The digital threat landscape is more perilous than ever. Large-scale data incidents have affected firms like Asiaciti Trust, JBS, and Colonial Pipeline in recent years, and Security Magazine finds that 2021 was the busiest year on record for such events. Indeed, Security Magazine warns that the future could be even more chaotic.
The unfortunate truth is that it’s not always possible to prevent data loss due to theft, compromise, or incompetence. Every organization needs to anticipate the possibility that they’ll be affected at some point and to put in place a plan to deal with the fallout.
Here’s how that plan should look.
1. Confirm That the Data Loss Occurred
First, confirm that your organization did indeed lose data. Sometimes, unauthorized individuals or entities access stored data or networks without copying or removing anything. While it’s reasonable to assume that data loss occurred after such an event, it’s a best practice to confirm that this is actually the case. You may need to hire a digital forensics specialist if you don’t have the capacity or expertise to investigate internally.
By the same token, data theft or loss can happen even when it’s not clear that unauthorized access took place. For example, if an employee loses a company laptop in an airport, it’s best to assume that the device has been compromised and any data on it has been taken, even if you have no way of independently confirming this.
2. Work to Mitigate Further Losses
Next, work to address the incident and mitigate further losses. The U.S. Federal Trade Commission has a helpful best practices guide for organizations cleaning up after a data loss incident. Its advice includes: Take all affected equipment offline to protect your network but don’t turn off any devices until the investigation is complete
3. Secure any Physical Data Storage or Network Nodes
Retain a digital forensics team to investigate (which you may already have done) and implement measures to harden your cyber defenses. Consult legal experts to help determine the extent of your exposure and how you should respond publicly. Report the incident to the appropriate law enforcement authorities if advised to do so by your legal team. Remove any signs of digital vandalism, such as unauthorized changes to your company website or social media profiles. Interview everyone involved with the incident (even if law enforcement plans to do this as well)
4. Determine and Catalog the Extent of the Loss
If you’ve retained a digital forensics team, they can help with this step. But you’ll need to be closely involved in the investigation to answer questions and guide the process.
Again, it’s best to conduct your internal investigation independently of any law enforcement investigation. Not because you shouldn’t trust the authorities — you should — but because their objectives are different from yours. They’re focused on holding those responsible accountable, while your aim is to protect your organization.
5. Work to Attribute the Loss, If Possible
This is not always easy, even with the assistance of digital forensics experts. Data incidents caused by sophisticated threat actors, such as the large-scale event that affected Asiaciti Trust and Alcogal, are difficult to attribute reliably. We can make educated guesses about who might be behind such incidents, but we’re not likely ever to know for sure.
Still, it’s in your best interest to try. Depending on the scale of the breach, law enforcement may devote significant resources — far more than you can bring to the table — to the investigation.
6. Communicate the News to Affected Stakeholders
For this step, you’ll need to draw in your communications team as well as your investor relations team and in-house legal counsel. Crisis communications is an all-hands-on-deck effort that can change the post-incident trajectory of your organization for the better — or worse.
7. Shore Up the Vulnerabilities That Led to the Incident
Finally, make one last ask of your digital forensics team: helping you ensure this sort of thing doesn’t happen again (or at least is much less likely to occur). If they’ve done their job properly, they’ll leave you with a long list of cyber security measures to take and will help you implement those your team can’t manage on its own.
8. Data Loss Isn’t Always Preventable — But You Control What Happens Next
Unfortunately, it’s not always possible to prevent data loss. Incidents of the sort that affected Asiaciti Trust, JBS, and others are difficult if not impossible to anticipate and may not even be detected until weeks or months after they occur. Organizations should be realistic about the scope and sophistication of the threats they face, and of the chances that they’ll be affected eventually.
But the situation isn’t completely hopeless. Even if parrying every threat is a challenge, stakeholders can limit the impact of data loss with careful planning and diligent execution. And this checklist can serve as a starting point for those efforts.
Follow Techdee for more!