Businesses in an ideal world would be able to completely prevent data breaches from happening. However, no person, organization or security measure is entirely perfect, which is why it is important to develop an action plan for responding to incidents.
As InformationWeek columnist Kevin Casey pointed out, high-profile attacks against large businesses make headlines, but organizations of all sizes can be victimized by cyber criminals. Casey highlighted comments from Craig Spiezle, executive director and president of the Online Trust Alliance, who offered advice for small- and medium-sized businesses in dealing with data security breaches.
1. Understand the type of data being stored
Spiezle said many business leaders aren't always aware of what kind of information their business is storing. The first step in developing an incident response strategy is determining what kind of information the organization manages and who has access to it. This process will better position the business for outlining the consequences in the event of a breach.
2. Determine compliance and regulatory requirements
Meeting compliance and regulatory requirements can be a significant challenge for SMBs, according to Spiezle. Because smaller businesses don't always have the resources to hire dedicated compliance officers, they rely on general-knowledge professionals to ensure regulations are met. Some organizations also rely on third-party vendors, which can help by providing technology solutions and consulting services; this can be risky, however, if the provider is not transparent about its practices.
3. Establish communication standards
The final step involves establishing which organizations need to be notified when an incident occurs. Spiezle said determining when and whom to contact can be tricky, but regulations can actually be helpful. For example, healthcare regulations dictate that affected individuals must be notified in the event of a data security incident, and in cases involving 500 or more individuals, health organizations are also required to notify major media outlets. In general, SMBs should relay advisories through the appropriate channels as quickly as possible without sacrificing the accuracy of the information they provide.
How big is the problem?
According to Verizon's 2012 Data Breach Investigations Report, the incidents investigated in 2011 accounted for the second-highest number of compromised records since 2004. What is more telling than the total number is the reason behind most breaches. Seventy-nine percent of victims were targeted simply because hackers were able to find easily exploitable weaknesses, and 96 percent of all attacks did not utilize complex methods. In addition, the majority of breaches were not discovered by the victim but by a third-party organization. Perhaps most surprising, however, is the type of organization that was most often victimized.
"Once again, organizations of all sizes are included among the 855 incidents in our dataset," Verizon analysts said. "Smaller organizations represent the majority of these victims, as they did in the last DBIR. Like some of the industry patterns, this relates to the breed of 'industrialized' attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance."
The report further explained that, in the case of financial data, many of the breaches were caused by failure to meet the Payment Card Industry Data Security Standard (PCI DSS). The report identified several common forms of attack, which include:
• Keyloggers and stolen credentials
• Backdoors and command and control
• Physical tampering
• Brute force
• SQL injection
The threat from many of these attacks can be reduced using easy-to-implement solutions. The risk that keyloggers and brute force attacks pose can be addressed through the use of two-factor authentication. Many of the other forms of hacking can be mitigated through security awareness training. SMBs relying on a third-party vendor for IT services should also ensure the provider is compliant with industry standards. For example, organizations that rely on service providers to handle payment processing should ensure the vendor is PCI compliant – if a data breach happens with the provider, liability is likely to come back to the organization rather than the vendor.
Data Security News from SimplySecurity.com by Trend Micro