A significant data breach can be compared to Thanos from Avengers: Infinity War; big, bad and able to wipe out half a company with a snap of its fingers (albeit probably not purple). For many companies, a breach is still viewed as an incident for IT alone to deal with, leaving IT as the lone hero to be overwhelmed.
When it comes to managing a breach, it’s not Thor and The Hulk that you call upon, but your own Avengers: the post-breach response team. A diverse team made up of pre-selected members from different parts of the business, it operates as something greater than the sum of its parts, combining expertise to minimise the impact of a breach.
Previously, data breaches could be handled in private; companies could take their time with the situation or even hide the fact that the leak had happened. But GDPR makes companies liable to give a detailed account of what has happened within 72 hours of the breach happening, or face being fined by the Information Commissioner’s Office (ICO). A serious data breach could now lead to your company being decimated if the right steps aren’t taken.
Raising the signal
Selecting the right superhumans for your team is, of course, essential for handling GDPR and your entire security strategy in the right way. So is structure: much as in the Avengers’ latest outing, battles often need to be fought on multiple fronts, so the team needs to split in two to ensure that all bases are covered.
Team One, also known as the business team, should be made up of representatives from the C-level of the organisation, the legal team, PR/comms and finance. This team needs to know what to do and be able to make the right call from both a business and a regulatory perspective. The business team essentially works the frontline and is in charge of handling communications inside and outside the company, which is why it is important to have people with media training on the team. Crucially, the business team gives Team Two, the technical team, the time and opportunity to handle the breach without constant interruption.
The technical team is made up almost exclusively of IT and Security staff, with occasional input from risk management experts. Its job is to focus on the details of what happened, ensuring that the business team have up-to-date and ruthlessly accurate information.
With both of these teams, it’s important to note that there are the core members - C-level and legal for the business team and IT for the technical team - and other members that may get involved later on in the process, such as comms, finance and risk management. Much of this depends on the business and the scenario that it finds itself in, as there are no hard and fast rules. Some members may just appear later on to give more information, like a post-credit scene.
Whilst the division between the teams is crucial to success, constant communication between the two teams is vital. Each team needs to communicate its priorities in order to effectively deal with the investigatory bodies, customers and the wider business. So, as the business team handles the frontline, IT works the background, launching the investigation.
Going to work
There are three key stages in the battle against the titanic data breach. To begin with, the technical team needs to work out what - if anything - has happened within the network. From a false positive, to a close shave, through to a full loss of data, an accurate assessment needs to be made before the reactive measures can be put into action.
Second, internal communications need to be managed, which is where the business team comes in. The wider business needs to be made aware of what has happened, what the company line is and what they should or should not do, meaning that everyone is on the same page and working towards mitigating the damage.
Third, there has to be an accurate assessment of whether personally identifiable information (PII) was lost or not - if so, then there is the aforementioned ticking clock to get in touch with the Information Commissioner’s Office (ICO) and report the incident, to avoid the repercussions GDPR can bring. The investigation process is an integral part of any incident response plan and should be able to answer the Who, What, When, Where and How questions - all the information the ICO would require as part of their own enquiry.
From a technical perspective, there are four stages to getting your business back up and running. This starts with isolating the issue to make sure that it does not impact other areas of the business network. Next is eradication: ensuring that backdoors, malware and any other lingering threats are killed off as fast as possible. This is followed by recovery, getting back to full working order. Finally, you need the investigation, where you look at what happened, how it was managed and what should be done to make sure it doesn’t happen again. Importantly, each stage should be reported back to the business team, helping it build a full picture and stay up to date.
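The two threads above, the 72-hour ICO clock that only starts to matter once PII loss is confirmed, and the four technical stages reported back to the business team, can be tracked in one place. The following is an added illustration, not code from the article or from ZoneFox; the `Incident` class, its field names and the sample timestamps are all constructed for the example, and the clock is simply counted from whatever start time the team records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOTIFY_WINDOW = timedelta(hours=72)                   # GDPR reporting window named in the article
STAGES = ("isolate", "eradicate", "recover", "investigate")
QUESTIONS = ("who", "what", "when", "where", "how")   # what the ICO enquiry will ask

@dataclass
class Incident:
    """Constructed tracker (hypothetical). Times are ISO-8601 strings, e.g. '2018-05-25T09:00:00+00:00'."""
    clock_start: str                       # moment from which the 72-hour window is counted
    pii_lost: Optional[bool] = None        # None until the technical team has made the assessment
    completed_stages: list = field(default_factory=list)
    findings: dict = field(default_factory=dict)   # answers keyed by the five questions

    def next_stage(self) -> Optional[str]:
        """Stages are closed in order: isolation before eradication, and so on."""
        done = len(self.completed_stages)
        return STAGES[done] if done < len(STAGES) else None

    def complete_stage(self, stage: str) -> list:
        expected = self.next_stage()
        if stage != expected:
            raise ValueError(f"cannot complete {stage!r}; next expected stage is {expected!r}")
        self.completed_stages.append(stage)
        return list(self.completed_stages)   # what gets reported back to the business team

    def notification_status(self, now: str) -> str:
        """Where the ICO notification stands at time `now`."""
        if self.pii_lost is None:
            return "assessment pending"       # no clock pressure until the technical team has decided
        if not self.pii_lost:
            return "not required"             # no personal data lost, no GDPR notification
        deadline = datetime.fromisoformat(self.clock_start) + NOTIFY_WINDOW
        remaining = deadline - datetime.fromisoformat(now)
        if remaining <= timedelta(0):
            return "overdue"
        return f"due in {int(remaining.total_seconds() // 3600)}h"

    def missing_questions(self) -> list:
        return [q for q in QUESTIONS if not self.findings.get(q)]

    def report_ready(self) -> bool:
        """The business team can file only once PII is assessed and all five questions are answered."""
        return self.pii_lost is not None and not self.missing_questions()
```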
Practice is important; there is no worse time for implementing a plan than during a live incident response. Much like Doctor Strange, the team should think about all the different outcomes that may occur before they even happen and find time to test them out. Penetration testing and practice scenarios should be carried out in order to prep the organisation before the day its own supervillain arrives.
GDPR may seem to have exacerbated the danger for organisations, but it is not something businesses should fear, especially with a super team prepped and ready for action. The law acts as a force for good, urging companies to make good practice their daily standard.
So, with this plan in pocket, businesses can rest a little easier knowing that they have their own data Avengers ready and waiting for the day disaster strikes. It may never come, but modern, forward-thinking organisations should always be ready. Time to suit up.
Jamie Graves, CEO & Founder of ZoneFox
Image Credit: Ai825 / Shutterstock