Preparing for Data Breach
by Sean Curiel, on Nov 10, 2021 3:43:38 AM
We all hope that it's not a self-fulfilling prophecy. We must hope for the best, prepare for the worst, and not be surprised by anything in between (Maya Angelou). In fact, solid preparation helps us avoid a worst-case scenario with the devastating effects of a data breach. The immediate actions you take upon discovery of a data breach incident can facilitate a quick recovery, blunt financial and reputational damage, and enable a fast return to business.
Types of Data Breach
From stolen passwords, phishing attacks, unpatched hardware or malware, a data breach can occur in any number of ways. How you respond may depend, in part, on the type of business you are conducting. Customers in government or highly regulated industries may need to follow a very specific flow of communication and notification to meet compliance standards, while Managed Service Providers may have to notify thousands of clients about actions to take and the status of service. But in all cases of data breach you will need to identify the problem, communicate internally (and externally), mitigate the damage, enact business continuity measures, recover data, and analyze how this event took place.
Listen to a Podcast episode about MSP considerations when responding to data breach.
MSP Response to Data Breach
When a breach is first identified, an MSP must have a clear set of standard operating procedures. Leadership will be required to carry out important security actions.
- Define your business's emergency response team
- Designate appropriate roles and responsibilities
- Construct a hierarchy and contingency plan should a member be unavailable
Communications
Define not only who will be notified and when, but also by what methods. Automation is great for fast, effective internal notifications, but it cannot always be relied upon. This makes documenting manual procedures an important backup course of action. Once your response group communications have been established, is your plan clear enough that anyone could understand it? As you take on new IT team members, it may be worth seeing whether they can explain what needs to happen from a company-wide standpoint based on your documentation alone.
What is your responsibility to your customer in a data breach scenario? Yes, you'll want to secure their data and communicate clearly, but these are very broad concepts. Every new customer relationship should include signed agreements or contracts which set the appropriate expectations and define the minutiae of the MSP's responsibility to the client.
Finally, businesses may find their password software or other security tools become unavailable at the worst possible moment. Document your security procedures manually as a backup to any applications that control access during an emergency.
Conduct a Practice Run
Are you aware of the most common methods of attack? Look at your situation from a potential attacker's perspective and build out the most likely scenarios. A vast amount of knowledge can be gained by running through simple table-top exercises that illuminate any foreseeable obstacles and address team concerns well in advance of a real problem.
TIP: Develop the 10 most likely data breach scenarios and run through 1 every quarter with team members in a simulated activity.
Scenarios should include the most common attacks, such as:
- Ransomware Attack
- Compromised Credentials
- Insider Leak
- Distributed Denial of Service (DDoS)
Should clients be involved in your breach response simulation? That's up to you. Will they see value in a partner who is taking every precaution to ensure the security of their data? Then by all means, show them the value you are providing and educate them on the actions they must take in a disaster scenario.
Response Plan
Your data breach response plan should define how your business halts the progress of a threat and maintains business continuity for critical systems. How will customers be notified? These types of notifications can be built out in advance to save critical time. Other communications might include authorities or cyber insurance contacts. As an example, regulations like GDPR require that a data breach be reported within 72 hours.
It is also often important to consider how this crime will be investigated, recorded, and forensics eventually performed for legal reasons. At a minimum, your team should understand what actions to avoid that could interfere with an outside investigation.
Response planning should include the following steps:
- Categorize data and prioritize risk to critical data in the event of total loss, theft or sabotage
- Risk assessment extending to applications, devices, and users
- Business continuity plan in the event critical services become unavailable
- Security policies and procedures that will contain threats (short term / long term)
- Eradication and remediation of threat (enhancing protection / removing vulnerabilities)
- How self-evaluation of security response will be conducted
Cyber Insurance
How liable are you during a data breach? There may be a range of requirements from your cyber insurance company that help to protect you during a data breach. Nobody wants to make a misstep that invalidates a potentially business-saving policy. Furthermore, these contracts should be reviewed annually to verify that no major changes have taken place that would require a policy update.
If at this point you are asking "Why do I need cyber insurance?", then we could discuss the obvious financial benefit in a ransomware extortion type scenario. But more compelling is understanding how cyber-insurance can work as a tool to close additional business and present your value to prospective clients. While all MSPs can promise the world to clients, fewer can produce proof of financial protection, and fewer still train with customers for a detailed response to data breach.
New Regulations
MSPs especially must pay close attention to the latest industry regulations regarding protected personal information (PPI) as they could become targets for greater regulation or found liable for damages. A recently passed Louisiana security law, for example, requires MSPs to register with the state, and notify of any ransomware payments made.
It's important not to fall behind, and to stay diligent about internal procedures. When new hardware is deployed, your breach response plan must also be updated to reflect it. These documents must not sit static, but continue to evolve.
The NovaBACKUP Cloud team works with MSPs to build a clear course of action to restore critical data. Our backup-as-a-service solution has received the HIPAA Certification Verification from the Compliancy Group to ensure compliance with strict privacy regulations. We invite you to speak with one of our backup experts about testing NovaBACKUP Cloud for MSPs in your environment today.