Responding to a Data Breach (Part Two)

How Immediate Response to a Data Breach Improves a Company’s Ability to Regain Trust, Rebuild, and Thrive

Dealing with a data breach is a complex process. In many cases, companies experiencing a breach do not know what they will find. They will have trouble assessing how much damage has been done to their infrastructure, their bottom line, their ability to continue providing services, solutions and products, and, most of all, their reputations. In this second of three articles, LIFARS, LLC. and FORTRESS STRATEGIC COMMUNICATIONS, LLC. look at how companies can effectively respond to database breaches.

2015 was a busy year for data breaches and Forbes Magazine (December 31, 2015) highlighted a few of them:

1. Anthem – 80 million patient and employee records compromised
2. Ashley Madison – 37 million client records compromised
3. Office of Personnel Management – 21-25 million federal workers records compromised
4. Experian/T-Mobile – Records of 15 million people compromised
5. Premera BlueCross BlueShield – 11.2 million subscriber records compromised
6. LastPass – 7 million users compromised
7. CareFirst BlueCross BlueShield – 1.1 million records compromised
8. Kaspersky – multiple customers affected by the compromise
9. Hacking Team – million emails compromised
10. Slack – 500,000 email addresses and other personal account data compromised

Data breach detection requires an immediate response. Having the appropriate steps in place with a policy, procedure, or guideline set is important and can greatly reduce time. Often, however, this isn’t the case until after a breach is suffered. Additionally, having tools and trained staff is another overlooked but greatly helpful component of the breach response strategy.

• The first step is to identify the situation. Often this means having the user step away from the keyboard and calling IT immediately. IT will then look into the issue and act as a filter before escalation. Usually it is a false positive or something minor that is not a breach, but once the severity has been determined, and the affected machines are known, then the Immediate Response Team in conjunction with an IT security team member should begin documenting everything they can, as well as saving files and collecting logs. This includes descriptions of the user and the actions they have taken, times, what is on the screen, what immediate actions were taken, and any additionally relevant information that they think is important and then escalating that to the relevant parties. Often this is just an IT manager, but it can include the security staff as well. The goal is to ensure that all immediate steps have been handled properly before moving to the organized response. The key factors that the immediate response team will look for to determine if a breach occurred include external connections that have been established to unknown destinations, data loss or corruption, apparent or suspected remote control, downloading files or suspicious objects, and any anti-virus or other alerts.

• More often than not, incidents are outside the scope of the experience of many IT teams, even those in IT security. In many cases, companies have external technical teams placed on retainer for advice, or for immediate response to lend specialized expertise to the ground forces. It also helps companies to have the additional technically trained IT security staff who are appropriately skilled, as most IT teams are not able to handle the additional workload of a breach while simultaneously maintaining their day-to-day jobs.

• Once a situation has been determined, the next piece is to find out who is involved in the response, both from a non-technical and technical perspective. In many cases, this will be legal and the IT security department if it exists. Sometimes, it can involve C-Level executives, directors or the like who need to make the decision on killing a connection or keeping customers online. This is determined by weighing the costs of down time to lost revenues, cleanup time, customer trust, and business responsibility (as in SLAs). This step is extremely important and often forgotten, and if the response is improper it can have serious consequences. One example is an IT technician wiping a “routine virus” that has actually exfiltrated PII or PHI and not investigating further. This will most likely end up with lawsuits against the company for negligence or maintenance of improper security standards.

• The next step is an attempt in containment. Once the proper parties, such as legal, business, and of course IT security have determined the scope and the nature of the breach, response may begin. Sometimes this occurs beforehand, usually by disconnecting the network cable or shutting down if data destruction is a risk, but such identification requires training. Containment’s goal is not to remove the infection but to stop its spread, both from the outside and from internally. Often this is not done and lateral movement, the movement of traffic within the network from host to host as opposed to in and out of the network, overwhelms a team as the attack vector spreads.

• Once containment is completed, the next objective is to determine indicators of compromise, data that was targeted, and potential motives and methods of the attack. This will help with classifying the attack and giving an appropriate response. Determining the motive can help understand what the goal was and give hints on how to find other areas of infection.

• A preliminary response to this must be created and deployed. This involves the actual cleaning of the machines to a working order and removing the malware. It is to remove as much of the attack as possible before beginning the remediation phase and preventing further spread.

• Bringing systems back up that were taken down requires careful planning. Any immediate security concerns should be addressed and remediated. These machines need to be cleaned and it must be ensured that they are ready for redeployment; otherwise, they may need to be scraped and made fresh again. While this is painful, it can help keep the environment secure and be a good excuse to move to more up-to-date systems.

Crisis communication becomes critical as soon as the company is aware of a data breach and activates the Immediate Response Team. The affected company needs to get out in front of the news and establish itself as the primary source of trustworthy information. A proactive crisis management perspective allows a company to control the messaging to the greatest extent possible. Of course a company cannot control how others may spin or spread the messaging, but the more it communicates clear, straightforward information of value, the better the chance of a positive outcome.

In the wake of a data breach, a company should focus on the following four strategies:

1. Activate the crisis communications and management team. Some believe that the crisis team should only be activated if it looks likely that a data breach will have a major impact on the company. This approach is not recommended. The crisis team should be activated whenever a critical event or a non-critical event that could potentially cascade into a full crisis is identified. As soon as an initial assessment determines the threat the breach poses, the team should be activated. All team members should have predetermined roles and responsibilities to enact per the crisis plan (see part one). To do their job properly, the team will need access to accurate, regularly updated information.

2. Gather information. Immediately after the alarm is raised about the data breach, the company should gather as much information as possible about what happened. This important process will impact how it manages the crisis, formulates messaging, and communicates to keep all parties updated and trusting in the business, its reputation, and its leadership.

As soon as the Immediate Response Team conducts a preliminary assessment of the data breach and its potential impact and damage (if possible), this initial evaluation must be sent to the crisis communications team so they can create the necessary messaging to proactively communicate with the company’s stakeholders. Time is of the essence. In most circumstances all the facts will not be known at first. While this is normal and not a cause for alarm, lack of information must not be allowed to slow the communication process down. As new facts are gathered, they can be passed on to the crisis communications team for dissemination, provided the information is not sensitive and/or should not be divulged to the public as requested by law enforcement.

3. Communicate honestly, openly and widely. All parties, both internal and external, should receive the same messaging and information to ensure complete and absolute message uniformity.

Information used in the messaging must be based on what is known at the time. This is why it is so important to hold regular internal briefings among the IT team, crisis communication, and management team, executive management, and all external consultants and industry partners brought in to help address the unfolding crisis.

Messaging must include critical information that will answer media and stakeholder questions. In addition, the messaging should be completely open and honest and tell people what happened, how it was discovered, what was impacted, what the implications are for stakeholders, and what the company is doing to help those impacted. The company should communicate specific steps it will take to safeguard customers’ interests, demonstrate that it understands the risks stakeholders face, and show that it has their best interests at heart.

While employees need to receive the information before it is disseminated to media and stakeholders, there should not be a significant lag time between internal and external communications. Companies must anticipate that their messaging will be leaked to external parties, which is why messaging uniformity is so crucial.

A core part of the communication process is to show that the company is open for communication by telling customers, stakeholders, the media, and individuals and companies directly and indirectly impacted by the crisis how to contact the company. People want to know that they can speak to someone for the duration of a crisis and thereafter. Giving parties a telephone number to call where they can speak to a real person can diffuse frustration and anger and minimize inclinations to rant and rave on social media or in the press. The company spokesperson should be available for media interviews at every possible opportunity.

Companies should leverage their social media assets with three objectives in mind: to proactively disseminate information, drive people to their website for more information, and monitor what is being said about the breach.

Regular updates are essential. Businesses need to frequently update their websites with new information, instructions, and news. Reliable updating helps prevent massive speculation and creates a sense of situational control. In certain cases, companies may need to adjust or curtail regular marketing activities to focus on the crisis.

4. Monitor and respond. Forward-thinking companies invest in reliable media and social media monitoring services or applications before a crisis hits. These tools measure social sentiment, provide critical intelligence, and allow companies to see what aspect of the data breach the media is covering and how various venues are portraying the company. Media monitoring applications provide companies the opportunity to respond to incorrect statements and rearticulate or change their messaging–all while remaining truthful and open–so that it better resonates with stakeholders.

In severe crises, the overwhelming volume of communication on social media platforms coupled with multiple stories in local, regional, and national media make effective technology-based monitoring and response solutions indispensable.

The way a company responds to a data breach, coupled with the messaging it transmits and the processes it puts in place to ensure that the crisis will never repeat itself, can determine its future viability and reputation value. Despite having the best plans available, a company can only walk away from a crisis with at least a portion of its reputation intact if it optimally handles the actual crisis management effectively.

In the next and final article, we will look at how companies can regain customer and stakeholder trust, and how they can best rebuild their business in the event they are hit by a data breach.

— ENDS –—

Additional reading:

Please click on Data Breach Readiness to read part one in this series of three articles. You can also click on Data Breach Reputation Management if you would like more information about the impact of data breaches on a company’s reputation.

###

Fortress Strategic Communications provides specialized strategic public relations and crisis communications consulting to startup, medium and large companies that offer products, services, and solutions designed to manage and mitigate all types of risk. For more information please visit: www.fortresscomms.com or contact us at– [email protected] or 315 744 4912

LIFARS helps businesses defend their networks and reputation by providing elite cybersecurity solutions with military-style Incident Response and Digital Forensics. Through decades of hands-on experience with high-profile cases, we are uniquely positioned on the cybersecurity battlefield and our mission objective is clear: protecting your business. For more information please visit: www.LIFARS.com or contact us at- [email protected] or 212 222 7061