The Inevitability of Cyber Breaches: How to Prepare for When it Happens
By David Wheeler, Of Counsel for Greenberg Traurig
In May, experts gathered to discuss the characteristically quiet but significant changes in accounting and IT standards and how they impact the way we do business. In this article, David Wheeler challenges firms to consider how to sound the alarm when their most valued asset is threatened: their information.
With just a few keystrokes, today’s technology allows you to access essential business data from your device of choice and take your business anywhere. With so much information in mass transit on the cyber highway, a breach or an incident is bound to occur. Can your firm respond swiftly and effectively to a cyber-threat? Do you know who needs to be involved to mitigate staggering damage to your business?
With so much valuable information accessible through cyber-networks, the implications of a breach cannot be resolved with only a technical solution. Data threats require a concerted response involving C-suite leadership to secure company information. Organizations that develop a response plan before a security incident occurs can significantly reduce the duration, disruption and recovery costs of such incidents. Below are thoughts and practical recommendations that should serve as a guide to strong cyber incident response planning.
The Incident Response Team Should Have Comprehensive Expertise
As a good practice, the response to a cyber incident should be quarterbacked by the organization’s incident response team under the direction of a team coordinator. Although the first responders may be members of the organization’s information technology staff or other company employees, the incident response team’s responsibility is to provide overall strategic and tactical response guidance. Ideally, the team should be composed of C-suite members, including the chief information security officer, chief privacy officer or chief security officer; human resources; risk management; and information technology. It may also include an outside cyber forensic partner, public relations consultants, and in-house or outside legal counsel.
This team’s first priority during an incident is to take control of the situation with the intent of mitigating potential harm to the organization, its clients, business partners or affiliates. After the attack is effectively contained, the team can implement improvements that prevent attacks from recurring and report the outcome of any security incident to executive management so that appropriate actions may be taken. The team should use a phased approach to address the cyber incident:
Phase One: Detection, assessment, and triage
Phase Two: Containment and reduction of continuing harm
Phase Three: Remediation and recovery
Phase Four: Post-incident concerns
An Incident Occurs: Controlling Risk and Limiting Damage
Phase One involves detection, assessment and triage, the critical activities for a successful response to a cyber-security incident. Indications of a cyber incident can come from many different sources: a device may be lost or stolen, the Intrusion Detection System (IDS) may trigger an event, the network monitor may indicate a spike in unauthorized traffic, or a server may be hit with a Distributed Denial of Service (DDoS) attack. The incident response team should always consider that cyber incidents may have legal, human resources and public relations implications, and initially the incident should be disclosed only to those with a specific need to know, such as other team members. An important result of the activities in this phase is the determination of the severity of the incident. Based on available data, the team must establish whether or not an incident has occurred. All security events should be evaluated and verified by reaching one of three conclusion-action points:
- Verified and Proceed;
- Undetermined and Proceed; or
- Refuted and Terminated.
- A statement of the circumstances surrounding the incident
- A summary of the incident activities and timeline
- Conclusions and supporting evidence
- Recommendations for short- and long-term mitigation