Data breach checkup: How’s your incident response plan?
As I see Home Depot’s initial response to what appears to be the latest massive credit and debit card breach, it reminds me of a best practice that many businesses fail to implement: An incident response plan.
In the past it might have been easy to gamble that your business was below the radar of the cyber-crime rings stealing credit card information. But a scan of even a partial list of 2014 breaches should tell you that you cannot hide: Dairy Queen, P.F. Chang’s Restaurants, Sally Beauty, Goodwill Industries, California’s Department of Motor Vehicles, Michaels Stores, Aaron Brothers, and, of course, Target.
Do you have an incident response plan? Organizations, including the U.S. Department of Defense, are moving beyond the notion they can prevent every attack and are instead protecting their networks as best they can, while also developing response plans that are approved by stakeholders to help them cope in the event of a breach.
Here are my top 5 tips for developing a basic incident response plan that may help improve decision making and internal and external coordination in the event of a breach:
1. The plan: Incident Response Plans help to provide the overarching approach to managing various types of incidents your business may experience, such as a breach of customer information, a prolonged website outage, or a smoke screen attack, to name a few. The plan should ideally be in electronic and printed form and readily available to those team members who might be involved in managing through a breach.
2. Stakeholders: Who needs to be involved and when? Plans can include key IT staff, senior managers, finance team members, as well as others who need to be involved, and indicate at what point each person needs to be contacted, with up-to-date contact information such as phone numbers, email addresses, physical addresses, and social media information, such as Twitter handles.
3. Communication: What to say, when, and to whom is essential in any crisis that can harm the reputation and financial well-being of a business. Talking points for managers to staff, and, as needed, for employees to speak externally, whether that’s to clients, the media, or the public, are important to have in advance of an event. The plan may include complete scripts for customer-facing staff to ensure the information your business provides is consistent.
4. External Partners: Your business probably won’t go it alone in a breach or other significant incident. Plans that include contact information for law enforcement; journalists and bloggers, as appropriate; and knowledgeable third parties, such as IT consultants, legal experts, or outside media relations experts that you have signed contracts with, can be helpful to enlist others’ help on short notice.
5. Technology: Itemizing the tools that will be used to investigate, mitigate, and quantify a potential incident will better prepare you and your organization for future threats and make your incident response plan stronger.
Once your organization has a plan, try testing it. Conduct an initial drill to see if the plan is complete and functional, and then schedule follow-up drills — annually, or with whatever frequency is appropriate to your business, to help ensure the plan remains up-to-date and effective.
If you want a deeper dive into incident response plans, McKinsey & Co. developed some helpful parameters late last year. Breach events these days come in many shapes and sizes. A little advanced planning can make the incident a much more manageable experience for you, your team members, and, most importantly, your customers.