Stealing credit card and financial data is a profitable business. Everyone has seen headlines about breaches at Sony, Target, USPS, and JPMorgan. With JPMorgan Chase, personal information for 83 million customers was stolen. The recent attack at Sony Pictures is a stark reminder that the theft of IP is a real possibility — and the recent FireEye FIN4 report characterizes activities of a group that has been infiltrating Wall Street to steal confidential information on business deals and financial markets.
Once you assume that your enterprise will be breached despite even the strongest security team and the best defenses, it’s time to get ready. Here are five tips on how to prepare for a data breach.
1. HAVE A STRONG INCIDENT RESPONSE PLAN
It’s important to create an incident response plan in advance, before a breach occurs. It cannot be an afterthought. Your organization will need a command center, established decision makers, and powerful investigative tools. You’ll need data to do the forensic analysis—so you should be collecting network traffic data now, in advance. And key to your brand and reputation is your communication plan: who do you need to notify? What will you tell board members? What will you tell customers?
2. ERADICATE COMPLACENCY
The military uses war gaming techniques to prepare for battle, and many corporations use dry runs to improve skills. Adopt these approaches. Simulate cyber attacks to find holes in your incident response. You shouldn’t be executing your plan for the first time when your business is under attack. And while you may not be able to prevent all breaches, you should be diligent in your efforts to reduce the human errors that make it easier for cybercriminals to gain access. Make sure your security patch management is a well-oiled machine, and that your process for cutting off access from lost employee devices is swift. One way criminals skirt defenses today is to steal an employee’s credentials via a sophisticated spear phishing attack. The time may have come to adopt two-factor authentication to mitigate the impact of stolen passwords.
3. COLLECT DATA TODAY—SO YOU CAN INVESTIGATE IN THE FUTURE
To fully investigate a cyber attack, you need to be able to look back in time and figure out what happened: how did the attackers get in the door? Did they move laterally across systems? What did they take once they got inside? Every day in the investigation costs money. One tool that should be part of your security portfolio is network forensics. If you collect network traffic data today (and preserve it), then you will have the data you need in the future to figure out what happened. A security analyst I know refers to network traffic data as “pure gold.” With network traffic data, high-performance storage, and good analytics, you can reduce investigative cycles down from weeks to hours or minutes—and minutes matter.
4. USE DATA TO LOOK FOR BAD BEHAVIOR
It’s a good idea to proactively analyze the network traffic data to look for anomalous behavior. Some organizations look for network access from countries they do not do business with. Other organizations scrutinize any access from the Tor anonymity network. Cybercriminal activities can be hard to detect, and hunting for suspicious behavior in network traffic requires skill, but it can and should be done.
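The two hunts described above, as an added example that is not from the original article: it scans a constructed connection log for accepted connections from countries the business does not operate in and from Tor exit nodes. The GeoIP table, the Tor exit list and the log format are all constructed stand-ins; a real hunt would use a GeoIP database and the published Tor exit-node list.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed GeoIP table (prefix -> ISO country code); stands in for a real GeoIP database.
GEOIP: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "ZZ",  # a country the business has no dealings with
}
# Constructed Tor exit-node list (documentation address, not a real exit);
# a real hunt would load the published exit-node list.
TOR_EXITS: Set[str] = {"198.51.100.77"}
# Countries the business actually operates in.
ALLOWED_COUNTRIES: Set[str] = {"US", "DE"}

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"  # unknown origin: worth a look, not treated as allowed

def hunt(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, reason) for every accepted connection
    that came from a Tor exit or from a country outside the allowed set."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        # Constructed log format: "<ts> <src_ip> -> <dst_ip>:<port> <action>"
        ts, src, _, dst, action = line.split()
        if action != "ACCEPT":
            continue  # blocked connections are noise for this hunt
        if src in TOR_EXITS:
            findings.append((ts, src, f"tor-exit->{dst}"))
        cc = country_of(src)
        if cc not in ALLOWED_COUNTRIES:
            findings.append((ts, src, f"country:{cc}->{dst}"))
    return findings

# Constructed sample connection log (firewall-style accept/deny records).
SAMPLE_LOG = [
    "2014-12-10T08:00:01Z 203.0.113.5 -> 10.0.0.10:443 ACCEPT",
    "2014-12-10T08:00:07Z 192.0.2.44 -> 10.0.0.10:443 ACCEPT",
    "2014-12-10T08:00:09Z 198.51.100.77 -> 10.0.0.10:22 ACCEPT",
    "2014-12-10T08:00:12Z 192.0.2.45 -> 10.0.0.10:22 DENY",
]

if __name__ == "__main__":
    for ts, src, reason in hunt(SAMPLE_LOG):
        print(ts, src, reason)
```

Run over the sample log it reports the connection from the "ZZ" prefix and the one from the listed Tor exit, and ignores the denied connection.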
5. MAKE SECURITY A PRIORITY FOR EVERYONE
Cybercriminals are raising the level of their game, and defenders need to do the same. Today’s infiltrators are taking advantage of human weakness, using spear phishing emails that play to the concerns of their targets—such as concerns about shareholder perception in the recent FIN4 Wall Street attacks. One way to prepare for a cyber attack is to make sure all employees are trained and knowledgeable—not with “check-the-box, one-size-fits-all” training but rather with an approach tailored to reach all employees, even if they have different learning styles. Use several communication vehicles: newsletters, emails, meetings, web, social media, phone. And don’t just train employees once, but again and again. You need to make sure all team members know what types of threats exist and what defensive measures to take, because cybersecurity is everybody’s responsibility.