Data breaches are inevitable. But the ways IT leaders respond to them are not.
A rapid, effective response can make the difference between results that are catastrophic at all levels -- brand identity, market share and financial health -- and those that are relatively harmless.
As more than one expert has said, it is impossible to prevent all breaches, but if a response team can prevent attackers from completing their mission, or even reduce the damage they do, the good guys have won that battle.
And a lot of what makes a response effective is what happens in the hours immediately after the breach is discovered. Several vendors have published "checklists" of what to do during the first 24 hours after a breach is discovered, including the credit monitoring firm Experian and Smith Anderson, a law firm in North Carolina.
But security experts, while they agree that checklists adapted to the needs of different organizations are good, say there is no way to perform the items on those lists effectively without intense pre-planning. In a world where the reality is "when," not "if" a breach will occur, a little worst-case paranoia can be the only way to keep an organization in the "relatively harmless" camp.
"The last thing an organization wants to do in a full-blown crisis is make up a crisis response plan," said Greg Mancusi-Ungaro, CMO at BrandProtect. "It is much better to work from an established plan, created during a time where choices and procedures can be drawn up, debated and revised."
Tom Evans, CSO at Cognia, agrees, saying that if organizations have not planned and trained in advance to spot and mitigate a breach, then the best they can do is, "leave power on, isolate, do not touch, call a specialist."
Andrew Avanessian, vice president of professional services at Avecto, argues that post-breach strategies are "fundamentally flawed" because they are "reactive and based on fear."
Organizations should have a data breach strategy, he said, but it should be "proactive," which means, "IT infrastructure projects will take a little longer to deploy, but the amount of time spent firefighting after the fact will be significantly reduced."
Lucas Zaichkowsky, enterprise defense architect at AccessData, said it is almost impossible to do an effective forensic investigation without, "rapid visibility into live systems, network traffic, and most importantly, historical data."
And that, he said, requires "extensive logging in place with a high retention period, the ability to rapidly search endpoints at an enterprise scale for indicators of compromise and retrieve forensic data from systems accessed by the attacker."
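To make the point about retention concrete, here is an added example (not from the article, and not code from AccessData or any other vendor quoted in it). It runs a simple indicator-of-compromise sweep over a handful of constructed endpoint log lines, after first applying the retention window a log store would enforce. With 30 days of logs the sweep finds one host and dates the intrusion to 12 days ago; with 90 days it finds three hosts and the first beacon 75 days back. The hosts, timestamps, hash and indicators are all made up; the IP is from the RFC 5737 documentation range and the domain is a reserved example name.

```python
"""IOC sweep over endpoint logs, with a retention window applied first.

Added example, not from the article or any vendor named in it. The log
lines, hosts and indicators below are constructed for illustration; the IP
is from the RFC 5737 documentation range and the domain is a reserved
example name, so none of them are real indicators.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "time of discovery"


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str   # "dns", "net" or "proc"
    value: str


def days_ago(n: int) -> datetime:
    """Timestamp n days before the constructed discovery time."""
    return NOW - timedelta(days=n)


def _iso(n: int) -> str:
    return days_ago(n).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed log lines: "<timestamp> <host> <kind> <value>".  The attacker's
# first beacon is 75 days old; later activity fans out to other hosts.
SAMPLE_LOGS = [
    f"{_iso(75)} ws01 dns c2.example.net",
    f"{_iso(74)} ws01 net 203.0.113.45:443",
    f"{_iso(40)} srv02 proc sha256=" + "deadbeef" * 8,
    f"{_iso(12)} db01 net 203.0.113.45:8443",
    f"{_iso(3)} ws07 dns mail.example.com",           # benign
    f"{_iso(1)} db01 proc sha256=" + "cafef00d" * 8,  # benign
]

# Constructed indicators of compromise, keyed by the log kind they apply to.
IOCS = {
    "dns": {"c2.example.net"},
    "net": {"203.0.113.45"},
    "proc": {"deadbeef" * 8},
}

_HASH_RE = re.compile(r"sha256=([0-9a-f]{64})")


def parse_line(line: str) -> Event:
    ts, host, kind, value = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kind, value)


def retained(events, retention_days: int, now: datetime = NOW):
    """Simulate a log store that keeps only the last `retention_days` days."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in events if e.ts >= cutoff]


def matches(event: Event, iocs) -> bool:
    """Normalise the event value per kind, then compare against the IOC set."""
    if event.kind == "dns":
        return event.value.lower() in iocs["dns"]
    if event.kind == "net":
        ip = event.value.rsplit(":", 1)[0]   # strip the port
        return ip in iocs["net"]
    if event.kind == "proc":
        m = _HASH_RE.search(event.value)
        return bool(m) and m.group(1) in iocs["proc"]
    return False


def sweep(events, iocs):
    """Return {host: [events]} for every event that matches an IOC, oldest first."""
    hits = {}
    for e in sorted(events, key=lambda e: e.ts):
        if matches(e, iocs):
            hits.setdefault(e.host, []).append(e)
    return hits


def first_seen(hits):
    """Earliest matching event across all hosts, or None if nothing matched."""
    return min((e.ts for evs in hits.values() for e in evs), default=None)


def investigate(retention_days: int):
    """Sorted list of compromised hosts and the earliest IOC hit visible
    with the given retention period."""
    events = retained([parse_line(l) for l in SAMPLE_LOGS], retention_days)
    hits = sweep(events, IOCS)
    return sorted(hits), first_seen(hits)


if __name__ == "__main__":
    for days in (30, 90):
        hosts, seen = investigate(days)
        print(f"retention={days:>2}d hosts={hosts} first_seen={seen}")
```

The point of the two runs is the same one Zaichkowsky makes: the sweep logic is identical, but with 30 days of retention the investigator sees a single affected host and a 12-day-old intrusion, while the 90-day store reveals the patient-zero workstation and a dwell time of two and a half months. Scope, containment decisions and notification obligations all change with that answer.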