Business owners have to constantly think about the “big bad wolves” who are looking to exploit a company’s vulnerabilities. In today’s tech-based world, cyber attackers have become a serious threat. One in five small businesses suffers a cyber attack each year, and of those, 60% are out of business within six months.[1] However, business owners can help protect their organizations with a sound incident response plan. Remember those three little pigs? It’s time to follow the third little pig’s example by being aware of the risks and preparing for a cyber attack.
Why You Need an Incident Response Plan
- Reported cyber breaches are on the rise. The Identity Theft Resource Center (ITRC) tracked 1,093 U.S. data breaches in 2016. That’s a 40% increase from the 781 reported in 2015, and a 596% increase since 2005, when the ITRC began tracking data breaches.[2] The types of cyber breaches seem to be shifting from the mass theft of personally identifiable information and payment card data toward attacks on smaller, data-dependent businesses, in which stolen data or entire networks are held hostage by ransomware (a type of malware that locks users’ systems and disables critical data until victims pay a ransom). During 2016, there was a 300% increase in the number of ransomware attacks per day (more than 4,000 daily).[3] Responding quickly and effectively to a ransomware attack is crucial to minimizing its operational impact.
- Cyber-attack costs are reported to be the highest yet. The Ponemon Institute (an independent company conducting research on privacy, data protection and information security policy) began tracking data breaches in 2006. On average, a single data breach can cost companies $221 per compromised record. Ponemon found that having an incident response plan could reduce the per-record breach cost by nearly $26, in addition to significantly reducing the overall cost of breach identification and containment.[4]
- It’s the law. To date, 47 states, the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands have each enacted their own breach notification laws. In addition, there are several federal notification requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for healthcare and downstream entities, as well as the Gramm-Leach-Bliley Act for financial institutions. All of these laws and regulations require that someone – the affected individual, state attorney general, department of insurance or federal government agency – be notified within a set amount of time, often as little as 24 hours after the breach is discovered. So while the laws and regulations might not specifically state that an organization is required to have an incident response plan, it is certainly implied that the organization had better know how, and to whom, to respond following an incident.
Forming a Plan
The incident response plan is not a reactionary step in cyber security, but rather a proactive and continuous process. An organization’s incident response plan should be unique to the company, taking into account the organization’s size, structure and nature of the business. Once a data breach is discovered, time is of the essence. Therefore, it is important that the incident response plan be written at an unusually granular level, drilling down into the details of virtually every possible situation so that the incident response team can promptly respond. Given the complexity of data breaches and the significant implications on operations, organizations are encouraged to work with experienced data security legal counsel and information technology (IT) security professionals when developing an incident response plan. At minimum, the plan should include the following components.
- Internal incident response team information. The response team is the foundation of an effective incident response plan. Because data breaches affect all areas of an organization, it is important to identify each group that might have a stake in the response and include them on the response team. Specific roles and responsibilities of each team member should be defined to provide guidance and prevent duplication or confusion during an incident response. Maintain a contact list for all incident response team members, including after-hours contact information and alternate contacts in the event a team member is unavailable.
- External breach resource information. The complexity of data breaches often requires unique expertise and experience that exceed the skills and resources of the internal incident response team. Identifying and vetting external resources prior to a breach can save valuable time and improve response efficiency. External resources and stakeholders include IT forensic investigators, legal counsel, law enforcement, regulators, public relations firms and insurance carriers.
- Breach response guidelines and procedures. Clear guidelines and procedures enable the incident response team to take action without fighting through red tape in the midst of an incident. The guidelines and procedures should provide detailed steps to be taken throughout the incident response life cycle (including detection, analysis, containment, eradication, recovery and post-incident activity). The communication procedure is especially important in defining the response strategy and protecting the organization’s reputation.
- Breach notification and a remediation plan for affected individuals. The breach notification process is complicated. As noted above, there are multiple state and federal laws and regulations that require notification following a breach of privacy. Many of these also require that identity theft and/or credit monitoring services be offered to affected individuals. Business contracts, industry licenses and user agreements may create additional notification obligations to partners and vendors. Given the variances in laws and penalties for violations, experienced legal counsel should be engaged to write the notification plan and assess each data breach. The breach notification and remediation plan for affected individuals should include:
- who and when to notify
- what to include in the notification letter
- remediation services to be offered (if any)
- the logistics of notification and enrollment for remediation services (if necessary)
Will It Hold Up? Put it to the Test!
The worst time to find out that your incident response plan doesn’t work is during a breach. After the plan is developed, it is imperative to practice, audit and update the written plan on a regular basis. A tabletop exercise enables the response team to identify areas of improvement and helps ensure that team members understand their roles and responsibilities. The incident response plan should be audited at least twice a year and updated as often as necessary.
Business owners are encouraged to take advantage of the many cyber security resources available (some at no charge). The Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) both recently released cyber security guidance to help businesses. The FTC’s Data Breach Response: A Guide for Business outlines steps to take after a breach has occurred, such as securing operations, fixing vulnerabilities and notifying appropriate parties. NIST’s Small Business Information Security: The Fundamentals is designed to help businesses take basic steps to better protect their IT systems with a simple risk assessment. These materials can provide invaluable information and guidance to help business owners protect their organizations.
Cyber insurance is also a key component in risk management programs because most cyber risks are not covered by traditional insurance policies. Many of the data breach costs are eligible for coverage under a cyber insurance policy, including first-party expenses and third-party losses. In addition, most cyber insurance products include access to pre-breach risk management services and post-breach, pre-vetted resources. The scope and cost of cyber coverage varies drastically depending on an organization’s industry and risks, so discussing these options with an insurance professional is strongly encouraged.
Outsmarting the Wolf
No business owner wants to learn that their organization is the victim of a cyber attack. However, the “big bad wolves” are quickly becoming more sophisticated and are attacking more frequently. Therefore, in addition to cyber insurance, it is essential to have an incident response plan in place that has been practiced and tested. Doing so could mean the difference between an organization crumbling or standing strong during such a tumultuous event. Are you going to hide behind sticks and straw, or build a brick fortress? The Professional Risk Services Team at SilverStone Group is ready to help you lay the foundation for an incident response plan that could help save your organization following a data breach.
[1] “60% of Small Businesses Will Close Within Six Months of a Cyber Attack – Will Your Company Survive?” October 22, 2015. Financial Computer, Inc. website. Accessed on December 9, 2017 at http://www.financialcomputer.com/2015/10/60-of-small-businesses-will-close-within-six-months-of-a-cyber-attack-will-your-company-survive/
[2] “Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and CyberScout.” January 19, 2017. Identity Theft Resource Center website. Accessed on February 21, 2017 at http://www.idtheftcenter.org/2016databreaches.html
[3] “Ransomware.” United States Computer Emergency Readiness Team (US-CERT) website. July 11, 2016. Accessed on December 9, 2016 at https://www.us-cert.gov/security-publications/Ransomware
[4] 2016 Cost of a Data Breach Study: United States. Ponemon Institute and IBM. 2016.
This article originally appeared in the 2017 | ISSUE ONE of the SilverLink magazine under the title “If They Huff and Puff, Will Your Business Blow Down?”