Unfortunately, the lack of that kind of planning or preparation is common. A recent survey of more than 340 CIOs, CSOs, IT directors, managers and auditors by consulting firm Protiviti found that 34 percent admitted that their organizations had no formal breach response plan, and another 10 percent said they didn't know if their company had a plan.
And security vendor Lancope and the Ponemon Institute reported in January on a survey in which half of the 674 respondents said incident response (IR) accounted for less than 10 percent of their security budgets.
Several experts say it is very likely worse than that. "It seems like a low number to me," said Orlando Scott-Cowley, director of technology marketing and resident security expert at Mimecast, who added that too many companies "talk about the P principles -- Proper Planning and Preparation Prevents Poor Performance -- in hindsight."
And while many in key financial districts or industries in hurricane- or tornado-prone states have plans in place, "others who would normally never feel the need to be threatened often don't prepare," Scott-Cowley said.
David J. Bianco, Hunt Team Manager at FireEye, agreed. "I expect the number is much higher, especially when you consider that 'We have a plan' doesn't say anything about how good that plan may be."
Planning for a breach ought to be a given, they say, because it is almost a given that it will happen. Bianco, Evans, Mancusi-Ungaro, and Wendi Rafferty, vice president of services at CrowdStrike, offer a number of recommendations for a pre-breach plan:
- Establish roles and responsibilities of everyone on the IR team, ideally with 24-hour contact information that includes third-party vendors, IT & IT security, senior management, business unit leaders, legal counsel (both internal and external), PR and customer ombudsman.
- Rehearse IR scenarios with all internal stakeholders.
- Draft PR statements for a variety of scenarios, because there will likely not be time to do so effectively when a breach occurs.
- Establish relationships with local law enforcement authorities, including the FBI and Secret Service, to have a point of contact when a breach occurs. That will lead to faster response in a crisis.
- Get data breach insurance.
- Implement role-based account access and monitoring of that access, which will help to quickly identify unusual and potentially malicious activity.
- Train all staff members to spot and systematically report information security incidents and near misses. This can lead to detection before an actual breach occurs.
"More and more, the weakest link in a company's security chain is employees and families," Mancusi-Ungaro said. "It is impossible to overstate the importance of helping them maintain vigilance in all their online activities."