“What do you mean we have to be ‘PCI compliant’?”
Thousands of business managers have uttered those words while staring down the hard lessons of information security and compliance. I was faced with just such a situation while working with a client recently. Criminal hackers exploited SQL injection to extract credit card numbers from a seemingly benign (and assumed to be secure) internally hosted database.
As we’ve discovered, hackers have nothing to lose and everything to gain -- all at the victim’s expense. I’m confident that many people on the receiving end of such a credit card data breach would attest that it’s not the act that’s so troublesome, but rather the stress, cost and turmoil that occurs afterwards. A book could be written on the trials and tribulations of this credit card breach, and practically every other data breach story. But it doesn’t take a book to convey the essentials, so here are seven quick data breach lessons that you can immediately implement in your business:
- It’s important to know how you’re going to handle the initial breach. Should you take the system(s) offline? Call the police? Get a forensic image? Preserve your backups? These are all things you need to consider in advance. What makes it tricky is knowing the type of breach you're dealing with. SQL injection is much different from an unknown threat (such as malware), but both malware and SQL injection have dire consequences. The point is that you need to be prepared for the more common types of breach.
- Document as much as you can up front: Information security and compliance policies, incident response procedures, network and information flow diagrams, etc. They all serve as guidance when bad things happen. In addition, when auditors, forensics investigators and affected third parties come knocking, this is information they’ll want to see.
- All involved parties are likely to focus on what happens after the event -- assuming it's handled properly. You can’t change the past. You have to be as professional and level-headed as possible. As you work through processes, get the appropriate experts involved. Don’t be afraid to pull in outside IT expertise. Consider performing a security assessment to see where else you may be vulnerable as well.
- Reassure all parties that you’re taking the incident seriously. You can do this by documenting how you plan to move forward with periodic assessments, and by bolstering areas such as change management, security policies and your incident response plan.
- Don’t let business managers with little to no knowledge of IT, information security or compliance complete self-assessment questionnaires. Someone innocently claiming “not applicable” for 90% of the questions is a great way to open your business up to further investigation and unnecessary liability.
- Get your lawyer involved, especially when it comes to notifying affected parties of the breach. Advice from counsel, even for simple things such as referring to data breaches as “events,” can soften the blow and keep things in check legally.
- Perhaps more important than anything else, never assume you’re not a breach target. Management at the business I worked with didn’t think they were a target, and I know many other business executives would claim the same thing.
There’s hardly any better way to gain information security and compliance wisdom than to experience a data breach. As Peter Drucker said, the unexpected crisis is the only event that is inevitable in the life of the leader. When such a crisis happens to be a data breach, that’s where you’ll demonstrate what you’re really made of. So, are you prepared for the inevitable? You need to ask yourself what’s the worst that can happen and then, ideally, make sure it doesn’t. Ultimately, your goal is to minimize the impact of a breach when it does occur. As reality is teaching us, it’s simply a matter of time before it does.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.