There are always a few things we can learn from data breach incident lessons. As you know, data breach incidents are on the rise and often, the successful attacks result in the theft of millions of personal data records. These attacks seem to be very targeted, sophisticated, and perpetrated by highly technical, organized and resourceful criminals.
As an organization, we respond to data breach incidents in one of two ways: 1) take reactive action to make the incident go away as soon as possible with the least amount of publicity and impact, or, 2) take action based on an established plan and learn from incidents and related patterns to update the plan. The smartest organizations are the ones which have a plan of action and update their response plan regularly based on new threats and control gaps elsewhere to improve their own controls.
1. Accept that attacks are inevitable. This is especially true when a company is viewed as having valuable data and weak security controls. Also, companies usually understand their own risk environment based on the human and technology investments that they have made to secure their information. When a company consciously decides to accept the risk of an incident by not planning and investing the necessary resources to prevent and respond to data breach incidents, it is accepting the risk of an incident while hoping that incidents will occur elsewhere.
When an organization or a country is perceived as having valuable information and weak security controls, it often becomes the target of hack attacks. For example, can you guess why credit card fraud is higher in the US when compared to some other countries? Because as the US is considering the EMV standard to implement the chip and PIN credit cards in October 2015, other countries upgraded their credit card security years ago which shifted criminal activities from more secure countries to countries like the US where the target data is more easily accessible.
2. Don’t underestimate hackers. We know that hackers are extremely organized and international in nature. They are well-funded and technically capable of identifying targets and executing a well designed attack. Good hackers are the best possible versions of information security professionals and the best thing that we can do is learn from their capabilities and thought process. If we understand how they think when it comes to identifying and taking advantage of security vulnerabilities, then we can protect ourselves before they take action. Also, hiring the most qualified security professionals and offering them the necessary technologies and continuing education is very important to protect information assets.
3. Incidents will get publicized. In countries where there is a legal requirement to notify government agencies as well as consumers, it is highly likely that incidents will be publicized in the media. Part of an incident response plan should include communication with and response to media requests. In addition to the high number of attacks against US companies for the reason that were described above, the robust incident notification laws in the US make their incidents much more visible.
4. Know your target. Lately, credit card and debit card information is the primary target of attacks and the U.S. accounts for about 50% of all breaches. It’s important to know what the main target is in the majority of the attacks and where it resides in order to assess the security controls. Big databases are often the main target because one single successful attack can result in higher return on investment. If hackers consider ROI in their plans, shouldn’t companies also assess their ROI with regards to security management resources and invest the necessary resources when the ROI justifies the investment?
5. Understand your weaknesses. Identify the gaps in your security controls and take steps to reduce risks as much as possible. Periodic risk assessments are required to determine the required minimum security improvements and costs. When security weaknesses are understood, management can decide to accept or reject a risk by taking the appropriate action.
6. Have a plan B. In addition to a being prepared to respond to a data breach incident, big part of a plan B is to compensate for compromised security controls by having policies and procedures to prevent identity theft which results in financial losses and other negative consequences. Design and implement an identity theft prevention program to prevent stolen information from being used against your company. Certified Red Flag Specialist professionals are the most qualified experts to help prevent identity theft in any organization.