How to survive a data breach

If someone with the proper motive and means (time, money, and resources) wants what you have badly enough, they are going to get it. Many companies fail to prepare for a breach until it's too late. Unfortunately, there is no proven, tested method for preventing or stopping a breach. How does one survive the inevitable?

The three survival points I touch on briefly below (by no means a comprehensive list) will help:

First, you had better know your data, know how your data flows in and out of your organization, where data is stored when not in use, and who has potential access to it. Remember that there are different types of data driven by the business you are in, and understanding the sensitivity of that data is critical. Due to the nature of technology and expansiveness of data through your network, trying to protect all of your data at the same security level is futile. You must be able to identify and separate the nonsensitive data from the sensitive.

Second, manage access to critical data on a "need-to-know-only" basis. Monitor and log every person and/or system that touches (or attempts to touch) sensitive data. Implementing a security information and event monitoring program within your organization is a must. Log, log, log: log as much data as your budget allows. If you cannot afford this step, you will have a difficult time explaining a breach to the data's owner. If you cannot substantiate with logs how the breach happened, how are you going to defend against a compromise? You can't!

This is the operationally expensive part of surviving a breach, but it is a necessary cost of doing business in today's globally interconnected world.

Third, know who the bad guys are, what they're looking for, where they're coming from, and how they're getting to your data. This information is not easily obtained, but it is becoming more readily available if you know where to look. You need to act like a company that has already been breached and proactively work with law enforcement, commercial incident response teams, security researchers, industry-specific information sharing and analysis centers, listservs, etc. If you are not working with the aforementioned entities, don't be surprised when bad things happen to your data! Knowing who wants your data and how they are most likely going to get it is necessary if you want a fighting chance of surviving a breach.

Now, let's take a step back for a minute for a little philosophical discussion. Not all breaches require a disclosure; the key is knowing whether the breach has resulted in a compromise. Is a virus a breach? How about a phishing attack? Do you know whether the targeted individuals actually clicked on a link or opened the e-mail attachment(s)? Certainly, these are breaches, but if they do not result in unauthorized access to sensitive data, who really cares, other than you? Conversely, if you can't tell, or don't know, whether any type of unauthorized access took place, even a seemingly simple virus could have resulted in a compromise, and you are none the wiser.

The way to survive a breach is to have a comprehensive program that actively incorporates the three points outlined above. Not knowing what or where sensitive data is, you:

  • are going to have an extremely difficult time protecting it; the larger the organization, the exponentially harder this becomes.
  • won't be able to effectively monitor and log activity; without detailed logs, how are you going to defend the question of data compromise?
  • won't have early warning indicators of a breach, or the ability to stop attackers in the early stages of the breach, which is what limits the effect of a potential compromise.
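The three points above reduce to one question when an incident lands: can you show, from logs, whether sensitive data was touched by someone without a need to know? The following is an added example (not from the original article) that wires a constructed data inventory, a constructed need-to-know list and constructed access-log lines into exactly that determination; store names, principals and the log format are all assumptions.

```python
from dataclasses import dataclass

# Point one, "know your data": constructed inventory of stores holding sensitive data.
SENSITIVE_STORES = {"crm-db": "customer PII", "hr-share": "employee records"}

# Point two, "need-to-know": constructed list of principals allowed to touch each store.
NEED_TO_KNOW = {
    "crm-db": {"svc-crm", "alice"},
    "hr-share": {"hr-admin"},
}


@dataclass
class Finding:
    store: str
    principal: str
    action: str
    outcome: str
    category: str  # "authorized", "blocked" or "unauthorized"


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' access-log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def classify(events):
    """Keep only events against sensitive stores and label each one."""
    findings = []
    for line in events:
        ev = parse_event(line)
        store = ev["store"]
        if store not in SENSITIVE_STORES:
            continue  # nonsensitive data: no disclosure question arises
        allowed = ev["principal"] in NEED_TO_KNOW.get(store, set())
        if ev["outcome"] == "denied":
            category = "blocked"  # attempted, but access control held
        else:
            category = "authorized" if allowed else "unauthorized"
        findings.append(Finding(store, ev["principal"], ev["action"], ev["outcome"], category))
    return findings


def verdict(findings):
    """'compromise' if sensitive data was read without need-to-know, else just 'breach'."""
    return "compromise" if any(f.category == "unauthorized" for f in findings) else "breach"


EVENTS = [  # constructed sample log lines for an account the attacker took over
    "ts=1 principal=alice store=crm-db action=read outcome=ok",
    "ts=2 principal=mallory store=hr-share action=read outcome=denied",
    "ts=3 principal=mallory store=wiki action=read outcome=ok",
    "ts=4 principal=mallory store=crm-db action=export outcome=ok",
]
```

Without the inventory the fourth event is indistinguishable from the third, and without the log the question cannot be answered at all; with both, the verdict is a compromise of customer PII, not merely a breach.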

You need to know the threats specific to your industry, your company, and ultimately, your data, so your organization can begin to close and/or secure known attack vectors, filter known addresses, and make the bad guy's job just a little more difficult than the next company.

Intrusions are inevitable, especially if you have "data of interest." It is up to you to make sure that the breach does not result in a complete compromise, and you cannot do that without knowing your data inside and out. Please know that a breach does not have to be synonymous with a compromise, and you alone will determine the end result; therein lies the ability to survive a breach. Surviving a compromise is a whole different story!

Stories by Scott M. Angelo