By Joe Dysart
We’ve Been Hacked!
What To Do When the Unthinkable Occurs
While hackers regularly make digital corpses of computer systems run by global giants and mom-and-pops alike, the hard fact is that few businesses have a plan in place to handle a cyber break-in.
“Organizations in most business sectors do not have an actionable incident-response plan focused on a data breach—or they have a plan that is printed and filed away and they can’t find it when a crisis incident occurs,” said Mark Greisiger, president of NetDiligence (www.netdiligence.com), a firm specializing in cyber security and data-breach resolution.
Don’t let that disaster story be yours. According to service providers specializing in mitigating data breaches, you can minimize the damage that a hack can and will do to your company’s system, business and reputation by putting together an incident-response plan before a breach even happens.
“It’s a turbulent time for all industries with sensitive data, with companies of all sizes becoming targets for cyber attacks,” said Jeremy R. Henley, vice president of breach services for ID Experts (www2.idexpertscorp.com). “While you can’t stop breaches 100% of the time, you can be better prepared.”
Below are the key components every incident-response plan should have, according to the experts.
Bring in Your Legal Team the Moment You Begin Planning an Incident-Response Plan: “We recommend working hand in hand with legal counsel and enlisting outside counsel before a breach occurs in order to help mitigate risk, meet legal requirements, tailor your response, and help preserve your company’s reputation,” said ID Experts’ Henley, and Michael Bruemmer, vice president of Experian Data Breach Resolution (www.experian.com/blogs/data-breach), agreed.
“Attorneys, much like other outside partners, should be engaged well before a breach even occurs,” Bruemmer said. “With the increased action by attorneys general and other state regulators, companies need to be up to date and aware of the growing risk of legal action that can occur when a breach takes place.”
Getting legal help even before an incident occurs also enables your company to stay current on changes in any laws and regulations regarding companies that have been hacked, Bruemmer added. And an attorney consultation prior to any incident also enables you to be ready for pressing concerns such as how quickly you need to inform your customers about a cyber break-in, how much info you’ll need to release about the break-in and what your responsibility is if a key vendor of your business is hacked.
Currently, the laws on such requirements vary state-to-state, so you’ll need an attorney who knows your state’s laws cold to respond to those and similar concerns with confidence, according to Bruemmer.
Put Together the Facts: There’s a good chance that attorneys from other businesses are going to want to look at how you handled your data breach, so you’ll want your IT person to take an image—and a backup image—of all computer systems impacted by the hack. Ideally, you’ll also want your attorney advising your IT department on this process.
Make an Initial Damage Assessment: Here, you’ll want to determine if the hack was benign or malicious, see whose data on your systems was impacted and determine which data in particular was impacted, such as names, social-security numbers, etc.
Document Everything You Do: Again, outside attorneys from other businesses and perhaps even government officials may want to look at how you handled fact-gathering and assessment, so document every aspect of the fact-gathering process, including who was involved in the process and how.
Do a Deep Analysis of the Damage: Have your IT person meet with your attorney to determine if the data breach legally requires your company to officially notify owners of the data breached. Then also consult with marketing and PR for their take on whether or not your company should inform them, even if you’re not legally required to.
Get Your Attorney to Sign Off on Liability: During the deep-analysis phase, have your attorney check on the latest legal requirements regarding data-breach responses. Besides federal laws, 47 states and three U.S. territories have their own laws on how breaches should be handled, according to ID Experts’ Henley.
Prep for Burden of Proof: Federal and state regulators may want to see why you made the decisions you made regarding how you handled your breach. So verify with your attorney at this stage that you can prove due diligence and regulatory compliance.
Assemble Any Outside Help You Require: In addition to your own attorney, you may want to bring in a second attorney who specializes in data breaches. Also, bring in any other legal help you think you may need as soon as possible to establish attorney/client privilege.
You also may want to hire a PR firm to handle any backlashes, and bring in extra people to handle calls to your call center. Or you may want to hire a data-breach response vendor that can offer many of these services under one roof.
You also may want to hire an outside firm such as ID Experts, which specializes in handling every facet of your data-breach response.
“Our primary role is to offer data-breach response and resolution software and services to manage data breaches of all sizes,” Henley said. “Our team works closely with companies to manage every aspect and phase of a data-breach response. We coordinate with outside counsel, breach coaches and cyber insurance carriers. We provide digital forensics investigation and analysis to help contain the damage, determine the scope of the breach and plan the best response.
“Handling a data breach internally versus bringing in an outside expert is like car repair. Just because you’re a handy person and can rotate a car’s tires and change the oil doesn’t mean you have the qualifications to repair a car after a major collision.”
Experian’s Bruemmer agreed.
“Many of the most common data-breach response failures surround communication mistakes,” he said. “For example, divulging information to the public too soon when all of the facts of a breach are not known. This is where having experts to guide your communications efforts can be instrumental in saving your business from further reputational damage.”
Added Aloysius Tan, product manager for Advisen, a market research and consulting firm for the insurance industry: “For organizations that lack the resources, full-service breach-response vendors can help. Respondents are most interested in help with forensics, protection services, pre-breach services and call center.”
Create an Incident Notification Letter: By law, you may be required to inform all parties affected by the breach via U.S. Mail and/or email. Put this notification letter together and have your attorney look it over, of course. And be sure that you’re in compliance with federal and state laws in terms of how you verify the addresses of all the parties that should be contacted. The letter should include details about the breach, how your company contained it, any information regarding your plan to continue the investigation of the breach, and the remediation you’re offering to impacted parties.
Consider Reaching Out in Other Ways: Some breached companies also establish a special website to handle questions and concerns about the data breach. And some create special call centers for the same purpose. Federal and state law may also require you to notify the Department of Health and Human Services, the Federal Trade Commission, your state attorney general and the state attorneys general of the impacted parties.
Consider Offering ID Protection, Credit Protection, ID Monitoring and Credit Monitoring to All Impacted Parties: To minimize problems, encourage impacted parties to be proactive about protecting their identities. Currently, only Connecticut requires hacked companies to provide free credit monitoring to customers impacted by a breach, according to Experian’s Bruemmer. But he said that offering free credit monitoring for a year is seen as a good business practice, given that the vast majority of states require hacked businesses to notify their customers of a computer break-in.
“Once consumers are notified, the general expectation by the public is that the company will provide impacted customers with some sort of protection,” Bruemmer said. “While not universally required, the reputational damage for not providing these services would be detrimental to an organization.”
Offer Enhanced Help to Parties Whose Data Has Been Plundered by the Hack: Some firms even go so far as to offer identity-recovery services to parties whose identities have been stolen as a result of a hack, including resolving disputes and filing complaints.
Test Your Incident Response Plan: “There are a few ways to do this,” said Jeremy R. Henley, vice president of breach services for ID Experts. “Initiate a mock breach where you call IT and say your laptop was stolen and you think it had 500 patient records on it, including social-security numbers and health-insurance numbers. See how your incident-response team responds.”
Another option is to have an expert come in and run through your breach response live.
“The benefit of this approach is that the outside perspective and feedback may be more useful to help your organization refine your incident-response plan and educate your executive team,” Henley said.
Added Experian’s Bruemmer: “It is vital to revisit and revise your plan regularly to take into account not only internal company changes but also changes in the breach landscape when it comes to new threats. Lastly, it is vital to conduct drills at least twice per year and practice a response.”
Here are some additional resources you can use to put your plan together:
- Experian Data Breach Response Guide: (http://bit.ly/2c4kvZy).
- ID Experts Breach Response Resources: (www2.idexpertscorp.com/resources/category/guides/r-data-breach-response).
- ID Experts “Successful Data Breach Response”: (www2.idexpertscorp.com/resources/single/12-actions-to-take-when-a-data-breach-strikes/r-data-breach-response).
Don’t Get Punked: Safeguarding Your Business From the Web’s Dark Side
Businesses uneasy about the increasing frequency of unsolved hacker cases can take heart. With the right moves, you can significantly reduce your vulnerability to a computer break-in via the internet.
Job one: Begin hardening your online digital perimeter by realizing that the person or staff responsible for your web security is the overarching factor in keeping your business safe—and not necessarily the security technology they administer and oversee.
“Fundamentally, good security really is just good systems administration,” said Ira Winkler, founder of Internet Security Advisors Group, a computer security consulting firm. “And if you can’t afford or can’t get a good system administrator, I recommend outsourcing that.”
In fact, Winkler said that the smallest of businesses will probably be best served by an outsourced, third-party computing solution, given that the entire focus of a topnotch network systems provider is on configuring, maintaining and securing computer systems 24/7. In other words, Winkler said, you may want to move the critical computer applications of your business to the cloud so that you can take advantage of the relatively sophisticated web security offered there.
At minimum, install a quality internet firewall that’s properly configured and internet security software that guards against viruses, malware and spyware, said Sharon D. Nelson, Esq., president of Sensei Enterprises, a computer security consulting firm. Both are available with software packages such as Symantec’s Internet Security, Kaspersky Security, Trend Micro Security and the like.
Also, be sure that your staff gets the message that your business security has to be taken very seriously.
“Education of your employees is key,” said Rich Conklin, owner of Executive Computer Solutions.
Staying a step ahead of hackers also means being careful with any custom-made software, Nelson added, since these programs are rarely subjected to the rigorous security testing that popular, established software endures. For example, Content Management Systems (CMS)—software designed to enable businesses to easily update their websites—are often custom-made.
“A custom CMS is usually a bad idea,” Nelson said.
Many employees also tend to get lazy about passwords. Surprisingly, one of the most commonly used passwords still in use today is P-A-S-S-W-O-R-D. It’s a seemingly trivial oversight, but it has spelled the undoing of countless, otherwise stellar computer security systems.
Nelson recommended using complex alphanumeric passwords of more than 12 characters, which are tough to crack even by software specifically designed to crack passwords. And she reminded people to use different IDs and passwords to enter different gateways.
If you’re looking to be especially vigilant about passwords, you can also use free, online password generators such as Secure Password Generator (www.passwordsgenerator.net), which will instantly generate long, complicated passwords for you. Or, you can purchase password-management software that auto-generates complicated passwords and centralizes all of your IDs and passwords into a single, easy-to-use program. Top programs in this genre, according to PC Magazine, include Dashlane 4 (www.dashlane.com) and LastPass (www.lastpass.com).
You’ll also need policies in place to establish lockouts after a system user has entered a predetermined number of incorrect IDs or passwords, Nelson added. And the same lockout failsafe needs to activate the moment an employee departs or is terminated from your business.
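The lockout policy described above, written out as an added example that is not from the article or any vendor it names: it counts failed logins per user, locks the account once a threshold (assumed here to be five failures within 15 minutes) is reached, lets the lockout expire, and refuses departed employees outright. The login events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, user, outcome); not taken from the article.
SAMPLE_EVENTS = [
    ("2016-09-01 09:00:00", "alice", "fail"),
    ("2016-09-01 09:00:10", "alice", "fail"),
    ("2016-09-01 09:00:20", "alice", "fail"),
    ("2016-09-01 09:00:30", "alice", "fail"),
    ("2016-09-01 09:00:40", "alice", "fail"),     # fifth failure trips the lockout
    ("2016-09-01 09:00:50", "alice", "success"),  # right password, but still locked
    ("2016-09-01 09:05:00", "bob", "fail"),
    ("2016-09-01 09:05:05", "bob", "success"),    # one slip, then success clears the count
    ("2016-09-01 09:06:00", "carol", "success"),  # departed employee: always refused
    ("2016-09-01 09:20:00", "alice", "success"),  # lockout has expired
]

class LockoutPolicy:
    """Lock an account after max_failures failed logins inside `window`; refuse disabled users."""
    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=15), disabled=()):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.disabled = set(disabled)          # accounts of departed or terminated staff
        self.failures = defaultdict(list)      # user -> timestamps of recent failures
        self.locked_until = {}                 # user -> end of the current lockout

    def evaluate(self, ts, user, outcome):
        """Decide one attempt: 'allow', 'deny' (wrong credentials) or 'locked'."""
        if user in self.disabled:
            return "deny"
        if ts < self.locked_until.get(user, ts):
            return "locked"
        if outcome == "success":
            self.failures[user].clear()
            return "allow"
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[user] if ts - t <= self.window] + [ts]
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            self.failures[user].clear()
            return "locked"
        self.failures[user] = recent
        return "deny"

def replay(events, policy):
    """Feed events through the policy in time order; return (timestamp, user, decision)."""
    out = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        out.append((ts_text, user, policy.evaluate(ts, user, outcome)))
    return out
```

Running `replay(SAMPLE_EVENTS, LockoutPolicy(disabled={"carol"}))` shows alice locked on her fifth failure and refused even with the right password until the window passes, bob cleared by a single success, and carol denied regardless of credentials.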
For protection of especially critical data, Winkler also advised multiple authentication, such as the use of two or three passwords rather than just one to access a website-maintenance account. And he said that companies whose data privacy is especially critical should consider investing in data leakage prevention software.
Employees should also stay on the lookout for “social engineering” ploys—a fancy term for a hacker who forsakes the digital black arts and simply tries tricking someone at your business into surrendering key passwords and similar information with a friendly phone call or a seemingly innocuous email.
“Look at the link to see where it’s coming from,” Winkler advised. If you don’t recognize the company or the link seems hinky, don’t click it.
As a failsafe, you’ll also want to look into cyber-security insurance.
“More than 60 carriers offer standalone cyber insurance policies,” said Dr. Robert Hartwig, special consultant for Insurance Information Institute (www.iii.org). “Businesses, experts and consumers around the world are paying close attention to the risk of cyberspace and developing a corresponding response.”
There are, of course, other ways to further toughen your security. But at a certain point, you’ll probably need to concede that your defenses will never be perfect—but good enough, you hope.
“Anybody who sells you ‘perfect security’ is a fool or a liar,” Winkler said. “What security is about is risk management. The more you elevate security, the more you’re raising the bar and the more exponentially you’re decreasing your risk.”