Nothing makes a CISO’s blood run cold faster than being told by staff that the organization has been hacked. At that moment, the eyes of the entire enterprise are aimed at him or her.
What to do first? Ilia Kolochenko, CEO of Geneva-based Web application security vendor High-Tech Bridge, offers these tips to help chief security officers keep their heads:
— Avoid panic and focus
Many companies aggravate the consequences of a data breach and disrupt the legal investigation through enormous internal panic, he says. Keep in mind that you are not the first victim of hacking, nor the last one. “Now your role is to focus your and your team’s efforts on minimizing the consequences of the actual data breach. Moreover, the fact that you have identified the breach is positive, as many companies do not even know they have been compromised, due either to highly sophisticated hackers or to the internal technical team’s negligence.”
— Gather your team and assign roles
Each company structure is unique, but make sure that your technical, legal, public relations, and sales teams are present. The technical team will obviously be in charge of the technical aspects of incident handling, the legal team will ensure that your investigation complies with the law, PR needs a clear corporate position for the media, and the sales team needs to know exactly what to say to your customers. It is very important to synchronize all teams: make sure that no team acts on its own initiative without your approval and without notifying the others.
— Understand what happened, which data was compromised and how
Sometimes companies panic on hearing fake hack announcements staged by unhappy customers or unethical competitors, he said. Others deny data breaches until all the compromised data appears online and makes headlines. Your technical team should be able to tell you which systems and data were compromised and which vulnerabilities the hackers used to get in, confirm that the compromised systems are properly isolated, and ensure that the hackers didn’t leave any backdoors or logic bombs behind.
— Carefully collect logs and other evidence
Make sure your security staff don’t erase or alter any logs during the investigation, otherwise a court of law may reject them as evidence later. If you don’t have enough in-house expertise to conduct incident forensics properly, call an external company to perform the technical aspects of the work. If you know which systems are breached, disconnect them from the network (including the local one) rather than powering them off, since memory and running-process state are evidence too; the hackers may still be in there mining your data, installing backdoors, and erasing logs.
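The “don’t alter the logs” point above has a practical counterpart: copy the logs to an evidence store, record a hash manifest at collection time, and re-hash later to prove nothing changed in between. The script below is an added example written for this page, not code from the article or from High-Tech Bridge; the manifest file name, the evidence directory layout, the collector name and the sample log lines are all assumptions made for the demo.

```python
"""Added example (not from the article or High-Tech Bridge): preserve log
evidence so that later alteration is detectable.  Copies logs into an
evidence directory, makes the copies read-only, records a SHA-256 manifest
with collection time and collector identity, and re-verifies on demand.
The manifest name, directory layout and sample log lines are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name, chosen for this example


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, evidence_dir, collector):
    """Copy each source log into evidence_dir and write the manifest.

    Returns the manifest dict.  Raises if a copy does not hash identically
    to its original, so a bad copy is never silently recorded as evidence."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(Path(p) for p in sources):
        original_hash = sha256_of(src)
        # Prefix with an index so two logs with the same base name cannot collide.
        dest = evidence_dir / f"{index:03d}_{src.name}"
        shutil.copy2(src, dest)            # copy2 keeps the original mtime
        if sha256_of(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match original")
        os.chmod(dest, 0o444)              # read-only: guards against casual edits
        entries.append({
            "evidence_name": dest.name,
            "original_path": str(src),
            "sha256": original_hash,
            "size": dest.stat().st_size,
            "original_mtime": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    manifest_path = evidence_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, 0o444)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every manifest entry; return the names that are missing or changed."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["evidence_name"]
        if not path.exists() or sha256_of(path) != entry["sha256"]:
            problems.append(entry["evidence_name"])
    return problems


# Constructed sample log lines for the demo; they are not real data.
SAMPLE_LOGS = {
    "auth.log": "Mar  3 02:14:07 web01 sshd[2201]: Accepted password for "
                "svc_backup from 10.0.5.17 port 51024\n",
    "access.log": '10.0.5.17 - - [03/Mar:02:15:31 +0000] '
                  '"POST /admin/upload HTTP/1.1" 200 512\n',
}


def demo():
    """Run the full flow in a temp dir; returns verification results before
    and after one preserved copy is deliberately altered."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        sources = []
        for name, text in SAMPLE_LOGS.items():
            (tmp / name).write_text(text)
            sources.append(tmp / name)
        evidence = tmp / "evidence"
        manifest = collect_evidence(sources, evidence, collector="ir-analyst-1")
        clean = verify_evidence(evidence)          # expected: []
        # Simulate someone "cleaning up" a log after collection.
        victim = evidence / manifest["files"][0]["evidence_name"]
        os.chmod(victim, 0o644)
        victim.write_text("")
        tampered = verify_evidence(evidence)       # expected: ["000_auth.log"]
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only proves integrity relative to itself: anyone who can rewrite the preserved logs can rewrite MANIFEST.json too. In practice, record the manifest’s own hash somewhere the investigation team does not control (the incident ticket, a signed e-mail, write-once media) at the moment of collection, so that the chain of custody can be checked against an independent copy.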
— Analyze and evaluate the origins of the breach
It is very important to understand how the hackers got into your network, he says. “Depending on the entrance path, you need to take urgent action to prevent them re-using the same vulnerability or a similar hacking method.” For example, if one of your trusted suppliers’ accounts was hacked and used to log in to your network, make sure that all of that supplier’s accounts are blocked until they have performed their own incident forensics. Make sure that other systems and networks under your control cannot be compromised in the same way.
— Analyze the consequences of the incident and prepare a disclosure plan
When you know what happened and how it happened, look at the business, legal, reputational, and financial consequences of the breach. Make sure your legal team participates fully, as legislation on data-breach disclosure differs from province to province and from one country to another. “In any case it is better to disclose the breach to all concerned parties, as even if you’re not legally obliged to declare the incident, your reputation will suffer much more if someone else (including the hackers) discloses the hack instead of you.”
Remember, he adds, that if you disclose the breach yourself you will be able to present the information properly and even reinforce your business reputation by demonstrating that you are handling the incident seriously. You don’t need to shout about the data breach from every street corner, he believes. If a limited number of customers were affected, make sure all of them are notified in a proper and timely manner.
— Disclose the incident to concerned parties and notify law enforcement agencies
Disclosure in Canada is in flux because federal law is about to change and expand corporate obligations. The coming regulations will make it explicit when organizations that come under federal law have to disclose a breach. Kolochenko says it’s very important to choose the right timing, because a badly timed disclosure might help the hackers and scare customers. Organizations covered by provincial legislation will have to follow those rules.
Regardless, Kolochenko says, when disclosing the incident make sure that all customers, and any third parties that suffered from the breach, feel that you do care about them and their data, and that you are doing your best to help them, to punish the criminals, and to prevent such incidents in the future. He also notes that properly performed incident forensics may be extremely helpful to law enforcement agencies, who may be looking for the missing piece of the puzzle to uncover a hacking team breaching companies in your industry.
— Revise your security policies and strategy
No security policy is perfect, and a data breach confirms the need to revise your security policy and strategy. Even if your own systems were not breached directly, but those of a third party with privileged access were, it is now your task and responsibility to prevent similar hacks in the future. Use the data breach as a lesson to prevent future hacks that may cost you much more.