You’ve Been Breached, Now What? Best Practices for a Successful Incident Response Program

Post By: Dean Gonsowski

The latest breach of Lady Gaga and Madonna’s personal records stored by celebrity law firm Grubman Shire Meiselas & Sacks (GSMS) is a wakeup call, not just because of the celebrity status, but because it shows it can happen to anyone. Maybe the idea that collecting too much personal information causes more harm than good, coupled with looming enforcement of the California Consumer Privacy Act (CCPA), will actually make a material impact.

In the meantime, below are my top five incident response (IR) tips for compliance officers to keep in mind. Now is the time for every company – small or large – to reevaluate its data collection and retention policies and start thinking about how to build a sustainable IR program.

  1. Understand Your Entire Data Estate. It’s great to have processes in place to protect your perimeter – but what about protecting the data that you don’t know you have? Unstructured or “dark data,” which Gartner defines as “the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes (for example, analytics, business relationships and direct monetizing)” can pose unknown risks to an organization. Forgetting to protect unstructured data is a big mistake and one that organizations frequently make. By creating a clean data inventory of unstructured assets, compliance professionals can minimize risk by identifying and deleting unnecessary data.
  2. Minimize Your Data Footprint. Successful organizations are proactively reducing their information surface area to reduce the scope of data they need to protect. It’s important for companies to strike the right balance between keeping data for value extraction and deleting it for risk mitigation. Proactive data minimization practices will continue to gain momentum as the velocity and veracity of cyber-attacks continue.
  3. Classify Your Data. A common trait of a successful IR program, yet one that is frequently overlooked, is data classification. Would you protect a $20 ring that you got at the mall the same way you’d protect an expensive family heirloom? No. That same logic applies to data. A successful IR program considers the classification of data and assigns an appropriate protection scheme. By defining the different actions needed, based on data value and sensitivity, organizations are better positioned to respond effectively.
  4. Identify the Players. We often hear that “IR is a team sport.” Your team needs to be made up of the right players, both people and technology. Attackers are evolving quickly, and the right combination of people and automation allows organizations to rapidly change their approach depending on the situation. The same goes for using managed services or keeping work in-house. While relationships need to be maintained with external third parties, such as forensic experts, what to keep in-house ultimately depends on an organization’s security maturity. Creating an effective incident response program requires substantial work and dedicated project resources. Whether kept entirely in-house or contracted to a third party, all effective incident response plans need executive buy-in. This is the long tail of the actual work that must get done, particularly post-breach.
  5. Practice, Practice, Practice. “If you fail to plan, you are planning to fail.” All successful incident response programs share one thing in common – they’ve been tried and tested. One of the biggest mistakes a company can make is creating an IR program but forgetting to battle-test it with employees. Review your IR program quarterly, conduct mock training sessions, and put measures in place to ensure that there are no points of failure when a real-life situation occurs.
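Tips 1 through 3 (inventory the unstructured data you hold, classify it by sensitivity, and prune what you no longer need) can be turned into a repeatable check. The script below is an added example written for this post, not code from the author or from Active Navigation. It walks a directory tree, records size and age for every file, assigns a classification tier from constructed detectors for e-mail addresses, US Social Security numbers and Luhn-valid payment card numbers, and lists stale files that still hold sensitive content as candidates for a deletion review. The tier names, the detectors, the 365-day retention threshold and the sample files it creates are all assumptions chosen for illustration; a real program would substitute its own classification scheme and retention schedule.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical classification tiers; an organisation's own scheme would replace these.
TIERS = {1: "internal", 2: "confidential", 3: "restricted"}

# Constructed detectors for common personal-data patterns (illustrative, not exhaustive).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (invoice refs, IDs) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> int:
    """Return the highest tier triggered by the content; tier 1 (internal) if nothing sensitive is found."""
    tier = 1
    if EMAIL_RE.search(text):
        tier = max(tier, 2)
    if SSN_RE.search(text):
        tier = max(tier, 3)
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            tier = max(tier, 3)
            break
    return tier


@dataclass
class Asset:
    path: str
    size: int
    age_days: float
    tier: int


def build_inventory(root: str, now: Optional[float] = None) -> List[Asset]:
    """Tip 1: inventory every file under root, most sensitive and oldest first."""
    now = now or time.time()
    assets = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            try:
                # Only the first 64 KiB is sampled; enough for a classification pass.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    tier = classify_text(fh.read(65536))
            except OSError:
                tier = 1
            assets.append(Asset(path, st.st_size, (now - st.st_mtime) / 86400, tier))
    return sorted(assets, key=lambda a: (-a.tier, -a.age_days))


def deletion_candidates(assets: List[Asset], max_age_days: int = 365) -> List[Asset]:
    """Tip 2: stale files that still hold confidential or restricted data go on the review list."""
    return [a for a in assets if a.age_days > max_age_days and a.tier >= 2]


def tier_by_name(assets: List[Asset]) -> dict:
    """Convenience view: file name -> tier, for reporting and for the checks below."""
    return {os.path.basename(a.path): a.tier for a in assets}


def make_sample_estate() -> str:
    """Constructed sample file share: one stale payroll export, one newsletter, one invoice."""
    root = tempfile.mkdtemp(prefix="estate_")
    stale = time.time() - 800 * 86400  # constructed: last modified ~2.2 years ago
    samples = {
        "hr/payroll_2017.csv": ("name,ssn\nJane Doe,123-45-6789\n", stale),
        "marketing/newsletter.txt": ("Spring sale, contact press@example.com\n", None),
        "finance/invoice_4421.txt": ("Invoice 4421 amount 19.99 ref 1234567890123\n", None),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        if mtime:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    inventory = build_inventory(make_sample_estate())
    for a in inventory:
        print(f"{TIERS[a.tier]:<13} {a.age_days:7.1f}d {a.size:6d}B  {a.path}")
    print("review for deletion:", [a.path for a in deletion_candidates(inventory)])
```

Run against the constructed share, the payroll export is classified restricted (it contains an SSN) and, being well past the retention threshold, is the only deletion candidate; the newsletter is confidential because of the contact address; the invoice stays internal because its 13-digit reference fails the Luhn check. Sampling only the head of each file keeps a pass over a large estate cheap, at the cost of missing sensitive content buried deeper in a file, which is the usual trade-off to tune once the inventory exists.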

These tips are not the only actions that will help you mitigate the risk of a data breach, but they will get you on the right track to begin getting your data estate in order. With new data protection regulations being implemented globally, and hackers getting more sophisticated, what are you waiting for?

About the Author: Dean Gonsowski, Esq. is the Chief Revenue Officer for Active Navigation which is headquartered in the DC Metro area.