As data breaches continue unabated, companies need to have a proper incident management plan that involves open and prompt communication with affected stakeholders as well as taking steps to ensure that there will not be a repeat, industry watchers urged.
The trend is unlikely to be arrested anytime soon. Steve Durbin, global vice president at the Information Security Forum, said in an e-mail that "it is somewhat inevitable that data breaches will continue to occur". In this light, organizations need to understand "how best to deal with such an eventuality", he pointed out.
According to him, organizations need to have an "integrated incident management plan", one which is linked to crisis management and covers technology as well as public relations.
"This should be a part of an organization's infosecurity governance and should be planned and rehearsed regularly," Durbin pointed out.
He also said data breaches are becoming less of a security issue and more of a business one as companies are likely to suffer from reputational damage and lowered shareholder confidence, not to mention any legal and regulatory liabilities that may arise, from these attacks.
Prevention no longer a cure
Gerry Chng, advisory partner at Ernst & Young Advisory, concurred. The consultant observed that organizations have traditionally placed "a lot of emphasis on preventive controls to mitigate the risk of compromising sensitive content" such as customer data and corporate intellectual property and strategies.
However, the preventive approach--while still an integral aspect of information security--is no longer enough in the context of advanced persistent threats and state-sponsored attacks, he stressed in an e-mail interview.
"An incident investigation and response program is critical to data breach recovery and business continuity," said Chng.
Such a program would require the active involvement of business, IT, information security and other corporate functions, he noted. When initiated, the key actions should include open communication with affected stakeholders, ensuring business as usual and keeping a "chain of custody for handling digital evidence" according to relevant legal requirements.
Durbin added that the incident response program must be driven from the top, preferably with a board-level executive appointed to be accountable for the organization's cyber crisis management. "[This representative should be] someone who understands both the business and technological implications. If not a deep technologist, this person needs deep technology input as well as strong business understanding and relationships," he elaborated.
However, Graham Titterington, principal analyst at Ovum, argued that most data breaches are disasters not in the operational continuity sense but from a business standpoint. This is because most organizations don't stop operations after a breach, "unless the business deems it wise to close down operations to prevent further breaches", as in the case of Sony, which shut its PlayStation Network in April and only resumed it fully last week.
"Putting [data breaches] in the disaster recovery plan implies that you can foresee what disaster may occur and, in that case, you should be fixing the problem, not writing recovery procedures!" Titterington pointed out in his e-mail.
That said, businesses should conduct a comprehensive risk analysis to "identify any foreseeable problems and determine how much effort should be put into preventing any such problems", he added.
Timely outreach crucial
For Titterington, good communication with stakeholders is the key requirement in resolving a major security breach, apart from dealing with the specific vulnerability that led to the breach.
Organizations involved in a major security breach not only need to be open and honest, but prompt in notifying those likely to be impacted, he explained. To minimize damage, whether in terms of financial cost or reputation loss, companies should also be "able to show that improvements are being made and that the incident is not likely to be repeated". In addition, third party security audits and compliance with regulations should be ongoing "in the background", the analyst said.
At the end of the day, actions taken are meant to minimize damage to an organization, because in any major data breach, the business will suffer financial costs as well as reputation loss, he pointed out.
Communication was also cited by Steve Elefant, CIO of Heartland Payment Systems, as a key element of the company's response after it discovered its systems had been breached two years ago.
According to DataLossDB, Heartland Payment Systems, together with Tower Federal Credit Union and Beverly National Bank, hold the dubious honor of being victims of the biggest data breach incident in history, with some 130 million records compromised.
In an e-mail interview, Elefant told ZDNet Asia that following the disclosure of the breach on Jan. 20, 2009, the entire company was mobilized and worked around the clock to notify and address concerns from various stakeholders--employees, merchant customers, investors, industry and the media. The "immediate one-on-one outreach" with its 250,000 merchants and business locations was the most crucial aspect of its response program, he noted.
Other steps the organization took included the launch of the 2008breach.com Web site for easy access to information relating to the compromise, as well as expediting the development of its E3 end-to-end encryption technology to help protect the payments ecosystem, including merchants, consumers, banks and financial institutions.
In addition, the company saw "an apparent need for industry collaboration and better information sharing" on data breaches, Elefant noted.
"If Heartland had known about how those attacks were executed, it would have been able to better protect itself against the attack on its system," he said. "For this reason, Heartland was the driving force behind the creation of the Payments Processor Information Sharing Council (PPISC)."