What to do when your infrastructure has been breached

Avengers assemble

With a plan in place, thoughts need to turn to assembling a team to respond to the breach. This team should be headed up by someone who understands the technical aspects of security, and should include the technical staff responsible for securing the different corporate systems, according to David Emm, principal security researcher at Kaspersky Lab.

[Image caption: HR and PR should be involved in the response against the intrusion]

"However, given the increasing public profile of security breaches, it's also vital the incident response team includes HR, legal and PR teams," he adds. "I believe it's important for this team to have ongoing responsibility for evaluating the security posture of the company – rather than just assembling in response to a breach."

The role of the incident manager and their deputy is vital, says Emm. Sometimes, this will be the CISO, who understands both technical and business aspects of the organisation. "Although I think their formal title is less important than the fact that they have buy-in and support from the corporate executive team," he notes.

Regulatory environment

Andy Thomas, European managing director at CSID, says that as the regulatory environment within Europe is changing with the adoption of the EU General Data Protection Regulation, a breach preparedness team becomes more important in order to navigate the changes in regulation and the new obligations that many companies will face.

Thomas advises businesses to consider the following points: "What regulatory obligations does the company have regarding the breach? What data has been lost and does this require notification to the local data protection authorities? What timeframe do we have to make such a notification? What contractual liabilities and obligations do we have with our suppliers or customers?"

Fixing things

Post-breach, attention should turn to fixing things. Mitigating the damage is more important than placing blame, and speedy remediation is dependent on good visibility.

"The faster you can see and determine the size of the hole in your safety net, the faster it can be repaired," says Pedro Abreu, chief strategy officer at ForeScout Technologies.

"You'll want ideas from all corners of the organisation, as well as buy-in across the board when a mitigation plan is put into action. Lastly, anticipate the questions that will undoubtedly come your way from the media and all concerned parties, and prepare answers in advance."

[Image caption: Learn from your mistakes, and bolster your defences]

Learning from mistakes

In the vein of "fool me once, shame on you; fool me twice, shame on me," cyber-defences must evolve intelligently, automatically and rapidly to prevent the same tactic from working twice.

"Pragmatic, real-world defence depends not on making a network impenetrable but on making it so challenging to crack that most attackers will eventually move on to easier targets," adds Abreu.

To that end, he says, organisations should be as proactive as possible. This means taking a multi-layered approach to network defence that includes conventional components such as antivirus and firewalls, as well as endpoint protection that can limit the potential for malware to penetrate the network through known and unknown devices.

"Integration of your security systems is critically important. If your security systems are siloed, they're not sharing information and automating workflows for effective defence and rapid response," Abreu concludes.