Your business has suffered a data breach. Now what?

Mandiant executives offer insight into how the enterprise can minimize the impact of a data breach both before and after a cyberattack.
Written by Charlie Osborne, Contributing Writer

WASHINGTON, D.C.: It's not a matter of 'if' a business is going to be breached. In today's networked world, it's a matter of 'when.' The Internet has proven to be a catalyst in business growth, but with the expansion of the web, cyberattacks have risen in sophistication and volume to the point where companies are now forced to prepare for the inevitable.

According to the Ponemon Institute's 2015 Cost of Data Breach study, the average cost of a data breach for US organizations is $6.5 million, at an average of $217 per lost or stolen customer record. The more records lost, the greater the financial impact on the enterprise, in both the short and the long term.

It seems that every week we hear of yet another company or organization that has fallen prey to attack -- whether it be Sony, NASA, Ashley Madison or Anthem. While the average consumer may be becoming desensitized to the idea of their data being stolen, it's another matter altogether when it actually happens -- and a change in customer perception is only one possible consequence of a company suffering a data breach.

Speaking at the FireEye Cyber Defense Summit in Washington, D.C., Mandiant consulting directors Jamey Dillon and Jim Aldridge offered advice on how today's enterprise players can minimize the impact a data breach has on current and future business.

According to the directors, security is no longer an IT problem but is instead a business problem -- and as such, executives must have a firm plan in place to recover from data breaches as they occur.

Preparing for a data breach

Recognize the business impact: The first thing executives and members of the board need to ask themselves is how a data breach could impact their business. The potential loss of future business, a bruised reputation, a slide in market share and the cost of fines, remediation and potential lawsuits are only some of the factors associated with a successful cyberattack.

Other consequences, such as changes in customer perception and the need to offer free credit monitoring if records are stolen, are long-term: they can drag on for years and erode the company's potential for growth.

"The consumer remembers," Dillon noted. "They may not be in the know but they remember it, and how they felt about it."

Own the risk: Once a business has considered these factors, the next step is to ask whether the firm is prepared and protected, or even already compromised. According to the executives, today's businesses have to operate through a security lens and determine what data is required to be successful -- and how to effectively protect it.

Compliance with the security controls and practices demanded by regulators only goes so far; executives and decision makers must also weigh network and data protection alongside business needs in every decision, rather than treating compliance as the finish line.

Set a plan in motion: If an enterprise does not have an incident response plan in place, and has not exercised that plan to confirm it works as written, a data breach can be far more costly in the long run. The Mandiant directors say that having an incident response plan, organizing the people involved and assigning roles clearly, and increasing collaboration between internal teams all help a company react quickly to an intrusion and lessen the damage a breach causes.

It is also important for the enterprise to consider whether it makes sense to support an internal security team or outsource to another firm which specializes in network protection.

Either way, planning for the worst-case scenario and including subsidiaries and suppliers in security-based decisions is paramount in creating a solid response plan.

We've been breached: Now what?

Stop and think: When communicating with your incident response team and disclosing a data breach, clear and precise language is paramount. If business leaders are vague or panic, a minor security incident can be blown out of proportion, and word may reach outside parties, which makes containment, and bringing the story back in line with what the evidence actually shows, far harder. "Breach" in particular carries legal weight and can trigger notification obligations; until the facts support it, call the event an incident.

Focus on the evidence you have of a data breach, make sure PR and legal are involved immediately, and work out how best to communicate with customers and the media.

Disclosure: Before declaring a security breach, confirm the nature of the suspected malicious activity on your network and the potential impact of the incident. Document the facts and the next steps the business needs to take, and establish timelines for recovery and remediation. It is also important to clear other tasks from the desks of your incident response team: if they are distracted, restoring the network to a known-good state will take far longer.

Manage and educate stakeholders: In the case of any corporation suffering a data breach, stakeholders will need to be informed. Rather than attempting to scare them, educate them -- and be clear. If you use imprecise language, according to Dillon you are "setting off alarms for executives and legal teams."

Technical findings also need translating into business terms if stakeholders and executives are to share the same understanding of the incident.

When questioned about cyberinsurance and whether companies should consider insuring their businesses against data breaches, Dillon told ZDNet that cyberinsurance represented a "natural maturing of the field," and being insured is likely to be an important component of modern-day protection against threats and their consequences.

Dillon said:

"Customers are shopping around to offset the costs if a data breach occurs. Cyberinsurance helps you with some level of recovery, as well as providing a safety net behind them in the case of a data breach. [However], it tends to cover the investigative costs but not necessarily remediation costs."

Enterprise players also have a responsibility to stay current in the realm of cybersecurity. Threat actors constantly refine their techniques, malware and infection methods grow more sophisticated, and nation states are now in the game. Proactive rather than reactive security is necessary to keep a business as safe as possible from long-term ramifications, but in the meantime, the steps above are a good place to start.

Disclosure: FireEye sponsored the trip to the Washington cybersecurity summit.
