Nothing can make your heart drop to your stomach like discovering your network has been breached. It's a horrible situation to find yourself in, but with a little forethought and some simple steps, you can minimize the damage to your company and your career.
A key task to complete before you suffer a system compromise is to prepare an incident response plan — a document that covers what should happen when you discover a security incursion. It should outline the steps you'll take for investigation, mitigation, and communication. That includes a security disclosure policy, which should cover the what, when, and who of disclosures.
There's no hard and fast rule about what to tell and what to hold back when disclosing a breach. Involve your corporate communications and legal professionals to craft an appropriate message. This is a management decision, not a systems issue.
If you discover a breach, you should disclose it immediately, or at the most expedient time possible, without unreasonable delay. The requirement for prompt reporting is written into the disclosure laws of many states, and failure to quickly notify customers whose data was leaked can expose your business to civil or criminal penalties.
Who needs to know about this breach? Your boss obviously does — not telling your manager is a good way to get fired when someone eventually discovers the problem. You also need to notify the corporate officer responsible for cyber security. But the larger question is: Should you tell anyone outside of the organization?
The answer may depend on what kind of breach you fall victim to. Some breaches are more serious than others. In fact, you can divide system compromises into three or four levels of severity. In ascending order, they are:
If hackers got into your website and changed your carefully crafted marketing messages to something that reflected their own agenda or sense of humor, things could be worse. Restore from backups and look for signs of deeper penetration; if you don't find any, breathe a sigh of relief that you dodged a bullet. In this kind of breach no sensitive data was accessed, and in most jurisdictions you don't have to tell anyone outside of the organization about it. However, if openness and transparency are among your corporate values, you might want to disclose it anyway. You can think of this kind of incursion as more of a security incident than a breach.
If you discover that a hacker has cracked one of your users' accounts, you have a potentially more serious situation. Review your logs to determine whether the user accessed sensitive information or installed unauthorized software.
If a black hat gains access to a system-level ID such as root, you're in big trouble. You'll need to preserve the data from the affected system for forensic use, wipe and reinstall the operating system and everything that runs on it, and bring in an outside organization to conduct an in-depth security audit.
Not all break-ins come over the wires. Some criminals may get their hands on an unencrypted laptop or backup tape that holds sensitive data. Treat theft of physical assets just like a user-level or root compromise, depending on what was stolen.
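The log review described for a cracked user account, as an added example that is not part of the original article: it walks a constructed audit log for one account, records whether sensitive data was read or software installed, and maps the result onto the severity tiers above. The log format, the sensitive paths and the install commands are all assumptions made up for this example.

```python
# Added example (not from the original article): triage one cracked account's
# activity against the article's severity tiers. The audit format, sensitive
# paths and install commands are constructed for this example.
import re
from dataclasses import dataclass, field

# Constructed: paths holding unencrypted personal data (the S.B. 1386 trigger).
SENSITIVE_PATHS = ("/srv/customers/", "/var/lib/payroll/")
# Constructed: command prefixes treated as "installed unauthorized software".
INSTALL_PREFIXES = ("apt-get install", "yum install", "pip install")
# Constructed audit format: "<timestamp> <user> <event> <argument>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<event>open|exec|sudo)\s+(?P<arg>.+)$")


@dataclass
class Triage:
    sensitive_reads: list = field(default_factory=list)
    installs: list = field(default_factory=list)
    root_access: bool = False  # sudo from a cracked account means the attacker had root

    @property
    def tier(self) -> str:
        """Map the findings onto the article's tiers, worst first."""
        if self.root_access:
            return "root compromise"
        if self.sensitive_reads or self.installs:
            return "user-level compromise"
        return "security incident"

    @property
    def notify_outside(self) -> bool:
        """Assumption: outside notification is needed when unencrypted personal
        data was reachable, directly or via root (which can read everything)."""
        return self.root_access or bool(self.sensitive_reads)


def triage_account(log_lines, user):
    """Collect what the given (already known to be cracked) account did."""
    result = Triage()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["user"] != user:
            continue
        event, arg = m["event"], m["arg"]
        if event == "open" and arg.startswith(SENSITIVE_PATHS):
            result.sensitive_reads.append(arg)
        if event in ("exec", "sudo") and arg.startswith(INSTALL_PREFIXES):
            result.installs.append(arg)
        if event == "sudo":
            result.root_access = True
    return result


# Constructed sample log: bob's account is the cracked one; alice is a legitimate admin.
SAMPLE_LOG = [
    "2024-03-01T02:11:07Z bob open /home/bob/notes.txt",
    "2024-03-01T02:13:42Z bob open /srv/customers/export.csv",
    "2024-03-01T02:15:09Z bob exec pip install requests",
    "2024-03-01T09:00:00Z alice sudo apt-get install vim",
]

if __name__ == "__main__":
    t = triage_account(SAMPLE_LOG, "bob")
    print(t.tier, t.notify_outside, t.sensitive_reads, t.installs)
```

The function only judges activity for an account you have already determined is cracked; run it on alice's legitimate sudo and it would report a root compromise, which is why the compromised account is an input, not something it infers.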
Many states have laws that address security breaches. If you do business in California, for instance, you fall under S.B. 1386, which requires "notification to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Similar laws apply in other jurisdictions. In the US, no federal law addresses breach disclosures.
If you already have a security disclosure policy and wouldn't mind sharing it so that organizations that haven’t been as proactive as yours can adapt it, please post it in a comment (after sanitizing your company's specifics, of course).
About the Author
Lee Schlesinger writes and edits stories about technology. He’s the former managing editor of Spiceworks, executive editor of Linux.com and ZDNet Business & Technology, and editor-in-chief of Enterprise Networking. Follow him on Twitter @leeschlesinger and on LinkedIn.