With more and more small and medium businesses and non-profits becoming the victims of cyber-crime, it is important to know the answer to “Who you gonna call?” If your only answer is “Ghostbusters,” read on! The correct answer is outlined below and starts with preparation. Identifying who to call and when means you don’t have to figure this out on the fly, and it might even be required by some regulations, such as HIPAA.
Incident Response Plan
Most experts say an incident response plan has between four (NIST) and six (SANS) steps. The information is the same in all models; the difference is in how it is broken down into steps.
For example, the SANS model breaks the information down into these six steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Creating the Right Plan for Your Business
An incident response plan does not have to be some massive document that is tens or hundreds of pages long. That is a bad case of overkill for a small business. You just need to cover all of the information.
In fact, at the time of this writing, our response plan is only three pages long. Here’s the way our plan is laid out:
- The first page has general wording for HIPAA and the conditions under which the Incident Team Leader should be notified.
- The second page is a flowchart of our response plan, covering all six of the steps in the SANS model above.
- The third page is the contact info for the incident response team leader, the PR point person, and our lawyer.
That’s it. Sure, you can spend a bunch of time and effort on fancy paperwork, or even download a template from the internet, but do you really need all that? The answer is usually no.
All That is Great, But Who Do I Call?
If you are a small or medium-sized business or non-profit, hopefully you have a good working relationship with a professional IT firm. If you suspect a breach, your first call should be to them. They should be able to determine whether there is an actual issue, or recommend a specialized forensics team to confirm whether there is one.
If you do not currently work with a professional IT firm, then now is the time to get one. In most cases, an IT company is going to be less expensive than a forensics firm. Plus, you will need that IT firm to handle the rest of the process, anyway.
They Said I Was Breached, Now What?
If your IT firm delivers bad news, there are several things you should do next.
1. Call Your Insurance Company
Hopefully, you purchased cyber-liability insurance when you set up your business, or maybe you read our post on cyber-liability insurance, and then rushed out to buy a policy immediately. Either way, call your cyber-liability insurance agent ASAP. They may have specific forensic teams and/or legal teams that are covered under your policy. If you don’t use their teams, you may be on the hook for some, or all, of the bills.
2. Start a Forensic Investigation
If you have either been breached or have reason to believe that a breach has occurred, you need to get a forensic investigation going. It is possible your IT company can do this, but we recommend an external company do the investigation. The breach or potential breach occurred while that IT company was providing your day-to-day support. They may not immediately see where you were at risk. So, it is better to have an outside auditor do the investigation.
3. Speak to Your Lawyer
It is also time to involve your lawyer. Since every state now has data breach reporting laws, you need to let your lawyer know what’s going on. They will advise you of the legal impact and the reporting requirements you have to follow. You might need to get a firm involved that has expertise in the reporting laws of multiple states if you house data from people in other states.
How Long Will All This Take?
We all want to know how long things will take to get done and how much they will cost. The investigation could take weeks, six months, or more. Unfortunately, there is no way to know what the timeline will be before a breach happens, because it all depends on how much data was at risk, where it was housed, and a whole slew of other factors. As the investigation progresses, your IT provider can help you understand what is happening.
Once the investigation is completed, you will have to fix any issues that were found to prevent the breach from occurring again. Your IT company will work with you to create a remediation plan and timeline that addresses your state’s requirements.
That Seems Like a Lot
Yes, it is quite a lot to take in, which is why it is important to have a good relationship with a professional IT firm. You could potentially handle all this yourself, but you still have your business to run, so it is a good idea to have a professional IT firm handle things for you.
We have covered the basics here to help you understand the importance of taking appropriate measures to prevent a data breach from becoming an issue in the first place.
If you need help with your breach response plan or a response to a breach, Sawyer Solutions is here to help. We partner with small and medium businesses and non-profits to make their technology work better and protect them from cyber-criminals.
If you have questions about protecting your business, call Sawyer Solutions, LLC at (844) 448-7767 or click here to send us a message.