Among the important things a business must do in responding to a cyber attack or data breach are containing and analyzing the problem, and notifying employees, vendors, customers, legal authorities and the media about the problem and what is being done to resolve it.
These and other issues were touched upon during the “Responding to an Attack – Damage Control” panel discussion at yesterday’s Cybersecurity Summit, presented by the New Jersey Business & Industry Association and held at the APA Hotel Woodbridge.
Moderator Warren Cooper, senior communications specialist at Evergreen Partners, opened the discussion with the question: “What processes must an organization have in place after a breach is detected?”
According to Eric Levine, an attorney with Lindabury, McCormick, Estabrook & Cooper, P.C., “A company must have a plan in place well before a cyber attack occurs.” The company should identify key staff people to respond and deal with the various parties to “contain and analyze” the situation. “The important thing is you need a plan in place, even if it’s just one page,” he told the audience.
“The company should also test the plan on occasion by having ‘cyber fire drills’; this could protect it against liabilities,” Levine said.
While the main comments of the day focused on the importance of educating employees on cybersecurity efforts, John Verry, managing partner at Pivot Point Security, said that security breaches are increasingly coming from third-party providers, as they handle more and more companies’ data processes on the cloud. Because of this, “your company’s incident response plan must dovetail with your third-party providers’ … For the small company, the source of your data breaches will be coming from outside your door,” he said.
Angelo Mendola, chief operating officer, Priority Payment Systems Local, added that third-party connections are very dangerous if the right security steps are not taken. At the same time, the third-party provider can help in the investigation of the security breaches, he said.
Regarding small businesses, Verry said it is a fallacy that they do not need security systems in place at the level of larger companies. “If you want to do business at that level, with those companies, you need to have in place the security practices that they expect. … that is an unfortunate reality,” he said.
Regarding individual employees, Levine said that a company should not make its workers feel too intimidated to report a security breach that may have been their own fault. An environment of openness must exist where employees are then educated on security best practices, he said.
Warren commented that cyber security and related company reputation issues are top priorities in corporate boardroom discussions today.
Verry added that someone with cyber security experience should be sitting on the corporate board.
On the technical side, he said companies should shut down systems as soon as the breach is detected. He added that servers that haven’t been corrupted should be protected.
To help law officials, he said data and systems should be preserved for the investigation, which could take months to pinpoint when and how a breach occurred. “This will be all used as evidence later on,” he said.