"The threats come from almost any direction -- rogue emails and websites that capture personal information or malicious mobile apps that gain access not just to a personal address book, but also to log-in and network credentials."
And once the inevitable happens and a breach is discovered? The critical overall goals following the discovery are to make your organization secure again, preserve evidence (like you would for a crime scene because, after all, that's what it is) and protect your brand, market share and profitability.
To achieve that, the consensus among online posts and experts who spoke with CSO say the response in the first 24 hours should include the following:
- Document everything, including the date and time of the breach, when it was discovered and when your response began.
"Good information about what happened and when is going to be critical for your response team, for reporting to management, for law enforcement efforts and, potentially, to help protect yourself during legal proceedings," according to Bianco.
- Interview the person(s) who discovered the breach.
- Secure the premises where the breach occurred to preserve evidence. "This includes preserving memory, live response data, and taking offline forensic images, even if they are simply stored for later analysis," Rafferty said.
To that, Zaichkowsky adds, "quickly preserve data with a short lifetime before it's overwritten such as captured Internet traffic and volatile data from known compromised endpoints."
- Determine what was stolen or compromised and how.
- Determine what security measures, such as encryption, were in place when the breach occurred.
- Align compromised PII with customer names and addresses for notification.
- Notify your legal counsel, privacy and compliance teams, and determine if you need to notify law enforcement.
"Make sure investigative materials can be labeled 'attorney-client privileged' and disclosure and notification requirements are tracked from the onset of an incident," Rafferty said.
- Prepare to meet your notification requirements.
- Choose a spokesperson.
- Be upfront and transparent. If you delay or try to cover up news of a breach, it will simply prolong media scrutiny and increase damage to your brand.
- Notify various stakeholders, including investors, management, IT, HR, external consultants, third-party partners and customers. Remember that data breach notification can require much more than sending out form letters. Different states have different requirements.
- Provide a call center for identity protection and fraud resolution for affected individuals.
Lists like that will probably be necessary for a long time, Avenessian said, since there are "massive problems" within the IT professional community.
The majority of defenders, he said, don't think strategically because they are technicians and "think in terms of tools and tactics."
Sign up for CIO Asia eNewsletters.