Timeline of Incident Response to Data Leak

Ms. Amanda Geraud had been an auditor for years. It was her job to review business projects and summarize the actions taken, the costs involved, and the benefits or losses to her employer. Today felt no different from so many others before, when she had to explain the chain of events leading to preventable consequences. Nonetheless, as the auditor closed her spreadsheet and completed her summary to the Executive Committee, she sighed. The cost of the data breach was $2.1 million, including government fines.

Ms. Geraud had been asked to audit the company’s response to a cybersecurity breach of login credentials for over 20,000 customers. She traced the leak from the first step through to the last and interviewed the stakeholders who responded to the incident. It was clear: the company could have responded faster than it did. The data leak went unaddressed for 24 days while employees went through their chain of command to remediate the incident. This particular leak took extra time to remediate because it originated from one of their third parties, who had just moved data to a new Cloud provider. The lost time contributed to the leak turning into a $2.1 million breach. Ms. Geraud prepared a timeline of the key actions to illustrate the time gaps in the journey from data leak to breach.

Incident Response Timeline

Days 1-4

A customer call is received at the Help Desk about unauthorized account activity. After three more complaints are received, the Help Desk representative lets his supervisor know about the issue. The supervisor alerts the InfoSec Team at the end of his day.

Day 5           

The InfoSec Team alerts the IT Director, who is out of the office with a client.

Days 6-7

The IT Director directs the team to investigate whether there had indeed been unauthorized account activity. If there was a leak, she wants it remedied, as well as getting an understanding of its cause and the magnitude of the leak.

Days 8-10

The team reports that not only had there been unauthorized account activity, it was more extensive than originally thought. They have searched the internal sources, but believe the leak may be from a third party.

Day 11           

It is determined the leak is from one of their suppliers, ACME Corporation. The IT Director notifies the CIO, who is tied up in strategy meetings and responds the next day.

Day 12       

The CIO gathers the team and outlines an action plan. The first step is to contact the InfoSec Team at ACME Corporation. The CIO also alerts the CEO and the entire executive team of the security risk to their enterprise.

Days 13-19 

The CIO’s team calls and emails ACME Corporation; however, there is no response other than, “We are investigating.” It turns out that ACME’s VP of Information Security was on medical leave, and no one was authorized to handle the potential data leak. The issue was passed from department to department at ACME.

Days 20-23

ACME’s VP of InfoSec returns. Once he sees the notices about a potential leak, he tasks his team with identifying the data leak source. He also escalates the issue to his executive team, who want to review their exposure before responding. 

Day 24

The ACME InfoSec Team determines the data leak source is their new Cloud provider. They notify their Cloud provider to locate the source of the exposed files and ensure the files are secured. 

Day 25         

Once ACME has validated that the leak is remediated, they notify the company with whom Ms. Geraud is working.

In her report, Ms. Geraud lists the hand-offs that delayed the incident response.  She also shares the top five reasons for the extended time in remediating the data leak, as identified by the stakeholders she interviewed.

  1. Our InfoSec Team did not know about the unsecure data until our Help Desk got a spike in complaints from customers.
  2. Our IT Team forwarded the incident to the Director of IT, who took longer than usual to reply because she was out of the office with a client. There was not an escalation process in place for handling sensitive data leaks.
  3. There was not an agreed upon procedure established for third parties to report, investigate, and handle data leaks, as well as an associated SLA including a timeframe to report progress and remedy.
  4. The third party did not have an internal process and procedure for escalating the report of a data leak, particularly when their CISO was out of the office. 
  5. The third party did not have an agreed upon process and procedure for handling data leaks with their new Cloud provider. 

Recommended next steps

Ms. Geraud worked with the CISO to develop the top 3 recommendations for next steps. These had to be actionable steps that management could take to the Board of Directors to ensure cybersecurity incidents like this would not end in a data breach costing the company millions. The company should act immediately to implement the following steps to prevent another data breach.

  1. Develop, document, and enforce processes and procedures for reporting and addressing data leaks that occur outside the IT perimeter.
  2. Develop, document, and enforce processes and procedures for managing the increased risk of sharing data with third parties.
  3. Build a business case to buy or build the tools, skills and competencies to:
    • Scan for leaks of sensitive data outside the enterprise’s perimeter, particularly addressing Cloud Applications and Connected Storage Devices. 
    • Remediate data leaks in one-third the time, thus reducing exposure and potential costs. 

CybelAngel value

Use our free MyExposure Dashboard to determine if and where your sensitive data is leaking.  If your team is concerned about data leaks and does not have the bandwidth to address data leaks outside your IT perimeter, our security experts can partner with you to detect and remediate leaks.  Contact Us Now…because data leaks are inevitable; but damage is optional.