Is Your Data Breach Response Plan Ready?
Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian
Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.
In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.
Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.
Security: How have typical responses to data breaches changed over the past five years?
Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.
One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.
Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.
Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?
Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49 percent of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.
Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.
Security: When auditing their data breach response plan, what in particular should security leaders be looking for?
Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up to date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.
Security: What are the top three issues business security leaders should plan for next year?
Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.
Security: Are there any key tools or strategies security leaders can use to better engage with the C-suite?
Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.
There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss.
Security: The cybersecurity talent gap continues to be a real struggle for many security leaders. How can security professionals recruit the appropriate stakeholders and staff?
Bruemmer: There are a variety of factors that can come into play when a business is recruiting cybersecurity talent and pulling together a data breach response team. The size of the organization, the current technologies used in the workplace, budget and business vertical can all impact the qualifications needed for the right hire.
It’s important for the security professional to be on top of current and future trends in the cybersecurity space, and this executive needs to be someone who is fluent across all potential vulnerabilities that should be addressed. Additionally, it’s beneficial for a business to consider bringing on external partners, such as legal counsel, communications firms, and a data breach resolution provider.
Having these teams in place prior to an incident can make a significant impact on the organization’s preparedness. At the end of the day, data breach prevention and response should be a strategic team effort.
Security: Regarding response exercises and drills, what suggestions do you have for security leaders looking to involve multiple departments? What after-action steps are necessary to get the most out of these exercises?
Bruemmer: It’s very important that a data breach response plan be updated and practiced annually. Not only that – it should also have buy-in from all of the key personnel and departments involved. A data breach response is a company-wide effort. To make sure the thread runs across the organization, there should be a representative from the key departments on the official response team.
To practice the plan, businesses should dedicate half of a day to conduct a simulation exercise. For an effective drill, businesses should consider engaging an outside partner to facilitate and moderate. It’s also a good idea to include external partners in a drill, such as legal counsel and a data breach resolution provider.
When businesses conduct a drill, they should see if they can address different scenarios that the organization could face. These scenarios should be pertinent to the industry, the type of data collected and the way the business’ IT infrastructure is set up. However, not every scenario will take place in a realistic time frame. A true response will likely take weeks to address, not hours, so there is a degree of imagination. Companies will still have the desired outcome of honing response skills and testing key decision-making protocol.
Afterward, businesses should plan a debriefing session to review what went well, and what didn’t. This is a good opportunity to identify changes that need to be made to a data breach response plan, and it’s important to incorporate these changes when the next drill takes place.