Data Breaches: Small business incident response

Technology

• Regularly Update Software and Systems: Ensure that all software, especially security software, is regularly updated to protect against the latest vulnerabilities
• Implement Multi-Factor Authentication (MFA): Use MFA wherever possible to add an extra layer of security, especially for accessing sensitive data.
• Use Secure and Encrypted Communication Channels: Encourage the use of encrypted communication methods for sharing sensitive information internally and externally
• Monitor Networks and Use Intrusion Detection Systems: Continuously monitor networks for unusual activities and use intrusion detection systems to identify potential threats
• Implement Least Privilege Access Control: Ensure employees have access only to the data and resources necessary for their job role, reducing the risk of internal data breaches
• Use of Firewall and Network Security Tools: Employ firewalls and other network security tools to protect against external attacks
• Secure Disposal of Outdated Equipment: Ensure that old computers and hardware are properly wiped of data before disposal or recycling
• Implement Endpoint Protection: Use endpoint protection software to secure all endpoints - devices connecting to the network, including mobile devices.
• PII:  Do not use Social Security numbers as employee IDs or client account numbers. If you do so, develop another ID system now.
• Establish Password Management:  A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
• Secure All Computers:  Implement password protection and require re-login after a period of inactivity. Train employees to never leave laptops or PDAs unattended. Restrict teleworking to company-owned computers and require the use of robust passwords that are changed regularly.
• Control use of Computers:  Restrict employee use of computers for business. Don't permit the use of file-sharing peer-to-peer websites. Block access to inappropriate websites and prohibit the use of unapproved software.
• Keep Security Software Up-To-Date:  Keep security patches for your computers up to date. Use firewalls, anti-virus, and spyware software; update virus and spyware definitions daily.
• Encrypt Data Transmission:  Mandate encryption of all data transmissions. Avoid using Wi-Fi networks; they may permit interception of data.

Third-Party Vendors

Ensuring that your third-party vendors comply with your organization's security standards is crucial for protecting your data and maintaining trust in your business operations. Here's a comprehensive to-do list to help manage third-party vendor compliance effectively:

Conduct Due Diligence:

• Research potential vendors to understand their security policies and practices.
• Evaluate their history of data breaches or security incidents.

Define Security Requirements:

• Establish clear security criteria and expectations for vendors.
• Include requirements for regular security audits, compliance with industry standards (e.g., ISO 27001, SOC 2), and adherence to data protection laws (e.g., GDPR, CCPA).

Assess Vendor Security Measures:

• Request detailed information on the vendor’s security infrastructure, policies, and procedures.
• Verify their use of encryption, firewalls, access controls, and other cybersecurity measures.

Ensure Contractual Agreements Include Security Provisions:

• Include clauses in contracts that specify compliance with your security requirements.
• Require immediate notification of any security breaches or incidents.

Conduct Regular Audits and Assessments:

• Schedule and perform regular security assessments of vendor systems and practices.
• Use third-party auditors for unbiased security evaluations.

Monitor Compliance:

• Implement processes to continuously monitor vendor compliance with your security standards.
• Establish key performance indicators (KPIs) to measure compliance levels.

Require Incident Response Plans:

• Ensure vendors have incident response plans that align with your own.
• Coordinate response strategies for handling data breaches or cyber attacks.

Train Your Team:

• Educate your staff on the importance of vendor security compliance.
• Train them on how to identify and mitigate risks associated with third-party vendors.

Review and Update Agreements Regularly:

• Periodically review and update contractual agreements to address new or evolving security threats.
• Adjust security requirements based on changes in business operations or technologies.

Develop Strong Communication Channels:

• Establish clear lines of communication with vendors for reporting security issues.
• Hold regular meetings to discuss security performance and improvements.

Plan for Termination or Change:

• Have a plan in place for securely transitioning services if the vendor relationship ends or changes.
• Ensure that data is securely returned or destroyed according to contractual obligations.

By meticulously following these steps, you can ensure that your third-party vendors adhere to the same high standards of security that you expect within your own organization, thereby minimizing risks and safeguarding your data.

Processes & Governance

• Regularly Review and Update Incident Response Plans: Have a clear, up-to-date incident response plan that outlines steps to be taken in case of a data breach.
• Conduct Regular Security Audits and Risk Assessments: Periodically review and assess your security posture and practices to identify and address vulnerabilities.
• Employee Training and Awareness Programs: Regularly train employees on security best practices, potential threats like phishing attacks, and the importance of following company policies.
• Develop and Enforce Strong Security Policies: Create comprehensive security policies covering aspects like acceptable use of company resources, data access, and breach reporting procedures.
• Regular Backups and Data Recovery Plans: Regularly back up critical data and have a robust disaster recovery plan to minimize data loss in case of a breach.
• Establish an Approval Process for Employee-Owned Mobile Devices.  With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed.
• Govern Internet Usage:  Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
• Manage Email Usage:  Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
• Govern Social Media:  All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
• Oversee Software Copyright and Licensing:  There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
• Secure Physical Access to Company Premises: Implement measures like keycard access, visitor logs, and surveillance to secure physical access to your business premises.
• Manage Use of Portable Media:  Portable media, such as DVDs, CDs and USB "flash drives," are more susceptible to loss or theft. Allow only encrypted data to be downloaded to portable storage devices.

Data

• Keep Only What You Need:  Reduce the volume of information you collect and retain to only what is necessary. Minimize the places you store personal data. Know what you keep and where you keep it.
• Destroy Before Disposal:  Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the drive, or physically destroy it.
• Safeguard Data:  Lock physical records in a secure location. Restrict access to employees who need to retrieve private data. Conduct employee background checks and never give access to temporary employees or vendors.
• Safeguard Data Privacy:  Employees must understand that your privacy policy is a pledge to your customers that you will protect their information. Data should only be used in ways that will keep customer identity and the confidentiality of information secure. Of course, your employees and organizations must conform to all applicable laws and regulations.

Legal

• Legal Compliance and Data Protection Laws: Stay informed about and comply with relevant data protection laws and regulations like GDPR, CCPA, etc.
• Report Security Incidents:  A procedure should be in place for employees or contractors to report malicious malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damage

The Significance of Breach Reporting: 

Effective communication and prompt notification about breaches are essential for efficient remediation and recovery, as well as for meeting compliance and regulatory requirements. 

Benefits of Breach Disclosure in Remediation:

Prompt breach reporting notifies all affected parties, both internal and external and mobilizes them as well as key stakeholders who are involved in recovery and remediation efforts, depending on the nature and scope of the attack or compromise. For instance, if your organization is breached via a third-party, you must be alerted at once to prepare and protect your business. Similarly, if a breach in your system could affect your client, they should also be notified as soon as possible.

Effective and speedy remediation lessens the impact of a data breach, protecting the company's reputation and business relationships. It also helps retain customer trust by promptly informing customers of the impact and the measures taken to prevent further damage.

Regulatory and Compliance Standards for Breach Disclosure:

Recent data protection laws, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), mandate timely breach disclosures.
Emerging regulations highlight the increasing importance of breach reporting. new regulatory actions are continuously emerging, underlining the growing importance of breach reporting. Failure to comply with the respective privacy and data protection regulations can result in hefty fines and further reputational damage. Some notable recent regulations have reporting deadlines and requirements for breach disclosure. 

Here’s what some of them require:

• GDPR - The GDPR asks companies to report breaches within 72 hours "where feasible" with the only exception being if the breach does not "result in a risk to the rights and freedoms of natural persons." If an organization delays in reporting the breach, reasons for the delay need to be provided. The GDPR has heavy fines for non-compliance. Depending on violations, fines can reach:
  €10 million ($11 million) or 2% of annual turnover, whichever is higher
  €20 million ($22 million) or 4% of annual turnover, whichever is higher
  This all depends on the regulator’s investigation, the amount of negligence, and the severity of the breach.

• California Consumer Privacy Act (CCPA) - The CCPA requires companies to report breaches within 72 hours if unencrypted data is involved or if an unauthorized user has access to encryption keys of encrypted data. It also requires companies to notify the California AG if more than 500 California residents are affected.
• New York SHIELD Act ("Stop Hacks and Improve Electronic Data Security") - The "NYS Information Security Breach and Notification Act" says a disclosure must be made “in the most expedient time possible and without unreasonable delay...." but doesn’t specify a specific timeframe. It also allows companies to delay a disclosure if law enforcement believes the disclosure can impede a criminal investigation. As is the case with the CCPA, if the breach affects more than 500 New York Residents, the affected companies must tell the NY AG within 10 days. Companies who don’t comply with the act can face up to $5,000 per violation.
• Securities and Exchange Commission (SEC) requirements - In 2022, the SEC introduced cybersecurity-related requirements for the protection of investors and now requires companies to inform investors and shareholders of "material incidents" within four business days of discovery. More recently, in March 2023, the SEC proposed updates to its cybersecurity rules, imposing stringent disclosure requirements for covered entities and requiring affected institutions to adopt "written policies and procedures" for incident response that include informing affected individuals within 30 days.
• European NIS-2 Directive ("Network and Information Security, Version 2") - The EU regulation, NIS-2, entered into force on January 6, 2023 and introduced stringent supervisory measures and streamlined reporting obligations. Affected companies must now provide an initial notification within 24 hours of becoming aware of an incident to their reporting authority and within 72 hours, the company must provide an initial breach assessment. Within one month of the attack, companies are expected to provide a final report detailing the attack's scope as well as any mitigation efforts undertaken. NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company's annual revenue, whatever is higher.
• State by State reporting requirements - All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.

Improving Breach Reporting in Organizations - In an age of increased cyber risks, organizations must proactively enhance their breach reporting practices. Best practices include:

• Developing a clear policy and process for breach reporting.
• Designating key stakeholders and defining their responsibilities.
• Collaborating with third parties for improved response capabilities.
• Preparing for the new normal of frequent data breaches, as indicated by our cybersecurity assessment findings.

How Data Breaches Occur 

• Human Error: Mistakes made by employees are a significant cause of data breaches. This can include sending sensitive information to the wrong recipient, misconfiguring databases, or failing to secure data properly.
• Social Engineering: Attackers often use deceptive techniques to trick individuals into divulging confidential information. Common tactics include phishing emails, pretexting, baiting, and tailgating.
• Advanced Persistent Threats (APTs): These are prolonged and targeted cyberattacks in which an intruder gains access to a network and remains undetected for an extended period of time.
• Ransomware Attacks: Malicious software that encrypts an organization's data and demands payment for the decryption key is becoming increasingly common.
• Lost or Stolen Devices: Laptops, smartphones, external hard drives, and other storage devices containing sensitive information can lead to a breach if lost or stolen.
• Backup Tapes Lost in Transit: Physical media containing sensitive data can be lost or stolen during transport, especially if not accompanied by a qualified escort.
• Hackers Breaking into Systems: Cybercriminals exploit security vulnerabilities to gain unauthorized access to systems and data.
• Insider Threats: Employees or contractors stealing information or intentionally providing access to unauthorized individuals.
• Information Obtained Through Deceptive Business Practices: For instance, data purchased from a fake business or through fraudulent means.
• Poor Business Practices: For example, sending sensitive information through insecure methods like postcards or unencrypted emails.
• Internal Security Failures: Lack of adequate security measures, such as weak passwords or unpatched software.
• Malware Infections: Viruses, Trojan Horses, spyware, and other malicious software exploiting security loopholes.
• Improper Disposal of Information: Sensitive information thrown away without proper destruction, such as in dumpsters.
• Unsecured Networks and Wi-Fi: Data breaches can occur when sensitive information is transmitted or accessed over unsecured or public Wi-Fi networks.
• Lack of Employee Training and Awareness: Employees unaware of security protocols and best practices can inadvertently cause breaches.
• Weak Access Controls: Insufficient access controls and privilege management can allow unauthorized access to sensitive data.
• Third-Party and Vendor Risks: Data breaches can occur due to vulnerabilities in the systems of third-party vendors or service providers.
• Cloud Storage Vulnerabilities: Inadequate security measures in cloud storage solutions can lead to unauthorized access and data leaks.
• Mobile Device Vulnerabilities: Increasing use of mobile devices for business purposes can lead to breaches if these devices are not properly secured.