Six Things Executives Must Do To Ensure Effective Incident Response

When it comes to data breaches, 2017 has shaped up to be quite the year. While every year seems to have its share of significant breaches, this year certainly had its share of substantial and unique breaches that should serve as a reminder to business leadership that a breach can happen to any company and at any time.

While there’s nothing the business can do to “unring” the bell after a breach, there are steps organizations can take both to minimize the impact of breaches when they do occur and to help customers, partners, investors and shareholders better understand the nature and impact of the incident. The challenge, for too many organizations that I speak with in my interviews, is that they lack adequate executive leadership and sponsorship for these efforts to take hold and keep hold within the enterprise.

Making certain that the right resources and priorities are in place isn’t something front-line and lower-level managers can do. It takes leadership and time to plan for breach response, and that planning certainly shouldn’t be done in the middle of the action. It’s best to develop a plan in advance so that the playbook is written and everyone involved understands their role.

While every organization is different, and every response plan will therefore be different, there are essential steps every organization should consider to be better prepared. Here are a number of areas business leadership should make certain are in place for data breach preparedness. These are not meant to be all-inclusive of what needs to be done, but a starting point:

Always be on the lookout. The first thing you’ll do is make sure your organization is always looking for signs that it has been compromised. These can be found by looking for indicators of compromise on servers, in network traffic, on endpoints, in system logs, and so on. With swift detection of breaches, not only is it more likely that the damage of the incident will be mitigated, the organization will also be much more likely to be able to proactively manage the breach disclosure, if necessary. It’ll also be much less likely that you’ll be notified by law enforcement, or worse yet, a business partner, that you have been breached. Both methods are persistently top of the charts when it comes to discovery methods. Not good.

According to the 2017 Ponemon Cost of Data Breach Study, the average time to detect a breach is currently 191 days. The good news is that the figure dropped from 201 days. The bad news is that breaches still often go unrecognized for 191 days.

Have the ability to properly investigate. Once a breach has been identified, it’s important to investigate to learn exactly what happened: what data may have been accessed and what networks were infiltrated. How did the attacker get in? What information were they targeting?

The more swiftly and accurately the organization can determine what happened, and to what extent, the more swiftly the remediation can be conducted and the better informed the rest of the response will be, including, if necessary, the public announcement.

Be ready to respond internally. Once the nature of the breach has been determined, it’s time to respond. This will always include a technical response and sometimes a public disclosure. If the breach is proven to be insignificant, perhaps mitigating the impacted system will be enough. If there is evidence that the breach went deeper into the organization, then it’s a good idea to have some type of incident coordinator in place so that the response is properly managed.

If it’s a data breach that is material to customers, partners, or shareholders — or it is mandated by an industry or government regulation — the right executives need to be notified as quickly as is reasonably possible. This way the right internal resources can be notified and put into place. In these cases, the coordinator can ensure that the appropriate executives for legal, organizational, and public announcement are informed and ready.

Executive leadership must be ready to respond. If the breach is significant, senior leadership response is critical. Here, management will coordinate with corporate communications, legal, audit and compliance teams, human resources, and technical staff. We’ve seen breaches this year where executive mishaps after the breach was discovered led to ethical and legal questions. Legal should be involved here to help ensure the response is in accordance with controlling laws and regulations. Good communication can help avoid such situations.

Have a public notification plan in place. While public notification shouldn’t be delayed, it shouldn’t come any sooner than the organization is ready. First and foremost, that means understanding exactly what happened, how it happened, who was affected and how, and how the attack vector was mitigated or will be mitigated in the future. When it’s time to go public, the corporate communications team will need to know the who, what, where, why and how of the situation, as well as information on how those affected can protect themselves. Successfully bringing all of this information together will require collaboration among IT, security teams, legal, regulatory compliance teams, and others. When the time comes to take the notification public, all teams should be on the same page with the message.

Review the organization’s response to the incident. After the breach has been technically investigated, the holes the attackers used for entry have been plugged, and the public disclosure communications are complete, it’s critical that the organization review how well it performed. This includes not only how well the organization did technically when it came to breach identification, investigation, and remediation; all of that is essential, for sure. But it should also include how well the public disclosure and outreach worked. Any areas that need improvement should have their processes fixed so that teams are better prepared for next time.

To be sure, no one wants to go through a data breach, and every organization hopes that it doesn’t happen to them. But an organization can hope, or expect, never to have a breach and then wake up the next day having been breached. Like all forms of crises, no organization expects it will happen to them. One thing is sure, though: it’s better to have a plan when a breach occurs than not. And this year has proven it’s not as unlikely to happen to any given organization as one might think.

George Hulme is an award-winning writer and journalist well-known in the IT security world. He writes about business, technology, and IT security topics for publications like InformationWeek, Government Computer News, Information Security, Nation’s Business, Network World, San Francisco Examiner, The Industry Standard, VARBusiness, and dozens of other technology publications.