Bracing for breaches: plan for the worst

It is said that data breaches can be prepared for, but not prevented. When the worst happens and a data breach occurs, what can an organisation do to mitigate damage?

(Crime Scene image by Yumi Kimura, CC BY-SA 2.0)

The first and arguably most important step in dealing with a data breach is pre-emptive: nominate a "first respondent" to take command when a breach breaks.

"Appoint a team leader to manage and oversee the investigation," computer forensics professional and founder of Inves-te-gate, Scott Mann, said. "The team leader will be responsible for keeping all risk owners and the business informed of the outcomes of the investigation."

That respondent is the person in the hot seat when the breach happens.

Ducks in a row

The second step, also pre-emptive, is to ensure that you have access to the right technical information. Network access rights, logs, content filters, personal accounts, portable storage devices and content management systems are just a few of the many components that an investigator will seek information on.

If you have the correct information it's possible to do a risk exposure assessment almost immediately once a breach has occurred.

"Accounting for all computer devices owned by the organisation is a good first test — if you can't identify all the computers you own or that are connected to your network, there is a good chance that you don't have good visibility of where data assets reside," Mann said.

This information may be hard to come by if the IT shop is outsourced, according to Klien & Co director Nick Klien. "There may be a disconnect between the business and the outsourcer, and between the outsourcers themselves," Klien said.

The third step, once a breach is hit, is to establish contact with outsourcers, suppliers and contractors. Data breaches might have hit your internal systems by compromising a third party that has poor security standards.

Conversely, third parties may be at risk if your organisation has been compromised.

Technical teams should be informed of the type of breach, whether it's an external attack or internal theft and the relevant controls that have been bypassed.

But it is pertinent to keep the breach need-to-know, according to Verizon Business chief investigator Mark Goudie. In an internal breach, a team may need to keep news of the breach and investigation quiet from other arms of the business to avoid tipping off the perpetrator.

"They should keep information to themselves, so they are not tipping off internal staff," he said. "The facts change daily, hourly, [and] they may compromise the investigation if information is leaked outside".

Suspects must be identified, and managers and colleagues interviewed.

"Don't take the person assumed to have committed the crime to be the suspect," said Logica chief technology officer Ajoy Ghosh. "Ask: Why them? What were they working on? What did they have access to and who else may have known about the data that was stolen?"

Document everything

The fourth step is to ensure that a contemporaneous journal of all events and actions is recorded. Mann said that it will help to make incidence response more controlled, consistent and defensible.

There will be enough internal and possible external uncertainty and rumour around the incident, so ensure that any information, statements or decisions made about the incident are supported by legally-obtained or factually-based evidence.

The fifth is to preserve the integrity of the evidence. For this, the first respondent must cordon off the digital crime scene to prevent employees from altering sensitive data trails that are crucial for evidence collection.

"If users have caused change to an asset, and they are not clear of what was changed, then that asset cannot be valued, and that avenue of inquiry is closed," Mann said. "New processes must be followed and that is expensive."

It is instinctive for staff to launch ad hoc investigations into breaches, according to Mann, but this almost always compromises evidence. He said that court cases have failed because of tampered evidence.

The last step is to seek legal counsel. If intellectual property is stolen, then an intellectual property lawyer can help prevent copyright infringement at a later date. Forensics professionals agree that this is an often overlooked component that can bite an organisation years later.