Organized crime and other criminal enterprises consider cyber-intrusions a "low-risk, high-reward proposition," and they pose a serious threat to every business that is connected to the internet or relies on electronic systems. The U.S. Department of Justice (DOJ) has joined the growing list of federal agencies weighing in on cyber-security "best practices." On the heels of the Federal Trade Commission and the HHS Office for Civil Rights and Office of the National Coordinator, DOJ has released its own guidance on the steps to take before a cyber-intrusion or data breach occurs, together with a template for responding to intrusions and attacks.[1] Following the familiar sequence of "Preparedness, Response and Recovery," the Guidance identifies steps a business should take before, during and after a cyber-intrusion to minimize risk and limit the impact of breaches when they do occur.

Preparedness:

  • Do it now. The DOJ emphasizes that all organizations must prepare now, before an incident occurs. Trying to develop a data breach response plan in the midst of a data breach is a disaster, and wastes precious time.
  • Identify your "crown jewels." Determine which information, data, assets, or services warrant the most protection, and tailor your plan accordingly.
  • Make it specific. Your plan must be "actionable," which means it must be clear who is responsible for what action during a cyber-intrusion or data breach. Discovery of a cyber-intrusion creates a lot of stress. If the response plan is not concrete, with clear allocation of responsibility, it will be much more difficult to respond swiftly and correctly.
  • Train your people. Organizations should train everyone involved in the data breach response so that they know their roles. Conduct regular exercises or drills to make sure that the data breach response team functions well together and can learn from its mistakes before a real data breach occurs.
  • Line up the right professionals. Engage legal counsel who are "cyber-savvy" with both knowledge about data breach incidents and experience working with organizations that have suffered data breaches. Lawyers with this knowledge and experience can provide more timely and accurate advice to the organization during a data breach response.

Response:

  • Take stock. The first step is an immediate assessment of the nature and scope of the incident: which systems are affected, what data was exposed, and whether the intrusion is still in progress.
  • Fix it. Ensure the attack is contained and cannot be repeated. This may include rerouting network traffic, blocking access, isolating affected segments, closing ports, reconfiguring the network, or tracing the attack to its source. Bear in mind that containment actions such as rebooting, reimaging or reconfiguring a host can destroy volatile evidence, so coordinate them with the preservation step below. Do not communicate about the incident using the compromised systems; assume the intruder can read anything sent over them.
  • Save the info. Record, collect, and preserve information from affected computers and the relevant logs, and ensure it is preserved in a forensically sound manner: work from copies, keep the originals untouched, and document who collected what, when, and how.
  • Notify promptly. Notifying affected individuals and entities, as well as law enforcement, ensures not only that legal obligations are met, but also that enforcement efforts are supported by the appropriate government resources.
  • Never, ever fight back. Even if a victimized organization can identify the entity that hacked it, "hacking back" is never safe and is probably illegal. It is not worth the risk.
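The "Save the info" step is the one most often done badly under pressure. The following is an added example, not part of the DOJ guidance or this article: a small Python helper that hashes every file in an evidence directory with SHA-256, writes a chain-of-custody manifest (who collected it, when, and what each file hashed to), and can later confirm that nothing in the collection was altered. The case identifier, collector name and sample log files are constructed for the demonstration.

```python
"""Forensic preservation helper (added example): hash collected evidence, write a
chain-of-custody manifest, and verify the collection later.

Assumptions (constructed for the demo): case id "IR-0001", collector "analyst",
and three small sample files standing in for copied logs.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> Dict:
    """Record path, size, hash and modification time of every file under evidence_dir."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        stat = path.stat()
        entries.append({
            "path": path.relative_to(evidence_dir).as_posix(),
            "size": stat.st_size,
            "sha256": sha256_file(path),
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: Dict) -> List[str]:
    """Return a list of problems ("missing: ..." / "modified: ..."); empty means intact."""
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def make_sample_evidence(evidence_dir: Path) -> None:
    """Write constructed sample files that stand in for copied logs (demo data only)."""
    (evidence_dir / "auth.log").write_text(
        "Jan 10 03:14:07 web01 sshd[4123]: Failed password for root from 198.51.100.23\n"
        "Jan 10 03:14:09 web01 sshd[4123]: Accepted password for root from 198.51.100.23\n"
    )
    (evidence_dir / "notes.txt").write_text("abc")   # known SHA-256 test vector
    (evidence_dir / "empty.bin").write_bytes(b"")    # known SHA-256 of the empty input


def run_demo() -> Dict:
    """Collect, write the manifest beside (not inside) the evidence, verify, tamper, re-verify."""
    work = Path(tempfile.mkdtemp())
    evidence_dir = work / "evidence"
    evidence_dir.mkdir()
    make_sample_evidence(evidence_dir)

    manifest = build_manifest(evidence_dir, collector="analyst", case_id="IR-0001")
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

    before = verify_manifest(evidence_dir, manifest)          # expect []
    (evidence_dir / "auth.log").write_text("tampered\n")      # simulate a later alteration
    after = verify_manifest(evidence_dir, manifest)           # expect ["modified: auth.log"]
    return {"manifest": manifest, "before": before, "after": after}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["manifest"], indent=2))
    print("intact before tampering:", result["before"] == [])
    print("problems after tampering:", result["after"])
```

In practice the manifest itself should be stored (and ideally signed or hashed) somewhere the evidence cannot reach, and the hashes should be taken from copies made with a write-blocker or equivalent, so the originals are never modified during collection.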

Recovery:

  • Don't let down your guard. Stay on watch for a repeat attack, and take steps to prevent similar attacks.
  • Learn from the incident. Conduct a post-incident review to assess how the breach response team performed during the incident. Identify any deficiencies and the best manner to address them.

Footnote

[1] The full title of the guidance is "Best Practices for Victim Response and Reporting of Cyber Incidents." This document is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.