By M. Scott Koller – BakerHostetler
The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your organization experiences a data breach. Here are a few relatively simple ways to improve information security and reduce the impact of a potential data breach when that day comes.
Review Your Incident Response Plan
First and foremost, review your incident response plan. An incident response plan should be a flexible playbook that evolves over time and helps guide your response to a potential data breach. As 2015 comes to an end, take this opportunity to see if there are any ways in which your incident response plan can be improved. Does the plan provide enough detail? Are there procedures that should be changed or updated? Consider the impact of new business relationships or product lines, or whether systems were recently deployed or upgraded. Contact information for your incident response team, especially after hours, is a vital part of your response plan, yet personnel changes are frequently overlooked. The worst time to find out your CTO got a new cell phone number is when you are trying to reach him or her at 2 a.m. on a Saturday. Even if nothing has changed within your organization, new vulnerabilities are being discovered and laws are frequently amended. In just the past year alone, 10 states have formalized amendments to their breach notification laws. For a detailed breakdown of these amendments, check out my prior article on the subject, “State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws,” and BakerHostetler’s state-by-state Survey of Data Breach Notification Laws. Bottom line, no matter how good your incident response plan was a year ago, there is likely something that should be updated or changed. Don’t wait until you are in the middle of a data breach crisis to review your incident response plan.
Conduct a Tabletop Exercise
There is a reason most buildings conduct yearly fire drills. Through practice and repetition, your response to an emergency can become second nature. Similarly, most data breaches are highly stressful events with serious ramifications for the organization. Tabletop exercises provide an excellent opportunity to practice your response in a low-stress, informal setting. Moreover, tabletop exercises can help identify gaps in your incident response plan and highlight ways in which you can become better prepared in the event of a data breach. Therefore, consider making a data breach tabletop exercise an annual event.
Review and Test Backup Procedures
A properly implemented backup procedure can help safeguard the availability and integrity of company data, as well as protect against the growing threat of ransomware. According to a report by McAfee, reports of ransomware infections have grown exponentially over the past year. Even though backing up data is second nature to most IT professionals, many still forget the critical step of testing those backups to ensure that the information was successfully backed up, that it can be fully restored, and that it includes all critical data. Remember that some variants of ransomware will encrypt network shares, so it is important to segregate backup systems from your primary network.
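The three checks above (the data was actually written, it can be restored in full, and every critical file is present) are easy to automate. The following Python script is an added illustration and is not part of the article or any BakerHostetler material: it creates a backup archive with a SHA-256 manifest, restores the archive into a scratch directory, and compares the restored files against the manifest and against a list of files the organization considers critical. The sample data set, file names and the "critical file" list are constructed for the demonstration.

```python
"""Backup verification example (added illustration; all sample data is constructed)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map every file under source_dir (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(source_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(source_dir).as_posix()] = sha256_file(p)
    return manifest


def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive source_dir, write a JSON manifest next to it, and return the manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:  # add exactly the files the manifest records
            tar.add(source_dir / rel, arcname=rel)
    manifest_path = archive_path.with_name(archive_path.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive_path: Path, manifest: dict, critical_files: list) -> dict:
    """Restore the archive into a scratch directory and check it against the manifest.

    The report lists files missing from the restore, files whose content differs from
    the manifest, critical files absent from the restore, and an overall ok flag.
    """
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # reject unsafe member paths
            except TypeError:  # older Python without the filter argument
                tar.extractall(restore_dir)
        restored = build_manifest(restore_dir)
    missing = sorted(f for f in manifest if f not in restored)
    mismatched = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    missing_critical = sorted(f for f in critical_files if f not in restored)
    return {
        "missing": missing,
        "mismatched": mismatched,
        "missing_critical": missing_critical,
        "ok": not (missing or mismatched or missing_critical),
    }


def run_demo() -> dict:
    """Back up a constructed data set and verify it against two critical-file lists."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "hr").mkdir()
        (src / "hr" / "roster.txt").write_text("alice\nbob\n")
        (src / "notes.txt").write_text("scratch notes\n")

        archive = work / "backup.tar.gz"
        manifest = create_backup(src, archive)

        # Case 1: every critical file was included in the backup job.
        complete = verify_restore(archive, manifest, ["finance/ledger.csv", "hr/roster.txt"])
        # Case 2: the job "succeeded" but a critical file was never in scope (constructed).
        incomplete = verify_restore(
            archive, manifest, ["finance/ledger.csv", "hr/roster.txt", "hr/payroll.db"]
        )
    return {"complete": complete, "incomplete": incomplete}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script shows the first report with `ok: true` and the second with `hr/payroll.db` under `missing_critical`, which is the failure a backup job's own "success" status would not reveal. In practice the manifest should be stored separately from the archive, and the restore test should run on a host that is not on the primary network, so that a ransomware infection of the file servers cannot also alter the evidence used to judge the backup.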
Audit External Service Providers
As Target learned the hard way, external service providers represent an alternative way hackers can infiltrate your network. Consider auditing your service providers to ensure they are using appropriate safeguards. If possible, limit their access to only the data and systems needed to fulfill their function. Remote access should be enabled “on demand” when needed and disabled when not in use. In addition, service provider agreements should be reviewed annually to ensure that the indemnification, limitation of liability, and cyber liability insurance provisions are appropriate. These provisions should reflect a balance between the amount of data at risk, the extent of the service provider’s access to that data, and the potential costs associated with a data breach. If a service provider has agreed to indemnify your organization for data breaches, make sure the vendor has the financial resources to do so, and if not, require cyber liability insurance provisions to cover any shortfall. Be mindful of limitation of liability provisions, which routinely limit liability to the amount of fees collected under the service agreement or within a certain period.
Perform a Risk Assessment
If you do not know what sensitive personal information and business data you have, where it resides, and who has access to it, you cannot implement appropriate safeguards to protect it. When facing a potential data breach, the inability to provide an accurate network diagram and describe the company’s sensitive data flow will complicate the forensic investigation. Risk assessments can help address these issues and should be performed on a regular basis to account for new vulnerabilities, changes to the organization’s structure or business operations, and the ability of existing security controls to detect and defend against likely cyberattacks.
No amount of advance preparation can entirely prevent a data breach from occurring. However, it is possible to reduce the frequency and severity of incidents by following the steps discussed here.