Advice on Data Breaches – Big Mistakes Made by Organizations
Breaches happen all the time. It’s hard to tell if they’re more common these days or if we simply hear about them more, as reporting them is now often a legal requirement. GDPR introduced that legal stipulation in Europe. A little later, other jurisdictions followed suit (Canada, California, and others). Yes, Canada has a legal requirement to report and go public when personal data gets breached. We’ve had one for a while now.
Ignorance of the law will not get you out of any legal issues that come up if you have a Breach. It’s not considered a valid defense. Depending on the court and the charges, it may make things much worse.
There is plenty that can be learned by having a Breach, but don’t wait. There are some things you can grasp and do before this happens:
1) Have an Incident Response Plan – In order to be useful, it needs to cover what to do in the event of a Breach. It should also be as specific as possible. It’s an emergency plan, after all; you don’t want to be wasting time going “Okay, now what?” Make sure you have specific individuals or positions called out as being responsible for precise tasks. Double-check that those assignments are described in as much detail as possible.
2) Make sure everything is logged – PIPEDA and PCI-DSS both have regulatory requirements for logging and log retention. At the end of the day, the situation you’ll be investigating is a Breach of Data. You need to have enough logs to, hopefully, identify how it happened. This may mean putting in additional safeguards and steps for various things, simply so you have those records. It may also mean looking into a logging solution (spending actual money directly on logs). Not all logs are electronic; sign-out books, camera footage, and parking records could all be useful in different situations. Look at the information you’re protecting and how you are using it to decide on effective methods of recording access.
3) Active hardware and software monitoring – A spreadsheet and a stack of receipts is not active monitoring. You need to be keeping a close, ACTIVE eye on what gets installed on your organization’s computers, as well as the hardware that gets connected to internal networks. As this is usually completely ignored, I can’t stress the importance of it enough.
Once you have a Breach, it’s also important to handle it properly. Again, plenty can be learned from the mistakes that other organizations have made over and over and over again:
I) Get your initial Breach Notification out quickly – Once it is discovered, you need to acknowledge the Breach quickly. The number of times companies discover a Breach and think it’s more important to contain it and find out details, before acknowledging they even had a Breach, is staggering. This is dangerous for several reasons:
a) There are regulatory requirements to get that Breach Notification out quickly.
b) Delaying the notification makes it look like you are more concerned about your reputation than about the people affected.
II) Offer users useful advice – In order to do this, you need to be certain about the nature of the data that was leaked. If there were any emails, then advice about being mindful of Phishing Attacks would come in handy. If the data included passwords (in any form), then advising people to reset their passwords would be appropriate. If there was enough data for an attacker to reasonably perform some type of Identity Theft, then you may need to consider offering Credit Monitoring for a set period.
There are no form letters or one-size-fits-all methods to deal with a Breach. They’re all different, because the business is different and so is the data that gets breached. However, there are strategies you can use to minimize both the risk of a Breach occurring and the monetary cost if one does. Breaches are not only expensive, they are time-consuming too. You need to do everything you possibly can to prevent one, but since you shouldn’t assume your defenses are perfect, you also need to plan for one.
“There is no darkness but ignorance” (from “Twelfth Night” Act IV, Scene II – Will Shakespeare certainly had something for everything!)
If you have any questions about Breach Defenses, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.