In-depth

How to react to a data breach

Anonymous security execs outline steps to respond to a successful cyber attack

Organisations should have plans in place to deal with any security breach and its aftermath, delegates were told at this year's Infosecurity Europe conference. 

In a panel discussion held under Chatham House rules, security experts from high profile organisations were granted anonymity to tackle the task of dealing with a fictitious security breach.

The panellists were told they work at an imaginary telecoms operator, reacting to an incident in which a hacker had stolen a database of millions of customers and a ransom demand sent. 

Keep communication lines clear

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The panel said there was a need to have clear lines of communication between different departments. The legal advice was to not contact the hacker with the ransom demand, but to call in law enforcement to let them be aware that a situation had occurred.

Also, it was important to inform the Information Commissioner's Office (ICO) of any breach within 24 hours, even if any information about the incident is scant. Panellists warned that while the ICO would be helpful, it would ask questions of the organisation in order to get as much information about the breach as possible. Among the questions would be how the breach occurred, who was affected, what steps were taken to mitigate the attack, as well as questions over broader security policy.

One panel member said that law enforcement should only be brought in where an organisation is serious about a crime being investigated and suspects prosecuted, otherwise, it would be a waste of police resources when there were plenty of other investigations to be carried out elsewhere. He pointed out that the police are there to "help businesses get back to business as usual".

Don't pay the hackers

Panellists were quick to agree that any ransom demand should not be paid, as criminals cannot be trusted to make good on any promise they make about the data they have accessed.

Another panel member said that in terms of public relations, organisations have to be careful with what they share about an incident externally.  

Advertisement - Article continues below

One panel member acting in the role of head of the fictitious telco's security operations centre said that it may be a good idea to take any affected system offline temporarily to ensure criminals cannot access further data and to allow security professionals to carry out investigations. Potential insider threats should also be investigated.

During the exercise, panellists were told that news of the fictitious breach had got out to the wider world. It was important, delegates were told, that this would mean the organisation would have to know exactly what had been breached to counter false claims that would inevitably spring up around the incident.

After such an event, it was important then to brief the press, be honest and open about the incident and say sorry for the inconvenience caused by the breach rather than the incident itself. 

Anticipate a breach

Advertisement
Advertisement - Article continues below

Panellists advised any organisation to not only plan for when a breach would inevitably happen but to also practise dealing with a breach throughout the organisation. This would better prepare businesses should a breach happen to them. It would be important not only to plan for a breach response with senior people within an organisation but also their deputies, as a breach may occur when senior staff are not around.

After the session, PwC partner and panel chair Richard Horne, said the most important thing companies need to be prepared for is how to handle a breach and limit the impact on customers, the company, and its value.

Advertisement - Article continues below

"Badly handled breaches can have a significant impact on companies and their value," he said.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/mobile/5g/354286/why-5g-could-be-a-cyber-security-nightmare
5G

Why 5G could be a cyber security nightmare

6 Dec 2019