Johannesburg, 11 Feb 2015
Businesses are potentially more vulnerable to IT breaches during the festive season and the peak sales period in the New Year than at any other time of year.
Cyber criminals will use the spike in online shopping to target employees using company devices with malicious e-mails purportedly from reputable retailers.
IT managers should be particularly vigilant during this time. What steps should businesses take upon discovering a data breach in order to limit corporate reputational damage and maintain customer trust? The following is my 10-step data breach reaction plan for IT teams dealing with a cyber attack on their organisation - at this time of year, or any other time too.
1. Don't panic: A clear head is what's needed. You might be finding out your entire IP/credit card system/customer database has been breached. You need to stay calm in order to react correctly. Too many mistakes are made while the adrenalin is pumping.
2. Damage limitation: Take immediate stock of what's been breached ? identify exactly which systems and which data. Seek to remove all access to those systems to prevent further breach. If you believe there's a criminal offence being committed pull the plug on the server - don't shut it down, you want to preserve the OS, files and DBs in a forensic state. A graceful shutdown will overwrite too many files that forensic solutions can interrogate offline.
3. Patch holes: Once you know what's been breached, seek to patch the holes in your perimeter. This means everything from forcing password resets, through to removing remote access or modifying firewall rules.
4. Team reaction and impact assessment: It's likely that IT will need many business assets to deal with this problem, so convene a response team. You'll need IT, C-suite, PR, marketing, customer operations, legal, security and support. Get your team together and assess the impact. What's been breached, what data is missing, who is affected?
5. Full damage report: Get a small group of technical experts together who can quickly provide a full 'sit-rep' on the problem. This needs to be done quickly, without fuss, and safely.
6. PR (or no PR) and notifications: If you have customers who are affected you'll need to tell them. Too many organisations try to cover these things up, but that's impossible and inadvisable today. So decide what sort of PR you'll need to run and be open, honest and transparent. Once you have identified who or what has been affected, you'll need to tell them what's happened and what to do about it.
7. Offer damage limitation to affected: If customers are affected personally, i.e. their personal details could have been stolen, or their credit rating could be affected, you'll need to offer some form of damage limitation to help them deal with the fallout of the issue.
8. Notification to regulator: If applicable, you'll need to tell your regulator. This could be external, but also internal. You'll need to explain the problem to your business, the board and investors. Also tell them what you're doing about the problem.
9. Clean up: Clear up the situation but don't be tempted to cut corners. We know advanced malware can remain resident on networks for an average of 260 days, so restoring a system from last week's backup is not an option. It's likely you're looking at a full bare-metal recovery of affected systems to ensure they're really clean.
10. Improve protection: Get additional professional advice to bolster the levels of protection you had in place. One breach means you'll always be a target for others trying the same tricks, so stronger defences are required.
Share