Breach Recovery Checklist For You and Your Company

No business nor individual is immune to a cyber breach yet I still hear many people telling me they don’t think they will be affected. They believe that their company does not have anything valuable enough to steal, but every company and individual have valuable data to a cyber thief that we might overlook. While we’re all focused on our money in bank accounts, cyber thieves are looking elsewhere. But before I lay out a breach recovery checklist, let’s not forget the following noteworthy breaches:

2013  Target – 70 million records compromised
2014  Ebay – 145 million records compromised
2014  Home Depot – 56 million records compromised
2014  JP Morgan – 76 million records compromised
2015  Anthem – 80 million records compromised
2016  IRS –  700,000 accounts affected
2017  Equifax – 145 million American accounts compromised including SS#s and driver’s licenses
2017  Yahoo – 3 Billion user accounts compromised

These are the some of the greatest hits in data breaches. Now ask yourself if you have any tie to any of these breaches. I would venture to say Yes! Perhaps you have not be compromised yet but is it only a matter of time?

Compromised data stolen from a company or directly from any individual are used for 3 primary payouts: identity theft, medical fraud, and credit card fraud. Thieves looking for social security numbers, account numbers, date of birth and mother’s maiden name can glean additional data just by stealing one of these by leveraging the inherent security weaknesses found on social media and security challenge questions.

Before you can take any action, you must determine specifically what was compromised.  Perhaps your address or name were compromised. This is not too concerning as anyone can obtain this information in less then 30 seconds from an Internet search. This would be a low security threat but do not be lulled into a false sense of security because each piece of data, no matter how seemingly harmless, is still another piece of the security puzzle. When we build a jigsaw puzzle, even insignificant pieces can sometimes lead to an unexpected breakthrough. And once the puzzle becomes clearer, the time required for completion only shortens. So time is of the essence but what about post breach?

As soon as you know you have been compromised, take immediate action. Since weak passwords are involved with nearly every breach,  create new, long and strong passwords using upper/lower case letters/numbers/symbols of at least 12 characters. If that sounds like too much to handle, use a password manager such as Dashlane to help you create and manage all those new passwords. It is important to also make sure you are not reusing any passwords across multiple sites. Despite endless warnings on the dangers or password re-use, it is still a tremendous problem that hackers gladly exploit.
If you believe your credit card was compromised, it is essential to immediately call your issuing bank. The majority of credit cards have a toll free number printed on the back allowing you to speak to an actual person to relay any suspicious activity. They will likely cancel and re-issue the card immediately to be safe. Time is of the essence as most credit card thieves move quickly to go on shopping sprees in the first few hours of stealing a credit card. Your liability exposure is $50 on a credit card (although they often waive that fee if you ask) and you have up to 60 days to dispute in writing any suspicious charges. Contrast this to a debit cards which only allow you 2 days to report fraud with a liability up to $500. This is another reason why I strongly discourage use of debit cards. In either case, regular credit monitoring and immediately reporting suspicious activity are paramount to security.

A good next step would be to contact one of the credit reporting bureaus and place a fraud alert to TransUnion (800-680-7289), Innovis (800-540-2505), Experian (888)-397-3742), or Equifax (888-766-0008). If you report a fraud alert (AKA credit alert) to any one of the credit reporting bureaus, they are all required to alert the other three bureaus anyway.

If you suspect your identity has been compromised, you may want to take a stronger step which is a credit freeze (AKA security freeze). Anyone whom you already don’t do business with cannot run a credit report on you or open an account in your name without your explicit authorization. To unlock your files temporarily, the credit agency will issue you a PIN. It is important to follow that up with  a formal report of identity theft to the FTC.

If you have had your identity or credit compromised, you may opt to get a monitoring service such as LifeLock Ultimate Plus. This is not so much a preventative measure as it is an early warning service that scours the dark web for potential compromises and threats by cyber thieves. The idea is that the faster you can alerted to suspicious activity, the faster you can react to protect your digital identity.

When Your Company Is Hacked

As much as a nightmare it is to have your own identity hacked and stolen, having your company hacked can be its own nightmare orders of magnitude greater. Since you are dealing not only with internal company data such as financials, emails, passwords, but also the possibility of all your customers’ data, no post-breach steps required can be overlooked.

The first thing you need to do is to reach out to your customers and alert them immediately. In fact, the law requires that you inform any customers whom had data compromised. This can be difficult when organizations still have not fully ascertained what has or has not been compromised. It is more important to alert customers first so they can be prepared and you can work out the details later. This can help them avoid major financial damage as well as future class action lawsuits against your company.  This alert should be followed up with a formal written data breach notification detailing all known compromised data and what to expect in the way of security responses and future correspondences.

Customer notifications should always clearly state what happened, how the damage has been contained, and any preventative actions put into place to prevent this from happening again. If your company does not have a clear understanding of what happened, they should hire an outside cyber security firm to carefully advise on the next crucial steps.

Laws vary from state to state on the level of transparency required as well as obligations to provide free credit monitoring for example. A breach of sufficient size requiring notification of over 500 customers may require filing a formal notice with your state attorney general’s office. Look within your industry to determine if specific regulatory bodies require additional filings. For instance, the healthcare services industry’s HIPPA requirements stipulate that if over 500 customers are affected, you need to notify prominent media outlets.

Companies should have a yearly incidence response plan annually updated which includes a game plan on response to a serious breach and key contacts that need to be informed to provide assistance including a 3rd party cyber security IT forensics group.

I recommend annual vulnerability assessments alongside penetration tests performed to identify vulnerabilities that in-house security and IT teams may overlook.

There may even be a need to notify federal authorities depending upon the scope of the breach and the industry you serve. With the aforementioned breaches affecting everyone, it is also prudent to further minimize risk by putting an effective cyber insurance policy in place. These policies become crucial after a significant breach as numerous legal expenses, forensic fees, customer credit monitoring fees are sure to follow.

This blog was originally posted on BMC.com