The goal of an incident response plan is to address a suspected data breach in a series of steps.
Let’s look at each phase in more depth and point out the items that you need to address.
This phase is integral to your incident response preparation and is the most crucial step in protecting your business. Part of this plan includes:
Your response plan should be well documented, thoroughly explaining everyone’s roles and responsibilities. The plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they’ll make critical mistakes.
This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas. Having access to a breach coach and forensic specialists is important here. Involving counsel should be considered in order to maintain privilege and confidentiality where possible.
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.
Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system backup to help restore business operations. That way, any compromised data isn’t lost forever.
This is also a good time to update and patch your systems, review your remote access protocols (making multi-factor authentication mandatory), change all user and administrative access credentials, and harden all passwords.
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means you should securely remove all malware, harden and patch your systems, and apply relevant updates.
Whether you do this yourself or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing valuable data, and your liability could increase.
This is the process of restoring affected systems and devices and returning them to your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
Questions to address
Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.
Insurance carriers will often ask about “lessons learned” during the underwriting process.
No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterwards.