Coordinated Response
Services and tools for incident response management

Data Breach

Senior Executive Involvement in Data Breach Response

The Ponemon Institute conducted a survey of 495 senior executives both in the United States and the United Kingdom. The findings identify the importance of executive involvement in an effective data breach response.

Key Findings

The following ingredients really apply to any organization evaluating their data security posture, not just law firms.

  1. Poor communications, lack of leadership and lack of board oversight are barriers to effective incident response.
  2. Current incident response plans are more reactive than proactive.
  3. Executive level oversight is critical to minimizing financial loss and protecting reputation and brand.
  4. Understanding the risk and approving incident response plans should be on the board of directors’ agenda.
  5. Negligent and malicious insiders are considered the biggest security risk.

This strongly suggests that senior executives need to be involved in the development and review of your incident response plan.

In one recent engagement, we developed and exercised an organization’s incident response plan. Senior executives were directly involved including the COO, two vice presidents of key business units, the chief risk officer, the CIO, and deputy legal counsel. Our client gained from this effort and so did we.

Coordinated Response

Let us help your organization develop, improve, and test your incident response capabilities.

The full study, “The Importance of Executive Involvement in Data Breach Response, (May 2015) is available at this link:

Cyber Incident Response – Executive Awareness

Raising executive awareness on the importance of incident response planning should raise executive support. This is one in a series of references that serve as tools for engaging your executives and gaining their support.

The full collection of references is available at this link:

What to Do After a Data Breach

Eight Best Practices to Effectively Deal with a Data Breach

On the CIO Insight web site Karen Frenkel posted a slide deck that identifies 8 best practice for dealing with a data breach. The practices identified align nicely with the elements Response Management Framework.

I recommend the slide deck as a good device for a review and a discussion with your executive team.

Eight Best Practices for a Data Breach Response

  • Prepare and Practice to Make Perfect.
  • Don’t Panic!
  • Move Quickly, but Stay Patient.
  • Don’t Go It Alone.
  • Assemble the Right Team.
  • Get Legal Advice.
  • Someone Needs to Talk.
  • Identify Lessons Learned.

Coordinated Response

So apply these best practice as you evaluate and improve your incident response plan. Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your risk of a Data Breach.

A Note of Appreciation

Thanks to Jeff Mathis and the LinkedIN Cyber Resilient Community Dialog for bringing this to my attention.

Enhance Data Breach Response – 6 Recommendations

The GAO in Congressional testimony made the recommendations

A report of the testimony is available from the GAO Web Site. For some interesting statistics from this report refer to GAO Statistics on Cyber Security.

Key Management Practices

  • Establish a data breach response team;
    rely on IT security staff for technical remediation;
    identify an extended team that includes the information owner, the CIO,
    the CISO, the privacy officer, public affairs, and legal counsel among others.
  • Train employees on their role;
    train of employees with access to sensitive data on their responsibilities;
    train the response team on their role in the incident response plan.

Key Operational Practices

  • Submit reports to appropriate entities;
    prepare and submit reports for internal use, to the US-CERT within 1 hour of discovery,
    and to other external entities as appropriate.
  • Assess the impact both in breadth and in depth;
    identify the nature of the data, the number of individuals, the likely potential for harm,
    and the possibilities for mitigation; this assessment determines incident actions and reports.
  • Offer affected individuals assistance;
    as appropriate and as required, help  mitigate the individual’s risk
    through credit monitoring for example.
  • Analyze the breach response; identify lessons learned.


Coordinated Response

With this information the response team makes informed decisions on what resources to apply and what actions to take. Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your information security risk assessment.

A Data Breach and Insider Threats

Insiders pose a unique threat. A Data breach involves legal issues. Does your incident response plan reflect the required actions?

The Verizon 2013 Data Breach Investigations Report provides insight into the role of insiders when data is breached.

Profit-driven organized crime groups were tied to over half of all breaches.

Attackers targeted mostly finance, retail, and food service industries. Attackers profit from selling payment data or personal information. Almost all states and the District of Columbia have data breach laws governing this type of incident.

State-affiliated Actors were linked to 21% of all breaches.

Here the attackers were seeking intellectual property – trade secrets, sensitive internal data, or systems information. The targeted industries were Manufacturing, Professional Services and Transportation. This raises issues of liability or economic loss.

There are two important statistics associated with cyber-espionage campaigns.

  • First, over 95% started with a phishing attack. Companies need to take their anti-phishing controls seriously.
  • Second, smaller companies, those with less than 10,000 employees, were attacked 4 times more than larger companies. Small professional services or law firms were often targets due to the sensitive information they held for their clients.

Malicious Insiders account for 14% of data breaches.

But, Verizon also states that External Actors are involved in over 90% of all data breaches. So, often an external actor recruits or coerces an insider.

Risk Awareness is the first step.

Include insider threats and the potential impact of a data breach in your risk assessment.

An Incident Response Plan is the second step.

When dealing with insider threats, consider the legal and human resource issues. Managing employees or contractors involves legal and regulatory issues. When dealing with a data breach, appropriate legal steps need to be followed.

Coordinated Response

Coordinated Response can help you develop a plan that anticipates the unique actions needed to address a data breach or an insider threat.