Hurricane season is in full swing. As I write this, Tropical Storm Emily is drenching Florida, and the governor has declared a state of emergency. Having lived in Florida myself, I know that most coastal residents do take hurricanes seriously. There are always those, however, who either don’t grasp the possibility that if a hurricane hits they can suffer real damage, or simply play the odds that it won’t happen to them. Hurricane readiness for them is a bottle of Cuervo Reserva and some DVDs for entertainment in case the power goes out. And so, too, it goes with data breaches.
Breach readiness today ranges from total denial, through half-hearted attempts at maintaining current backups, to—for a minority—sophisticated IT security teams and technology ready to detect, respond, and recover. Even the technologically prepared, though, have likely not planned beyond containment and recovery. Consider our hurricane scenario. Minimal readiness includes necessities for riding out the storm: an evacuation plan, water, food, flashlights, medical supplies, and so on. Those things should get you through the first 48 hours, much like the immediate IT response to a data breach. But what next?
The aftermath of a hurricane can affect lives and property for months and years following the event. Seventeen months after Superstorm Sandy hit the Northeast, residents were still displaced and without financial assistance. The Department of the Interior invested $787 million to “clean up and repair damaged national parks and wildlife refuges; restore and strengthen coastal marshes, wetlands and shoreline; connect and open waterways to increase fish passage and improve flood resilience; and bolster local efforts to protect communities from future storms.” “Twenty percent of the homes affected by Sandy — perhaps thousands — have had major mold issues or recurring issues.” Almost a quarter million vehicles were damaged and sold for salvage.
Similarly, in a data breach scenario, the immediate damage that can result from system downtime and business disruption is dwarfed by the long-term repercussions to reputation, litigation exposure, legal and technology costs, and provision of customer notification and credit protection services.
I’ll take my chances
Just how likely is the possibility of a data breach that results in exfiltration of data, or worse, a ransomware attack? Symantec reports in 2016 that 43% of cyber-attacks worldwide in 2015 were against small businesses with less than 250 workers, and the likelihood for larger organizations of a spear-phishing attack was 38%. Note the operative word, “reported.” Not surprisingly, many data breaches go unreported if they happen to non-regulated or smaller companies with no obligation to report, so the actual numbers are likely much higher. As former FBI Director Robert Mueller famously stated, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again” (this Mueller quote from five years ago gets thrown around a lot, but if you’ve never done so, take a moment to read his brief, prescient remarks).
The difference between hurricanes and data breaches is that hurricanes are at least somewhat predictable. Data breaches are increasingly random, and take advantage of vulnerabilities that exist below the demographic layers of business. It doesn’t matter that your company is small, or that you work in an industry not typically targeted. Bots troll the Internet looking for unpatched systems and open ports. When they get a hit, a human hacker digs deeper to see if there’s anything worth stealing or holding for ransom.
Readiness, therefore, is required of all of us. An effective breach readiness plan will include elements to manage the aftermath. Who will you call regarding insurance, legal considerations, forensics, notification, and public relations? When will you call, and what will you tell them? How will you deal with your customers and the media? Who will coordinate your organization’s response? What laws apply? Will you need a forensics investigation? Is the event contained, or are you at future risk?
A good breach readiness plan will address all of these questions and more. Sure, you can take your chances, but be aware that small and mid-sized businesses are increasingly susceptible to breaches. There was only a 2% chance that a Category 1 hurricane would hit New Jersey—and then Sandy happened. You’ve worked hard to earn your clients’ and customers’ trust. Be prepared to keep it.