Written by Malcolm Newdick, Riverbank IT Management MD.
What businesses must do in response to the discovery of a breach – immediate, short term and long term.
When you discover a security breach the immediate action is fire-fighting – stop the breach and stop the cause of the breach. This might mean simply turning things off, even if you know it will have an impact on your users or customers. Then you’ve got two jobs to do: one is the technical work to fix the problem, the other is the PR job of contacting the people affected and dealing with external enquiries from the press and others.
It’s at this point you will either be glad that you did all that preparation and rehearsal or you will be wishing you had done some preparation and rehearsal…
The short-term response is the sticking plaster. What do you have to do to ensure that this breach has been stopped and the immediate cause has been eliminated?
For example, has the disgruntled employee caught leaking data been barred from the system? Has the hacked firewall been replaced with a more secure unit? Or maybe you have to create a workaround if one part of your IT systems has had to be turned off while you identify and implement the long-term solution.
You might also be looking at your systems and processes around this breach to see where there are gaps and weaknesses. Examples here could include financial controls so you cannot fall victim to that phishing email again, introducing multi-factor authentication to stop someone successfully using a stolen password or adding a layer of physical security to stop people getting into the server room.
At this stage, you will also need to deal with all the administration around insurance and legal issues. In addition to this extra workload, you could find yourself in an unwelcome spotlight. You could be the focus of attention from your board directors unhappy about reputational damage to the organization. You might have issues with IT staff who are being asked to work at 150% of capacity. You might have departmental managers angry about the disruption to their work. It’s a stressful time and preparation is key to the smooth operation of your recovery plan.
In the long term, you might have to make changes that are more structural in nature. For example:
- Do you need to educate your board so the directors understand the threats and will dedicate time and money to IT security?
- You might need a new staff training plan to increase their awareness.
- You might need additional budget to pay for enhanced security.
- You will certainly be reviewing all other aspects of your IT security. Fixing the area of the breach might make that area stronger, but that just means the weakest point in your security now lies somewhere else. You need to identify these other weaknesses before the next breach occurs.
And finally, don’t overlook that preparation and rehearsal that you wish you had done before. It’s your decision whether next time you look like a professional firefighter or a headless chicken.