How does your data breach response plan measure up?

Organizations should conduct regular stress tests for peace of mind and to quickly, efficiently mitigate threats


Many savvy organizations are investing time and thought into data breach response plans.

But plans rarely survive first contact with the enemy. That is why it’s important to stress test your incident response plan to identify weaknesses while time is on your side.

Studies show that a swift response to a security incident retains customer trust—and saves costs. Breaches contained within 30 days of discovery cost an average of £2.15m ($2.7 million), according to the Ponemon Institute. If it takes more than 30 days to contain the breach, the average cost increases to £2.89m ($3.6 million).

But speed can’t be mandated by the plan. For this reason, plans should be stress-tested on a semi-annual or annual basis, as if you were experiencing an active data breach.

Focus on most likely scenarios

You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.

By the time you work your way down to less-likely and less-costly threats, you’ll already have covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself, one that won’t emerge naturally in the planning phase.

Make it more than a technical exercise

By the time Target alerted its customers about its historic breach in December 2013, several days already had passed. The delay impacted consumer faith and the retailer’s bottom line, and was a consequence of Target’s leadership treating the breach as a purely technical issue.

Nontechnical staff, such as legal, public relations and human resources, should participate in stress-test activities, too. Try to strike a balance between internal staff, who may be more familiar with the company, and external specialists, who have expertise and can take on extra work.

Apply lessons learned

The true benefit of a stress test is the analysis following the experience. The whole point is to make improvements to your plan by responding to what went wrong and reinforcing what went right.

Your breach response plan should include time for the incident response team to reflect and discuss the exercise. Additionally, ensure that any of the team’s recommendations are reviewed and implemented within a specified timeframe.

The benefits of organizing and testing your incident response plan could far outweigh the costs. Factor in the peace of mind your C-suite and response team will gain when they feel confident in their plan, and we believe you’ll arrive at a compelling argument to place stress tests near the top of your to-do list.
