The Most Crucial Time During a Data Breach

Jan. 22, 2016, 8:40 PM UTC

Editor’s Note: The author of this post is an information systems consultant and a certified ethical hacker.

By Charlie Platt, iDiscovery Solutions

It’s two in the morning. You just hung up the phone. There’s a lot of confusion and no one really knows much, but the one thing that is certain is your company just suffered a massive cyber-attack. As you quickly prepare to head out the door, you know the clock is ticking and the next few hours will be critical to the firm’s future. Pulling out of your driveway, you punch in the number for outside counsel. It’s going to be a long night, but you’ve prepared for this – you have the right team, the right protocols and the right training. Now it’s just a matter of execution – execution that is already well under way.

Whether you are outside counsel or inside breach response, when you receive that call, are you ready to respond? Are you this confident that your breach response will already be well under way, even before you arrive, and conducted reliably, consistently and thoroughly? Are you sure that critical forensic evidence is not only being preserved, but has been pre-identified and secured against modification and manipulation?

The minutes and hours immediately post-breach are the most crucial, and they will be scrutinized at leisure by stakeholders, attorneys, shareholders and executive management. Post-breach is the wrong time to realize that you should be keeping logs for 180 days, not 30, or that your response varies based on the specific staff on site, or that your team ignored warning signs and alerts that might have halted the threat early on.
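Two of the readiness failures named above, log retention that is too short and forensic evidence that has not been pre-identified and protected against modification, can be checked before the 2 a.m. call rather than discovered after it. The following is an added example, not code from the article or its author: it audits a constructed inventory of log sources against a 180-day retention floor (the figure the article gives), and builds a SHA-256 manifest over pre-identified evidence files so that any later modification is detectable. The `LogSource` inventory, file names and the 180-day constant are assumptions for illustration.

```python
"""Breach-readiness checks: log retention audit and evidence integrity manifest.

Added example, not part of the original article. The inventory below is
constructed sample data; the 180-day floor follows the article's figure.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Retention floor the article says should already be in place (assumption: 180 days).
REQUIRED_RETENTION_DAYS = 180


@dataclass
class LogSource:
    """One log source and how many days of history it keeps (hypothetical record)."""
    name: str
    retention_days: int


def audit_retention(sources, required_days=REQUIRED_RETENTION_DAYS):
    """Return names of sources whose retention is below the required floor."""
    return [s.name for s in sources if s.retention_days < required_days]


def sha256_file(path):
    """Stream a file through SHA-256 so large evidence files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_evidence_manifest(paths):
    """Map each pre-identified evidence file to its SHA-256 digest at preservation time."""
    return {path: sha256_file(path) for path in paths}


def verify_manifest(manifest):
    """Return files whose current digest no longer matches the preserved manifest."""
    return [path for path, expected in manifest.items() if sha256_file(path) != expected]


def demo():
    """Run both checks on constructed data; returns (short-retention sources, altered files)."""
    # Constructed inventory: two sources fall below the 180-day floor.
    sources = [
        LogSource("firewall", 30),
        LogSource("domain-controller", 365),
        LogSource("vpn-gateway", 90),
    ]
    short_retention = audit_retention(sources)

    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "auth.log")  # constructed evidence file
        with open(evidence, "w", encoding="utf-8") as fh:
            fh.write("constructed log line: login succeeded for user alice\n")
        manifest = build_evidence_manifest([evidence])
        untouched = verify_manifest(manifest)  # nothing changed yet
        with open(evidence, "a", encoding="utf-8") as fh:
            fh.write("appended after preservation\n")  # simulate post-hoc modification
        altered = [os.path.basename(p) for p in verify_manifest(manifest)]

    return short_retention, untouched, altered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written to separate, write-once storage at the moment evidence is preserved, so that the verification step compares against a copy the affected systems cannot reach.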

Post-breach is not a technical problem, it’s an organizational and business problem. The basic nature of it, and of cybersecurity as a whole, is what management science terms a wicked problem. Wicked problems can prove difficult to solve, contain several levels of interdependencies and can even contradict themselves. In contrast to wicked problems, there are tame problems. Tame problems can require time, resources and effort to resolve, but are generally clear and concise with relatively simple possible solutions. One of the primary difficulties with cybersecurity is that, on the surface, it appears to be a tame problem – easily solvable with the right application of technology and staff. In actuality, it is a wicked problem – difficult to solve without addressing cultural and organizational issues first.

Post-breach doesn’t start when an attack is identified, it starts today with truncated logs, it started yesterday with an email or saved file, it started last week with every USB device attached, it started last month with every connected iPhone and iPod, it started last year with Facebook, LinkedIn, Dropbox, OneDrive, Google Drive and iCloud – and it will start again tomorrow with something you aren’t even aware exists yet.

Are you asking the right questions now to prepare yourself for what the future may hold?
