When your organization is experiencing a cyberattack or breach, protecting privileged information and intellectual property is crucial.
As Incident Responders, we can state clearly that in the aftermath of a data breach, events can move very quickly. You'll be asked a litany of questions such as, "how.., who.., why.., etc..". It's best to be prepared.
However, appropriate steps should be taken to ensure that confidential and strategic plans are secured and held with great discretion.
As we too often see, shortcuts taken for the sake of getting back to "normal" can lead to greater problems later, particularly in the event of litigation.
Here are our top tips for protecting sensitive data in the context of a data breach:
- Don't keep your incident response plan on the servers! If the servers are infected with ransomware, it might be impossible to access the plan. Print the plan and place it in a fire-safe for use, when necessary.
- Protect all potential evidence! This would seem rather obvious, but we've observed hard drives and other resources become "wiped" to restore backups.
- Avoid using the internal network. Following the previous statement of preserving the "crime scene", avoid using internal systems after the malicious activity is recognized. It's possible that internal emails or messaging related to the ongoing attack will be observed by the threat actor(s). We recommend using an uncompromised email address and phone service. This should be established and documented in the incident response plan.
- Engage legal counsel as soon as possible. A data breach should be treated as a legal incident for the organization, with counsel being notified immediately. Legal counsel should provide proper regulatory guidance and customer guarantees. This will include engaging the Cyber Insurance carrier, third-party vendors, and preparing the communications director on how to engage with the media.
- Control the dissemination of information within your organization. How and when information is shared is critical in notifying staff of an incident. If payroll will not be disrupted, we highly suggest leading with that information. In these uncertain times, staff could become very concerned about their finances in the event of a cyber incident. Privileged communications should not be shared with any parties that will lack the utility of the information. It is also very important that those informed be reminded that the information is not to be shared outside of approved channels. All communications and any notes or other documents regarding the breach should be marked as "confidential."
- "Don't Try This At Home. Use a trained professional for engaging media outlets and customers! If the incident regarding BP in the Gulf of Mexico has taught us anything, it's that we aren't all properly prepared to speak with the media. A trained professional knows how to correctly and efficiently distribute information regarding a breach without inducing unnecessary panic or creating additional liability to the organization.