From the Ground Up
by: Guest Columnist Jason Chang
This month will be a guest post. Jason Chang, Founder of Variable Path, Inc. – an information security consultancy, will discuss the value of planning for a data breach. Since cyber security is a topic of growing importance, it is something I want to make sure my clients, colleagues, and friends are all aware of, and able to plan for. I hope you enjoy it. – David Hale
“There are risks and costs to a program of action – but they are far less than the long range cost of comfortable inaction.” —John F. Kennedy
It behooves us to know how we are going to respond to any emergency. A data breach is no different. The ultimate question is: will we be caught flat-footed? Or will we be prepared?
Breaches are much more than a loss of data; they are a race against time.
Once a breach occurs, you may find that you cannot trust your internal systems, controls, or even personnel. It is a best practice for breached organizations to have a neutral third party experienced at incident resolution waiting in the wings.
Here are 5 things to consider that should make your response to the inevitable data breach more effective:
1) YOUR FINITE TIME
The goal of breach resolution is a fast response. You still have to run your business, plus get enough sleep to be able to make critical decisions quickly. Some of those decisions may be the most critical of your company’s life. You may have a financial war-chest to spend, but you will have limited time. Plus, in your hour of need, consultants’ fees can skyrocket, so your war-chest may not be as big as you originally thought. The bottom line is to reset your schedule over the next 10 to 15 days. Shelve everything that is non-essential and clear space around you so you can focus on what to do next.
2) ONLY THE MOST TRUSTED
Gather only your most trusted employees. This is one of the most important decisions [1]. The worst possible thing you could do at this point is start delegating to an insider threat. Next, determine the capabilities of your staff. This is essential. Which members of your staff can work when, and where? Who can work on-site, from HQ, in remote branches, over VPN, or off-site? Who can work at night, on weekends, and during standard business hours? 24/7 coverage will be vital to helping you plan your response.
3) WHO YOU GONNA CALL?
We know 911 will connect us with trained professionals when there is an emergency. Problem is, they don’t cover data breaches. Do you know who you can turn to if you suspect you may have a breach? If not, make some contacts ASAP, before a breach happens. When you have limited time to react, it is better to know who you are calling ahead of time.
It is also to your advantage to work out the cost of breach resolution ahead of time. Do not expect a reasonable hourly rate if you are finding a professional at the last minute. Do not use your existing internal IT as your “trusted professionals”; you need specialists that understand how to calculate risk, not generalists that are focused on uptime.
4) SECURE COMMUNICATIONS
Once you’ve figured out WHO you can trust, you need the HOW. We need a secured method of communication. SMS/texting from cell phones is a decent stopgap as long as your phone doesn’t sync to anything on the corporate network (SMS itself is not end-to-end encrypted, which is why it is only a stopgap). Don’t forget, in this exercise we are assuming that the corporate resources have been compromised. So don’t use Outlook from your phone [2]! An easy upgrade to your security is to download and use a secure messaging app for your smartphone communications.
5) BREACH/CYBERSECURITY INSURANCE
Due to its infancy, breach/cybersecurity insurance is one of the fastest advancing, least regulated, and most misunderstood lines of business insurance. Unlike more traditional lines of insurance, there is no standard coverage or formula. There is a great deal of variance in policies as a result, and your coverage can vary wildly. Policies cover anywhere from first-party to third-party liability. Attorney costs, data loss, customer notification, customer loss, PR, civil penalties, government penalties, forensics, damages, breach of trust, and other losses are all part of the formula.
Generally, when it comes to fire, robbery, or life insurance, your insurance company will not pay out if it finds evidence of negligence or fraud. If I have no front door, it is unreasonable to expect to get reimbursed for a robbery. If I lie about breach controls, it may disqualify me from claiming any insurance payout [3]. If an accident happened, I would not have the help I was counting on. Many carriers of breach/cybersecurity insurance will not honor claims where reasonable controls have not been established or maintained. So, buyer beware [4]. Pay extra attention to the list of questions you are presented with by your prospective insurer. The complexity of best-practice controls varies among insurers.
In conclusion, businesses with action plans written and shelved will be less operationally and financially impacted by a breach. These are the businesses that will save time and make efficient use of staff and resources to securely lock down the breach in the fastest possible time. While breach insurance cannot replace operational security, it is also worth looking into. By following the best practices that some insurance underwriters promote, you give yourself the best chance that your claims are honored. Together, all these resources may help make the difference between survival and failure.
Jason Chang, Founder, Variable Path, Inc.
1. Brian Lapidus, Managing Director & Practice Leader for Identity Theft and Breach Notification; Data Breach Prevention Tips; Kroll, Inc.; 2015
2. IT Research Desk; University of California at San Diego; Security Concerns with the Outlook Mobile App; April 29, 2016
3. Lisa Vaas; We Don’t Cover Stupid, says Cyber Insurer that’s Fighting a Payout; Naked Security; May 28, 2016
4. Press Release; Nearly Half of Organizations Unsure if Cyber Insurance Will Payout for Evolving Email Attacks; Mimecast (symbol: MIME); June 7, 2016