Tips for handling your first security breach
by Jim Hansen - Senior Director, Product Management, AlienVault - Monday, 10 February 2014.
When it comes to data breaches, the risk for organizations is higher than ever before – from the calculable costs of leaked data to the less tangible effects on the companies’ brands and customer loyalty. Therefore, with targeted security breaches on the rise, defining an action plan is critical for every security practitioner.

Getting breached does not determine whether or not you have a good security program in place; how you respond to a breach does. Before you begin to stress out about how to keep your head (and your job) intact when the worst-case scenario happens, here are the top five tips for handling an organization’s first security breach.

Expect to have quality time with executives

Prepare yourself for some quality time with the executive team. During a security breach, you will find yourself interacting with an entire group of people who previously were merely names on your corporate organization chart. The executive management team will expect you to make confident decisions quickly. This will often drive you crazy because you are an engineer and, as you know, the unknowns always outweigh the knowns. You will be asked to make decisive, quick assessments regarding the information and data that you have collected, so be prepared to be held accountable for them afterwards.

Make sure you establish and record a timeline of events

Create a complete and detailed timeline of events because your responsibility is to determine “how” this happened. A comprehensive list of everything that happened within your network is crucial information that your management team needs from you. This is not an interpretation of “why” this happened. Additionally, know that this collected data will be essential for legal, PR and the board members, and will be the primary deliverable that the rest of the workflow is derived from.

Set clear expectations and don’t succumb to the endless requests for updates

Do not succumb to the endless requests for hourly updates because it can impact the organization’s productivity. Although you should expect to receive constant status update requests, you should not update too often because it can negatively affect your work. Make sure that the analysts are given enough space to conduct their actual analysis. You might insist that hourly status calls occur, but understand that a 15-minute phone call every hour can actually rob you of 25 percent of your productivity in conducting actual forensics work. Do not be afraid to push back and give yourself time to gather and report accurate information. After all, your responsibility is to enable informed executive decisions at this point.

Keep calm

Stay calm and do not panic. During a security breach, things are going to get a little crazy. During a time of crisis, do not worry about offending others by not being nice to them; be more concerned about not adding to the insanity. Be prepared to make some decisions that may be above your typical job responsibilities. Inevitably, you will be required to task others over whom you normally do not have authority, on the understanding that you will answer for it later on if needed. As long as you make this clear, any reasonable person will support you on this.

Do not hesitate to ask for advice and support

