something is bound to happen — eventually. This is true regardless of the size of your business. Even if you think you’re not a target or at risk, you are.
An employee is going to lose an unsecured smartphone — even though policy mandates that all smartphones are to be password-protected and that no business information should be stored on them. A contractor is going to lose an unencrypted backup tape — even though your contract says that all media shall be encrypted and transported securely via a third-party service. A cloud provider is going to overlook a SQL injection hole in their system — even though they passed their SAS 70 or SSAE 16 audit with flying colors.
When you prepare for the inevitable with a data breach response plan, you can respond to these problems and more in a professional way, and minimize the impact on your information systems. This should be your ultimate goal.