The jaw-dropping data breaches of the past decade—Equifax, First American, and Yahoo, to name a few—would seemingly have numbed the business world’s consciousness to such massive incidents. But then, something happens that puts IT departments and compliance professionals back on edge …
The latest alarming breach was at Capital One, which recently announced that an attacker gained access to the data of about 100 million people, including roughly 140,000 Social Security numbers and 80,000 linked bank account numbers. The breach is expected to cost the company as much as $150 million to clean up.
Although this breach was not the fault of rank-and-file employees (the attacker exploited a misconfigured web application firewall rather than, say, a phishing email that someone fell for), it is a stark reminder that these catastrophes still occur and that no business, big or small, is immune.
The Department of Justice’s Cybersecurity Unit published important updated guidance last year: Best Practices for Victim Response and Reporting of Cyber Incidents. In light of the cybersecurity news of the past few months—from the Equifax settlement to the First American and Capital One breaches—the DOJ document is worth revisiting.
Notification … and So Much More
Plenty of regulations, guidelines, and standards for data breach notification exist, including GDPR, rules enforced by the FTC and the Consumer Financial Protection Bureau (CFPB), the breach-notification laws of individual states, and more. The DOJ guidance is not itself a regulation: whether your organization follows it depends on factors such as its industry, size, and the other obligations it already carries. If you do adopt it, it helps you meet the expectations the DOJ and its investigators will have of a victim organization. Timely notification of a data breach benefits the affected individuals and obliges the organization to act decisively after an incident, so staying current with the DOJ guidance is essential.
What’s notable about the DOJ document is that the first half of it is devoted to being fully prepared to react to a cyber incident if and when it occurs. Establishing procedures to deal with an incident and training personnel to execute those procedures can minimize harm and expedite the subsequent recovery from a breach.
Preparedness Is Key
Preparation is what carries an organization through a crisis: employees who know what to do when an incident strikes, even one they have never encountered before, act decisively instead of panicking. The DOJ guidance offers strategies to achieve this preparedness, including:
- Educating senior management before a cyberattack occurs
- Identifying the most vital data and systems
- Implementing an actionable notification plan
- Engaging with law enforcement
- Establishing appropriate workplace and cybersecurity policies (more on this later)
- Implementing the proper technology and services to use during and after a cyber incident
Employees should practice these best practices rather than just read about them on paper, and this is where security awareness training can help. For example, the DOJ guidance recommends running preparedness exercises; scenario-based training provides an effective framework that such exercises can build on.
Plan for Procedures
The DOJ document strongly recommends implementing and maintaining strong cybersecurity policies ahead of time: proactive measures rather than after-the-fact responses. "I didn't know I was responsible for that" is no longer an acceptable excuse. Organizations that plan ahead benefit when a crisis arises, because employees then have a plan to follow as they make consequential decisions with much at stake.
Such policies and procedures can be incorporated into security awareness training so that employees understand exactly which cybersecurity and response measures they are responsible for, an approach the DOJ best practices recommend. When a breach does occur, muscle memory kicks in; with a good plan in place the crisis is no less urgent but far more manageable, and staff can limit the damage. The best training platforms ensure employees absorb this knowledge and adapt the progression of the course to each employee's prior knowledge and performance.
Let Data Guide the Way
To be fully prepared to handle a cyberattack and send out the appropriate notifications, you should know which areas of concern are contributing to your risk. Analytics from security awareness training not only identify weaknesses that further training can address, but also indicate which non-training controls you might consider instituting to counter the heightened risk.
Training data can also show how prepared employees will be to act during and after a cyber incident. You can’t fully eliminate the risk of a breach, but with great training, great analytics, and great planning, you’ll be ready if that day ever comes.