The do's and don'ts of data breaches

Second in a series of stories on key security issues being discussed at The Security Standard event on Sept. 10-11 in Chicago.

Believe it or not, a data breach isn’t the worst thing that could happen to your organization. Reacting poorly to the incident could be, however.

Experts agree every organization that stores personal or financial information about customers, partners or employees, or that has intellectual property in electronic form should be considered a target — that’s arguably just about every organization doing business. Instead of assuming data breaches happen only to large financial services companies or retailers, companies large and small in every industry should be prepared to react to help minimize damage and quickly restore customer confidence, they say.

“It makes all the difference in the world” if a company is prepared to respond to a data breach or other type of cyberintrusion, says Tom Bowers, managing director of Security Constructs, a security services firm based in Philadelphia.

Here is a list of what companies should do and what they should avoid doing in the case of a data breach, besides putting a computer-emergency response team in place to react to such incidents (see “How to create a computer-emergency response team”).. The list is compiled from interviews with consultants and security experts who have had to deal with these incidents or who have been called in to help companies immediately following an attack:

DO confirm and contain the problem.

This seems obvious, but in the stress and confusion of the moment, the importance of knowing exactly what happened can get lost. Once evidence of a potential data breach has been uncovered (customers complaining of fraud alerts on their credit cards, server logs showing unauthorized access to sensitive data, and so forth) security professionals should work with the IT team to determine whether a breach happened and how it happened, and to fix the weakness if possible.

“You need immediate containment; that’s where the network and system folks jump in, and you need to let that team do its job,” says Ed Zeitler, executive director of the International Information Systems Security Certification Consortium (ISC2) and former CISO of Charles Schwab.

DON’T contaminate the crime scene.

Decide whether the IT team can plug the security leak without modifying the computers from which the data was stolen; if not, call in security experts — preferably a company you have hired beforehand and have put on retainer to help in case of an incident. While this may delay reacting to an incident, it could help your company down the road.

“Often we see [an incident] could be an open-and-shut case, but the company muddied up the crime scene and so law enforcement won’t achieve prosecution,” says Bryan Sartin, vice president of investigative response with security services provider Cybertrust, which in May Verizon Business announced plans to acquire.

DO communicate with and rely on other departments.

You don’t want legal counsel involved to the point that they are combing through log files, but security professionals who alert other key departments — legal, compliance, human resources, public relations, marketing and of course, the executive team — will put themselves on a better footing if they alert key departments in the breach’s early stages, rather than at a point that could be construed as after-the-fact.