The IT industry has an answer to almost every security problem. Need to lock down an app server to ward off hackers? There's likely a product available for that. Same goes for making sure a stolen Android phone uses strong authentication to keep a hacker from stealing data.
However, if the worst does happen (say, the hackers manage to break into a server and steal credit card numbers from a database), it can be hard to know what to do next (other than panic). CIO.com spoke to several security and legal experts to find out what to do after a leak occurs. Here are their five steps for how to survive a data breach, in chronological order.
Address the Breach Immediately
Experts agree on the first step: solve the problem and fix the data leak. Marc Malizia, the CTO of the IT consulting firm RKON Technologies, says it's important to address the security flaw. Determine what server, or servers, have been compromised. "Once located, a disk image of those servers should be made in order to preserve their state," he says. "To protect chain of custody in the event of a lawsuit, these images should be read-only and secured." Finally, he adds, put in place a containment strategy "to ensure the compromised server cannot infect other servers or devices."
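The "read-only and secured" advice above is only useful if you can later prove the image has not changed. The following is an added example, not code from the article or from RKON Technologies, showing the minimum an incident responder would script around each disk image: compute a SHA-256 digest, drop write permission on the file, append a custody record, and re-verify the digest before the image is used in analysis or handed to counsel. The host name, analyst name, file contents and paths are constructed for the demonstration; a real workflow would point `seal_image` at the image produced by your imaging tool.

```python
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB images don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_image(image_path, log_path, collected_by, source_host):
    """Hash the image, make it read-only, and append a custody record.

    Returns the recorded digest. The JSON-lines log is the chain-of-custody
    record: one entry per sealing event, never rewritten, only appended to.
    """
    digest = sha256_file(image_path)
    # Read-only for owner and group; nobody can accidentally write to it.
    os.chmod(image_path, stat.S_IRUSR | stat.S_IRGRP)
    entry = {
        "image": os.path.abspath(image_path),
        "sha256": digest,
        "size_bytes": os.path.getsize(image_path),
        "collected_by": collected_by,       # assumed field name
        "source_host": source_host,         # assumed field name
        "sealed_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return digest


def verify_image(image_path, log_path):
    """Return True only if the image still matches its most recent custody record."""
    wanted = os.path.abspath(image_path)
    recorded = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["image"] == wanted:
                recorded = entry["sha256"]   # last matching entry wins
    if recorded is None:
        return False                         # no custody record: cannot trust it
    return sha256_file(image_path) == recorded


def demo():
    """Seal a constructed image, verify it, then show that tampering is detected."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "srv01.img")
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"constructed sample disk image bytes\n" * 1000)  # constructed data

    digest = seal_image(image, log, collected_by="analyst-1", source_host="srv01")
    intact_before = verify_image(image, log)

    # Simulate an unauthorized modification: restore write access and append a byte.
    os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)
    with open(image, "ab") as f:
        f.write(b"x")
    intact_after = verify_image(image, log)
    return digest, intact_before, intact_after


if __name__ == "__main__":
    d, before, after = demo()
    print("sha256:", d)
    print("verified after sealing:", before)
    print("verified after tampering:", after)
```

The digest, not the file permission bit, is what carries evidentiary weight: `chmod` stops accidents, while the hash recorded at seal time lets anyone later show the bytes analysed are the bytes collected. Keep the custody log on separate, access-controlled storage from the images themselves.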
Form a Task Force
Almost every expert says another critical early step is forming a team to deal with the breach. You can't report a breach to the authorities and the legal department until you have a task force to lead the charge and communicate about progress.
Pat Calhoun, the senior vice president and general manager of network security at McAfee, says a "Seal Team" needs to be assembled immediately to carry out any additional steps. Attorney Tatiana Melnik adds that a company has to speak with one voice after a data breach; this team is responsible for making sure all information about the issue is reported in a concentrated effort.
Test the Security Fix
Once the problems have been resolved and a team is ready to lead a counter-offensive, and even before moving on to the stage of communicating about the breach outside of the organization, it's important to make sure the flaw is fully resolved. This may require having the security team look through server logs again or running penetration tests. It may require investigating whether other servers, or a cloud infrastructure, are also susceptible.
"Companies should undergo a rigorous penetration test by an external team of experts," says Chris Pogue, senior vice president for cyber threat analysis at Nuix, a company that analyzes unstructured data. "This is really the only way of ensuring that the fixes that have been put in place are fulfilling their intended purpose. The penetration test will also help to identify potentially unknown attack vectors that could be used by future attackers."