CIOs: How to Deal with a Data Breach

When it comes to data breaches, experts agree that prevention is the best cure, but what steps should CIOs take if the unthinkable happens?

The 5.30am electronic rumble of a BlackBerry set to vibrate. The sound no CIO wants to hear at that hour, as it can only mean bad news.

The chief security officer apologizes for waking you but she is clearly agitated. She has just been woken herself by the security consultants you called in to carry out a data audit. The team pulled a late shift last night and discovered some anomalies in the main customer database. The CSO is doing a poor job of covering her panic as she stumbles out with: “It might be nothing”. But you both know that you wouldn’t be having this conversation now if that’s what she really felt.

Despite the security breach at HM Revenue and Customs (HMRC) in November last year, it seems that many companies are still failing to heed the lessons learned from the incident. The Information Commissioner’s Office (ICO) has been notified of almost 100 data breaches by public, private and third sector organisations since HMRC. “Data is the lifeblood of many organizations but it is not often looked after very well,” says CIO Peter Birley of law firm Browne Jacobsen on his personal CIO Blog. Recent high-profile breaches include the loss of the personal details of around 5000 prison officers in September this year and allegations of a significant data loss at US hotel chain Best Western.

While the organization itself claims it only affected a handful of customers, whatever the real number, Best Western has suffered damage to its brand as a result. And this is damage that other firms could well face if they don’t take the necessary preventative steps to secure data and react in the right way in the event of a breach.

Firstly, don’t panic. “People immediately start to think the world is about to end – all kinds of scenarios are played out in people’s minds. These thoughts are crippling and will get worse the longer they fester, so ditch them and get on with the job. The reality is a professional and energetic approach will do more to protect you than hiding in a corner,” says Peter Chada, director of the Technology Advisory Service for financial services specialist BDO Stoy Hayward.

In the first hour after a security breach it is vital to make an assessment of the damage the data could cause, experts say. That means thinking about who would be interested in that data and what effect it might have, not just on the individuals concerned but more widely. In the recent incident at the Prison Service, for example, the safety of prison officers’ families could have been at risk had the data fallen into the hands of criminals.

“What would you do in the golden hour after discovering a data breach?” asks Geoff Donson, former High-Tech Crime Unit detective and now security manager for datacentre host TelecityGroup.

“Well for me, I would definitely want to know what the data was because you are going to want to know what collateral damage you have got. Does it help you to get the data back? Probably not, but it might as the nature of the data might determine who was interested in it. You would want to know what private data was included. Was it names, was it addresses, was it bank account details?”

How you react in the first hour is also massively dependent on your preparation and planning. The best companies will already have thought about what happens in exactly this kind of scenario and will have come up with contingencies to respond immediately and seamlessly.

“The key to successfully managing any incident is to ensure you are always prepared for any eventuality by having written and tested plans. I cannot emphasise enough the value of testing. Our experience in advising clients in both the public and private sectors is that the quality of plans is significantly improved by testing them,” says Neil O’Connor, principal consultant at information security specialist Activity. “You don’t want to be testing your plans for the first time in a real crisis.”

The first 12 hours

If you are able to identify what the missing data actually is (and there is no guarantee of that, as it depends on having maintained an accurate map of the data in your organisation), the next step is to try to work out who might have accessed it, whether someone external or internal, and what they might be able to do with that information.

“Some computer forensics might need to happen. Certainly you could look at the logging,” says Donson. “The logs within any Microsoft Windows system would let you see who had accessed that data last. You would probably be able to see if it had been copied in, and you would certainly be able to see if it had been printed.”

According to Dave Martin, managing security consultant at IT services company Logica, it’s also important to consider the most negative scenario and adapt your response accordingly. “At the start of the investigation of an incident, we must always assume the very worst, and that we may have to defend our actions in a court of law,” he says.

On the basis that your organisation may not only want to seek a prosecution for the data breach but may potentially face litigation itself, it’s important to preserve any potential evidence. “As soon as the severity of an incident escalates, organisations must ‘freeze frame’ and ensure that evidence is preserved. The preservation of evidence must be undertaken using very specific equipment used by a trained computer forensic service,” Martin advises.

To ensure that any data can be forensically analysed and eventually be admissible in court, it is vital to physically secure any computer or media to ensure “continuity of evidence”, he explains. The easiest way to do this is to physically lock away any servers, PCs or other hardware that might be related to the breach.
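Locking hardware away protects the physical media; the record that shows the content has not changed while in custody is what makes the evidence defensible later. As an added example, not from the article or any of the firms quoted, the following Python builds a chain-of-custody manifest (SHA-256 fingerprint, custodian, UTC timestamp) for preserved evidence files and re-verifies it, flagging any item altered after seizure. The file names, contents and custodian are constructed for the demonstration.

```python
# Added example: a minimal "continuity of evidence" record for preserved files.
# Hashes are taken at seizure and re-checked later; a mismatch means alteration.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_paths, custodian):
    """Record what was seized, by whom, when, and each item's fingerprint."""
    return {
        "custodian": custodian,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "items": [{"name": os.path.basename(p), "sha256": sha256_file(p)}
                  for p in evidence_paths],
    }

def verify_manifest(manifest, evidence_dir):
    """Return names of items whose current hash no longer matches the record."""
    changed = []
    for item in manifest["items"]:
        current = sha256_file(os.path.join(evidence_dir, item["name"]))
        if current != item["sha256"]:
            changed.append(item["name"])
    return changed

def demo():
    """Constructed sample evidence; returns (changes_before, changes_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"customer-db-server.img": b"constructed disk image bytes",
                   "print-spooler.log": b"constructed log: customers.xls printed\n"}
        paths = []
        for name, content in samples.items():
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as f:
                f.write(content)
        manifest = build_manifest(paths, custodian="A. Examiner (hypothetical)")
        before = verify_manifest(manifest, d)
        with open(paths[-1], "ab") as f:  # simulate alteration after seizure
            f.write(b"altered\n")
        return before, verify_manifest(manifest, d)
```

In practice the manifest itself is stored and signed separately from the media it describes, so the record cannot be rewritten along with the evidence.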

As well as locking away the evidence it’s also important to contain news of the security breach. Given that the majority of breaches are still, whether intentionally or not, carried out by employees, it makes sense to make sure that the minimum of people are informed about the breach or data loss. “Keep only one or two people informed of the investigation as you might be tipping off a culprit who, in turn, may start destroying evidence,” says Martin.

The first 24 hours

Having identified what data is missing, what impact it might have on the organization and even, potentially, who might have been responsible, the issue of whether to report the incident will come to the fore. The decision on whether to report will depend on several factors, not least what kind of data has been lost or exposed.

“There is always a problem with the reporting issue within a private-sector company because of the confidence loss with customers and shareholders. The other side of the coin is that you have a duty of care if you hold personal data on people and you lose that data, then yes, you have to make it public very quickly,” says TelecityGroup’s Donson, who spent 27 years in divisions such as the National Hi-Tech Crime Unit, the National Crime Squad, and the Computer Crime Unit, and also teaches Computer Forensics and Information Security at Westminster University.

Donson claims that in his experience a lot of data breaches that don’t involve personal data go unreported. “I think there are lots of other kinds of data that aren’t personal and don’t get reported,” he says.

However, law enforcement agencies are obviously keen that organizations report the loss of any kind of data – whether it be data covered under the Data Protection Act or not – as it helps enormously with the data intelligence gathering process, according to Donson. And reporting the incident to police doesn’t have to mean it will be made public. “We had non-disclosure agreements in place so we were saying to people, ‘Report it to us, even if you don’t want any action taken that is fine’,” says Donson. “We wouldn’t act on it if the company didn’t want us to act on it.”

At present, the UK does not have the data breach notification laws that exist in the US and some other countries and so there is no imperative for businesses to have policies and procedures in place for reporting, according to Robert Bond, head of intellectual property, technology and commercial practice at City law firm Speechly Bircham LLP. “However the lack of breach notification law is not a reason to ignore the need to put in place crisis management practices. Leading insurers like Hiscox and AIG are all insisting that data-loss policies and procedures are mandatory if businesses want insurance cover.”

The UK government is currently debating the introduction of data breach notification laws to match similar legislation that exists in over 40 states in the US. The US government is also considering the introduction of nationwide data breach notification legislation to provide harmony in reporting between the states. But despite the growing international backing for legislation that forces companies to be more open about breach incidents, not everyone is convinced it makes sense.

“Take the prison database that fell out of someone’s hands: did it do anybody any good to know data was lost? I don’t know,” says former FBI agent and now Microsoft chief security advisor Ed Gibson.

If the incident was accidental, as in the case of the HMRC breach, then there is less pressure to report. However, if the data was stolen by an employee then companies may want to take steps to have that individual prosecuted unless the incident is small enough that a mere dismissal will suffice. However, if it is discovered through computer forensics or other means that the data was stolen by an external party, then there may be little choice but to involve the law. “There are companies in the UK, let there be no doubt, that have been blackmailed and extorted that we never hear about,” says Microsoft’s Gibson.

After the initial fire-fighting has died down, attention will inevitably turn to working out what went wrong.

“Many of us think when something like that happens: ‘let’s fire the guy’,” says Gibson. “But let’s say you have got a government employee who lost a USB device and that person happened to be a pilot and received hundreds of thousands of pounds of training and he or she was just doing their job... You want to fire that guy?”

Rather than negligence, many recent data breaches can be traced to a basic lack of training – one of the conclusions of the Poynter review into the HMRC incident. “Time and again we have seen that staff are clearly incapable of handling confidential documentation, proving that it is not the technology but the human element that is fallible,” says Richard Millett, head of security at Firebrand Training.

Aside from training, companies may want to rethink their basic approach to IT security, and consider developing trends such as de-perimeterisation. The approach, championed by CSO groups such as the Jericho Forum, is based on the idea that instead of trying to ring-fence all a company’s IT assets it should concentrate on protecting the most important elements.

“De-perimeterisation strategies will allow us to adapt security mechanisms to the way business works rather than throw up too many barriers,” says John Meakin, group head of information security, Standard Chartered Bank, and Jericho Forum member, in a recent statement.

However, all experts are in agreement that the best approach is to have the systems in place to prevent data being leaked or stolen in the first place. Anyone in a senior IT or information management role should consider the recent spate of high-profile breaches as a wake-up call or get ready for an early morning call of their own one day.

This story, "CIOs: How to Deal with a Data Breach" was originally published by CIO (UK).


Copyright © 2008 IDG Communications, Inc.