How to react to a data breach
Anonymous security execs outline steps to respond to a successful cyber attack
Organisations should have plans in place to deal with any security breach and its aftermath, delegates were told at this year's Infosecurity Europe conference.
In a panel discussion held under Chatham House rules, security experts from high profile organisations were granted anonymity to tackle the task of dealing with a fictitious security breach.
The panellists were told they work at an imaginary telecoms operator, reacting to an incident in which a hacker had stolen a database of millions of customers and a ransom demand sent.
Keep communication lines clear
The panel said there was a need to have clear lines of communication between different departments. The legal advice was to not contact the hacker with the ransom demand, but to call in law enforcement to let them be aware that a situation had occurred.
Also, it was important to inform the Information Commissioner's Office (ICO) of any breach within 24 hours, even if any information about the incident is scant. Panellists warned that while the ICO would be helpful, it would ask questions of the organisation in order to get as much information about the breach as possible. Among the questions would be how the breach occurred, who was affected, what steps were taken to mitigate the attack, as well as questions over broader security policy.
One panel member said that law enforcement should only be brought in where an organisation is serious about a crime being investigated and suspects prosecuted, otherwise, it would be a waste of police resources when there were plenty of other investigations to be carried out elsewhere. He pointed out that the police are there to "help businesses get back to business as usual".
Don't pay the hackers
Panellists were quick to agree that any ransom demand should not be paid, as criminals cannot be trusted to make good on any promise they make about the data they have accessed.
Another panel member said that in terms of public relations, organisations have to be careful with what they share about an incident externally.
One panel member acting in the role of head of the fictitious telco's security operations centre said that it may be a good idea to take any affected system offline temporarily to ensure criminals cannot access further data and to allow security professionals to carry out investigations. Potential insider threats should also be investigated.
During the exercise, panellists were told that news of the fictitious breach had got out to the wider world. It was important, delegates were told, that this would mean the organisation would have to know exactly what had been breached to counter false claims that would inevitably spring up around the incident.
After such an event, it was important then to brief the press, be honest and open about the incident and say sorry for the inconvenience caused by the breach rather than the incident itself.
Anticipate a breach
Panellists advised any organisation to not only plan for when a breach would inevitably happen but to also practise dealing with a breach throughout the organisation. This would better prepare businesses should a breach happen to them. It would be important not only to plan for a breach response with senior people within an organisation but also their deputies, as a breach may occur when senior staff are not around.
After the session, PwC partner and panel chair Richard Horne, said the most important thing companies need to be prepared for is how to handle a breach and limit the impact on customers, the company, and its value.
"Badly handled breaches can have a significant impact on companies and their value," he said.