By Ian M. Marlow
October 9, 2014
Today’s ID and data theft is no longer one-on-one, when you knew who the perpetrator was and when/where the situation occurred (usually at a retailer or restaurant and a credit card payment). With today’s cloud computing, security breaches are anonymous, enterprise-wide and can affect millions of people at a time, within businesses of any size. It’s crucial to take both reactive and proactive measures in the event of (or to avoid) a cyber crime; here are a few to implement.
- End the breach immediately — Shut down open ports on your firewall the moment your IT department or service provider notices the system compromise, and reroute data accordingly. This keeps hackers from exploiting these open areas again. Reconfiguring your firewall changes your global connection so that only authorized users (employees, customers) will be able to get back in. Your services may be temporarily offline so let all relevant parties know.
- Notify those affected – It is crucial to contact all clients and partners about your cyber intrusion and inform them that all necessary actions are being taken. It’s also important to instruct all users to change their passwords so hackers cannot gain access to personal and/or company emails and any sensitive data they contain.
a. If your organization has a point-to-point virtual private network tunnel (a VPN) to a sister company or business partner, it is critical that you inform the other party so they can do their due diligence around their own computing security. Your weak spot may not be yours alone and can lead to infiltration of your client/customer or partner computers and data. Inform them of the steps you’ve taken to remediate the breach and anything they should watch out for (e.g., spam emails, false retail charges).
- Monitor system activity – Monitor your system 24/7 with intrusion detection software; look for any suspicious activity which could signal another breach such as unusual network traffic, malware and viruses, and alerts about unsuccessful email login attempts.
- Preserve the evidence for forensic investigation – Companies commonly (and mistakenly) eliminate the evidence of the breach as they re-establish a secure firewall and get all operations and functions back online. However, the evidence is necessary in order to figure out how and where the breach occurred, how far it extended through your system, and what information was stolen or at risk. The evidence also helps your IT professionals devise a solution to avoid a reoccurrence.
- Report the breach – 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws that require private or government entities to notify individuals of security breaches involving personally identifiable information. Every state differs regarding the definitions of a breach and of confidential information so check your state/local laws regarding this. Reporting the incident also shows corporate transparency and allows users to take the necessary steps to protect their personal information quickly.
- Conduct a thorough forensic investigation – This entails going through your entire technology infrastructure for clues. Your IT team will examine your backups for snapshots that document system changes based on the time of the breach and the moment you fixed the problem. This process focused on what the hackers were after and why your company was targeted. When performed correctly, this forensic process will help you better understand why the breach occurred as well as the safeguards necessary to avoid its repetition.
- Perform an intrusive penetration test –This step is extremely important both as a proactive anti-breach protocol and especially after a breach occurred and your security has been reconfigured. A penetration test comprises hiring an outside firm to effectively hack your network and confirm there are no holes in your firewalls in order to ascertain that the reported breach is permanently closed (or that none exist as a routine test).
a. Should holes be found, you can remediate them before another security intrusion occurs. Make sure you get full documentation of the penetration test to show management and investors you took all necessary steps possible in your remediation.
b. As a proactive measure, testing your network before a problem is detected is a smart IT practice and is good business. Your company can avoid the financial losses (network repair, charge backs, etc.) and the loss in client/partner trust that a security breach causes (and which can be more difficult to restore than your system’s safeguards).
No company can afford to take risks with their network security. Any organization that stores confidential data should perform regular penetration tests as a proactive measure to protect your company and your users. Closing the security holes before a breach occurs will help you avoid the costly service disruptions and remediation steps caused by hackers who have infiltrated your firewall.