As the chances of a data breach incident increase, savvy businesses have invested time and thought in a response plan. But plans never survive first contact with the enemy. Stress test your incident response plan to find and resolve its weaknesses while time is on your side.
According to the Ponemon Institute’s 2016 Cost of Data Breach Study United States:
- Lost business is the biggest financial consequence of a data breach. Taking steps to retain customers’ trust reduces a breach’s long-term financial impact.
- The longer it takes to contain a breach the more costly it becomes. Breaches contained within 30 days of discovery cost an average of $5.24 million. If it takes more than 30 days to contain the breach, the average cost increases to $8.85 million.
- The average breach in 2016 cost $221 per record. Having an incident response plan and team in place, employee training, board-level involvement and a CISO in position are associated with reducing the cost of data breach $56 per record.
As compelling as these conclusions are, advisory firms and their clients have even more reasons to establish a data breach incident response plan (IRP). Their role as hubs of sensitive information make them irresistible targets for thieves.
Awareness of the threats rightly galvanizes leadership to develop an IRP and to invest in cybersecurity services.
Simply Having an IRP on File Isn’t Enough
The faster an incident is mitigated, the lower its costs, but speed can’t be mandated by the plan. For this reason, your firm and clients should stress test your IRP on a semiannual or annual basis.
When facing a real breach, the time and resources spent in practice could well pay an attractive return on investment. Without fail, the exercise turns up shortcomings, confusion and inefficiencies. Ironing those out with a calm team is far more cost-effective than diverting cognitive capacity in the midst of a real incident.
Stress testing an IRP works best when you go through the motions as if your company were having an active data breach. Everyone who has a role on the response plan assembles in one room and, in the context of specific scenarios, discusses their actions and the order of operations. The goal is to get everyone familiar with their roles and responsibilities.
We’ve done a lot of breach response planning and testing, from typical tabletop exercises to call trees and testing the response team’s reaction times. After these exercises, response teams regularly praise the experience and say that they feel more confident about their abilities to react in a real incident.
Make the Most of Your Stress Testing Exercises
1. Focus on the most likely scenarios.
You’re more likely to encounter ransomware via a phishing email than a dedicated nation-state penetrating your firewall. As such, focus your stress test on the scenarios that are most likely and threaten the worst potential consequences.
By the time you work your way down to less likely and less costly threats, you’ll have already covered the common elements of your response. Knowing how to adapt your plan to a specific threat is an expertise unto itself; one that won’t emerge naturally in the planning phase.
The threat model, kill chain and consequences of ransomware will differ from stolen equipment. If your top two likely scenarios are similar, you’re right to consider one stress test sufficient and use your remaining time to consider a somewhat less likely threat that could require a different response.
Ways to brainstorm stress-test scenarios
As a leader in your firm or company, you read news from industry associations, their publications and discussion forums. This is a great practice for keeping your security measures aligned with the most likely threats.
If you like your data fresher, contact your local U.S. Secret Service or FBI office. These folks rarely get calls from people who aren’t in distress. They love to get involved on the prevention side. They’re happy to discuss specific questions such as “What are the three biggest attacks that are going on these days for [financial institutions, insurance brokers or whatever industry your firm is in]?”
At a certain size, all companies include vulnerability assessment and penetration testing in their security operations. If getting your own vulnerability scanner would be overkill, commission a third party to conduct a penetration test or vulnerability assessment. Use the results to inform your choices when you stress test your IRP.
Take stock of your data housing and protection protocol. If it’s hard for your organization to keep up to date on your client devices’ patches, devise a test to determine what sort of patching frequency you can handle. Are your web servers or web applications out of date sometimes? Build a scenario around a penetration of your web-facing application and the SQL database behind it. Maybe PII gets exposed there; make that into a scenario.