In the EU, GDPR is requiring organisations to disclose data breaches within 72 hours in an effort to protect personal data. Other areas of the world – notably the US - are also considering ways to introduce regulations that compel companies to disclose data breaches sooner. In Singapore, the Personal Data Protection Commission (PDPC) plans to introduce revisions to the Personal Data Protection Act (PDPA) mandating that companies notify the PDPC of breaches within 72 hours – like the EU standard – and customers sometime after.
This means that regardless of where your business is located, it’s time to make a plan that will enable you to investigate incidents quickly and with greater accuracy. The decision-makers of the company need to understand where critical assets lie and the information that may need to be reported ahead of time, so that the Incident Response (IR) team isn’t significantly burdened after a breach.
Here are the four questions IR teams should be asking from the moment a breach occurs to ensure all of the information needed for disclosing it to relevant stakeholders is readily available:
1. What’s the scope of this incident?
There’s only one thing worse than announcing leaked records, and that’s needing to make the same announcement more than once. Organisations need to understand exactly how extensive the breach was in order to avoid this faux pas—or, like some companies, be comfortable with announcing the maximum possible number of affected users before investigations are complete. There are pros and cons to playing it safe, but the best solution is to see what roadblocks exist in the IR team’s ability to investigate breaches and remove them wherever possible.
2. What kind of violation is it (e.g. PCI-DSS or HIPAA)?
If the IR team only has 72 hours to gather as much information as possible about a breach before reporting, it’s critical to know which policies to address. Requiring companies to report breaches does not just mean there’s less time before customers know about an incident. It also means that the organization will be expected to answer more specific, technical questions about the incident in a shorter timeframe.
3. Who is affected?
Identifying which customers have been affected will require precision in order to mitigate the damage to the company’s reputation. Security breaches are a fact of modern life, but customers still expect stringent protections and data privacy. When a breach does occur, company leaders across functions will need deep visibility to answer these questions right away.
4. What did the attack campaign look like—and are the attackers still present?
According to a recent report from Enterprise Management Associates (EMA), only 23 percent of organisations investigate all critical security incidents after the initial detection. That means over 75 percent of organisations don’t really understand how an attacker made it past its defenses, and often aren’t certain if the attacker is still inside the environment. This goes hand in hand with the current breach detection gap. In 2018, attackers could dwell inside an environment for three months on average before the breach was detected.
As Singapore and other governments around the world continue to strengthen consumer protections and privacy rules, this last question will grow more and more important. We’re moving away from a time when security was primarily considered the responsibility of companies and the increase in publicised breach reporting will ultimately lead to customers putting their trusted organizations under more scrutiny. Implementing frameworks like the Center for Internet Security (CIS) Top 20 Critical Security Controls can help organisations answer these questions quickly, but many need help extracting value from ambitious frameworks that require better visibility and a more efficient use of security resources. We have seen how an emerging category of security and analytics can help.
Albert Kuo is VP Asia Pacific, ExtraHop