According to CNN Money, almost half of all the adults in America have had their personal information exposed in the past 12 months.  This includes information like debit/credit card numbers, passwords, phone numbers, email addresses, birthdays, physical address, etc.  You've seen the headlines.  And you've probably wondered what life is like for those poor souls who have to clean up the mess of having their personal information stolen.  Well, the reality is, if you haven't already had your information stolen, just wait...you will.


Here are a few recent examples of companies that experienced data breaches:

  • One online auction site felt the effect of a spear phishing attack that turned into a major data breach. 
  • A major retail store is still reeling from the loss of millions of credit card numbers and other personal information.
  • A top clothing chain leaked out ~350,000 customer credit card numbers while they essentially ignored nearly 60,000 system security alerts over an 8 month period.
  • An online photo sharing site recently figured out it's better to say "sorry" than act like it never happened.
  • An arts and crafts retailer recently disclosed that 2.6 million credit and debit cards may have been compromised.  I thought only people like my mom and grandmother shopped at those kinds of stores?  Well, they do...and they get their card information stolen.


These are just a few of the many, many recent examples I could list. And it highlights an interesting point: is the bigger problem the fact that the data breach happened or is it the way it was handled after it happened?  The Institutional Shareholder Services (ISS), a prominent proxy advisor group, said one of these companies "should have been aware of, and more closely monitoring, the possibilities of theft of sensitive information" and they advised stockholders to vote out 7 of the 10 members of the company's board.  The CEO of that organization has already resigned.  Would the CEO still have a job if he had handled this problem differently?  Maybe, maybe not.

The fact remains that it's important to know what you are going to do in a cyber attack situation.  If you are a company that collects and stores personal information on your customers, you need to have a plan.  You certainly need to protect your customers' information as much as possible, but you also need to know what you will do when that information is stolen...because chances are really good that it will be.  This seems like a defeatist attitude, and it's one that I don't personally like to have.  But, unfortunately, it's the truth.

I won't outline a fully exhaustive data breach plan here, but I will mention a few important things to consider.  By the way, I took some of these ideas from a DDoS playbook written by F5's own David Holmes...so, thanks David!

  • Train your employees on cyber security issues (don't open suspicious attachments, look out for spear phishing attempts, etc.)
  • Don't ignore security system alerts; you have them for a reason
  • Take note of the attack details; it's best to have as much information as possible
  • Know your applications; you can't reliably report on something you haven't mapped out yet
  • Develop a contact list of customers, business partners, stakeholders, etc.
  • Be willing to work with law enforcement; they will probably get involved anyway, so you might as well welcome the relationship
  • Have a social media plan; we live in a world where social media is king...get on board and use it to your advantage
  • Don't be afraid to admit something happened; I get it that you don't want to admit anything happened, but it's better to be honest than try to cover it up

The last thing I'll say is probably the most important: practice your plan!!  Set aside some time to run through your plan with all the appropriate stakeholders...I guarantee it won't go as smoothly as you want the first time around.