These are 4 questions you need to consider after a data breach
By Albert Kuo

In the moments after a security breach is detected, moving quickly matters a great deal for Singapore businesses, especially now that the Personal Data Protection Commission (PDPC) plans to revise the Personal Data Protection Act (PDPA) to require companies to notify it of breaches within 72 hours.
Before these incidents occur, it is vital to have a plan that lets you investigate incidents quickly and accurately. The company's decision-makers need to understand ahead of time where critical assets lie and what information may need to be reported, so that the Incident Response (IR) team is not carrying that burden after a breach.
To make sure IR teams are ready when an attack happens, here are four questions they should be able to answer from the moment a breach is detected, so that the information needed to disclose it to the relevant stakeholders is already at hand:
1. What’s the scope of this incident?
There is only one thing worse than announcing leaked records, and that is having to make the same announcement more than once. Organisations need to know exactly how extensive a breach was in order to avoid that, or, as some companies do, accept announcing the maximum possible number of affected users before the investigation is complete. Playing it safe has pros and cons, but the better solution is to identify what stops the IR team from scoping a breach precisely (missing logs, short retention, no inventory of where sensitive data lives) and to remove those roadblocks before an incident, wherever possible.
2. Which regulation or standard does the breach fall under (e.g. PCI DSS or HIPAA)?
If the IR team has only 72 hours to gather as much information as possible about a breach before reporting it, it is critical to know up front which obligations apply, because each regime defines its own protected data, notification deadlines and required evidence. Requiring companies to report breaches does not just mean there is less time before customers learn about an incident. It also means that the organisation will be expected to answer more specific, technical questions about the incident in a shorter timeframe.
3. Who is affected?
Identifying precisely which customers were affected is necessary to limit the damage to the company's reputation. Security breaches are a fact of modern life, but customers still expect stringent protections and data privacy. When a breach does occur, company leaders across functions will need visibility into which systems and records the attacker reached in order to answer this question right away.
4. What did the attack campaign look like—and are the attackers still present?
According to a report from PwC, business leaders in Singapore who had experienced a cyber attack said that these incidents primarily occurred through the exploitation of mobile devices and phishing. Beyond understanding how an attacker got past the organisation's defences, the organisation also needs to determine whether the attacker is still inside the environment; reporting a breach while the intruder retains access means the scope can keep growing after the notification goes out. This goes hand in hand with the current breach detection gap: in 2018, attackers could dwell inside an environment for about three months on average before the breach was detected.
As Singapore and other governments around the world continue to strengthen consumer protections and privacy rules, this last question will grow more and more important. We are moving away from a time when security was treated as a purely internal matter for companies; as breach reporting becomes more public, customers will put the organisations they trust under closer scrutiny.
Implementing frameworks like the Center for Internet Security (CIS) Top 20 Critical Security Controls can help organisations answer these questions quickly, but many need help extracting value from ambitious frameworks that demand better visibility and more efficient use of security resources. We have seen how an emerging category of security analytics products can help.