Of all the security incidents that can affect a small business, a data breach of sensitive information is perhaps the most severe and the one with the most significant negative impact. Every business likely processes some Personally Identifiable Information (PII), whether of employees, customers, or both. Other forms of sensitive information include trade secrets, company financial data, and reports on new products and discoveries. All of these are prime targets for threat actors, who can exfiltrate the data and post it online or on the dark web, or sell it to competitors. Data breaches can result in all kinds of negative consequences: financial ruin, reputation damage and customer loss, and legal consequences if the breach resulted from negligence on your part. Data breaches are growing in frequency as more organizations move online and embrace new technologies.

Due to the serious negative consequences of a data breach, your business needs to have a comprehensive Data Breach Response Policy in place. While your Incident Response Policies and Playbooks already cover many of the key points, a data breach is usually a more severe incident with a larger array of victims. Therefore, it requires more specialized response measures.

The first step is to ensure that your organization has communication channels established with all parties whose data is processed and stored in your systems. This includes all customers, employees, and company stakeholders. These communication channels should have been established earlier in this framework. They can include mass email groups, SMS alerts, and even emergency phone calls. If a data breach does occur, alerting all parties affected reflects well on you and can stem some of the anxiety caused by the breach.

Your Data Breach Policy should include a clear definition of what a data breach is, as well as definitions of what kind of data constitutes a severe breach. The policy should outline and encourage a reporting process for all employees to follow if a breach is detected. With the help of the RACI Matrix created in Cybersecurity Roles & Responsibilities, you should next outline a clear hierarchy of responsible parties at different stages of a breach report.

Next, your policy should provide a playbook to be followed to assess the validity of the breach, identify the affected assets and individuals, determine the root cause of the breach, and determine the mediums through which the data has been exfiltrated and revealed. This playbook should also clearly define which roles are responsible for the different steps and to whom they should report.

The next phase of the policy should outline the basic containment and eradication measures to eliminate any attack methods still present in your systems and networks. Different breaches can result from different tactics, techniques, and procedures, which can have a wide array of potential remedies. The exact response measures will be determined through the root cause analysis and the details gathered during the initial detection. However, your policy should outline some basic universal measures, such as patching systems, isolating affected workstations from the network, performing malware scans, and reviewing system logs for suspicious activity and indicators of compromise. Throughout this process, all involved parties should keep proper documentation of what they have discovered and its implications.

Finally, the policy should include guidelines for contacting the necessary personnel and bodies. These include customers, employees, stakeholders, law enforcement, and regulatory bodies, if applicable. Breach notifications should be clear and concise, and should tell the recipients what occurred, what data was affected, when the breach occurred, when it was detected, what response steps have been taken, and what the affected individuals should do. Breach notifications are very important for damage control, and some regulatory bodies require them to be sent within a specific period. For example, GDPR requires notification within 72 hours of detection.

A data breach can potentially be the worst crisis to impact your business, and this framework aims to help you take all the measures possible to prevent one from occurring. However, there is no guarantee that one won’t occur, which is why you must have a clearly defined policy in place for when that dreaded day occurs.
