Greg Gaglione has witnessed the legal cleanup side of an organization’s devastating cybersecurity incident.
Benjamin Franklin once said, if you fail to plan, then you are planning to fail. The same is true when it comes to an organization’s data security program. An organization that is well prepared for a cybersecurity incident with a robust data security program will not only reduce the likelihood of suffering a cybersecurity incident, but also significantly reduce the cost of a security incident. Below are four proactive measures your organization can take to prepare for a cybersecurity incident and reduce your organization’s overall risk.
1. Develop an Incident Response Plan
An Incident Response Plan (“IRP”) will establish the method and procedure for identifying, responding to, and reporting a security incident. An IRP will set forth, in writing, each key stakeholder’s role in responding to an incident and ensure that every stakeholder is on the same page. An IRP should include the following:
- The scope of the IRP within the organization.
- Establish an Incident Response Team comprised of key stakeholders charged with following the IRP when responding to a security incident.
- Identify key external resources available during incident response such as outside counsel, cyber forensic investigators, and crisis communications specialists.
- Outline the organization’s procedures for identifying, responding to, and reporting a security incident.
- Identify and set forth legal obligations for reporting a security incident and notification to affected individuals and businesses.
- Establish a schedule for regular review of the IRP to update the plan according to an organization’s operations.
- Include a post-incident review process.
2. Test the IRP with Tabletop Exercises
Once an organization’s IRP is established, an organization should regularly test its IRP. This testing can be done through tabletop exercises that simulate a security incident and test the strength of an organization’s IRP. Following the tabletop exercise, an organization can adjust its IRP to make it better equipped to respond to a security incident effectively and efficiently.
The Ponemon Institute conducts one of the largest research studies on data security breaches every year and produces a yearly report on the cost of a data breach. Last year the Ponemon Institute reviewed over 500 breached organizations and found that the highest cost saver for a business suffering a data breach was incident response preparedness. Specifically, organizations with an Incident Response Team that also regularly tested its IRP saved, on average, $295,267 in incident response costs when suffering a data breach.[i] This cost savings underscores the importance of developing an IRP and regularly testing the plan with tabletop exercises.
3. Employee Training
An organization’s security system is only as strong as its weakest link. That weakest link can be an organization’s employees if they are not trained in best practices for security. Employees should be trained in identifying and preventing a security incident with strong passwords and password management, as well as identifying and reporting phishing emails and malicious links. An organization should also train its employees on how to recognize a security incident and report the incident to the proper stakeholders within an organization. This will help an organization efficiently address a security incident. An organization’s employee training should be completed during the onboarding process as well as yearly so that employees continue to be diligent in their day‑to‑day practices to keep an organization’s systems secure.
4. Vulnerability Scanning and Pen Testing
One of the best ways to reduce the likelihood of a security incident is to regularly test an organization’s systems. This can be done with regular vulnerability scanning and penetration testing. Vulnerability scanning will scan an organization’s systems for security weaknesses and determine the vulnerabilities within an organization’s systems. Penetration testing, also known as pen testing, takes a deeper dive into an organization’s system. Pen testing is where an ethical hacker attempts to gain access to an organization’s systems by exploiting its vulnerabilities. A good analogy is if an organization were considered a home, vulnerability scanning would test to see if the doors were locked and pen testing would open the door and see if the doors to the rooms inside the home were locked. It is recommended that an organization conduct vulnerability scanning at least twice a year and pen testing at least once a year. These preventative measures reduce the likelihood of a security incident because an organization can use the results from vulnerability scanning and pen testing to patch weaknesses and make system modifications to further secure its systems. In addition, the Ponemon Institute cost of a data breach study found that organizations that conduct vulnerability scans reduce the cost of a data breach by $172,817.[ii] Therefore, in addition to preventing a security incident, vulnerability scans and pen testing will reduce the costs of a security incident, if and when a security incident should occur.
In sum, take proactive measures to reduce the risk of a cybersecurity incident, as well as reduce the costs of an incident when it occurs. An Incident Response Plan, employee training, vulnerability scanning, and pen testing are a few proactive measures an organization can take to secure its systems and best prepare for a security incident. If you have questions on how this specifically relates to your organization, Greg Gaglione can help. As is often the case in life, those who are proactive and prepare will perform the best. The same is true for an organization and its data security program.
DISCLAIMER: This article is for general information purposes only. The information in this article does not, and is not intended to, constitute legal advice. Contact a qualified attorney to obtain advice with respect to any specific issue or legal question.
[ii] See id.