
Breach response plan is a must for enterprise security

As data breaches mount, the C-suite is being pressed to take part in enterprise security. At the MIT Sloan CFO Summit, top financial, legal and security experts imparted advice.

Data security isn't just the responsibility of the IT department. Instead, it should be a "top-down, across the silos," enterprise issue, according to Gerard Leone, a partner at the law firm Nixon Peabody LLP.

Leone moderated a panel of financial, security and legal experts at the recent MIT Sloan CFO Summit on "the dangers and the demands of digital data." While tools such as rapid intrusion detection are important, the panelists agreed that the best defense starts with a solid strategy.

In part one of this two-part story on enterprise security, Massachusetts U.S. Attorney Carmen Ortiz and other panelists explain why making friends with local and federal government authorities before a breach happens should be an integral part of a breach response plan.

Enterprises should create a strategy that includes the "full life cycle" of security, according to panelist Cynthia Izzo, managing director of information protection and business resiliency at KPMG. The lifecycle includes four elements: prevention, detection, monitoring and reporting. Combined, they provide the backbone for deterring breaches as well as knowing how to respond when a breach does happen, Izzo said.

Case in point: One of Izzo's clients believed it was cybersecurity ready; it was cognizant of system vulnerabilities and tested those vulnerabilities regularly. But when the company was breached, its breach response plan turned out to be flimsy. Just figuring out how deep the breach went and who to report the incident to took "a good five hours," Izzo said.

That lack of clarity is part and parcel of the complex regulatory compliance world, which CIOs know all too well. In the U.S. alone, whom to report a security breach to can differ from one state to the next. "Because Congress has not passed a piece of legislation, which could cover us nationally in this space, you are consistently having to determine if you have an incident or breach, what agency you have to deal with," Leone said. "You don't know who is going to come calling and every state AG's office has its own enforcement approach."

Mitigate breach damage

Delays in reporting incidents can be costly to an organization, in more ways than one. Not only can they damage a company's reputation, but "you have to report in a certain amount of time or risk getting fined," Izzo said.

That's why panelists recommended developing relationships not only with the media, but also with legal and government officials in advance of a breach. This is advice that can ultimately prove to be advantageous in ways businesses may not expect. "We can do certain things to protect your company, your information, your assets in ways you can't," Ortiz said.

She said that when disgruntled employee Biswamohan Pani left Intel in 2008 for a competitor, he took sensitive documents with him, "including blueprints to a chip worth $200 million." Intel contacted the government, which obtained a search warrant for Pani's home. "We were able to get to this individual before he had a chance to transfer the thumb drive," Ortiz said. "And we were able to retrieve it for the company." Pani is now serving a three-year sentence.

For LevelUp, a mobile payments platform in Boston, the list of proactive relationships with government and regulatory organizations is "far longer than I could share," according to Lang Leonard, LevelUp CFO. It includes the Consumer Financial Protection Bureau, the Federal Trade Commission, the Financial Crimes Enforcement Network, state departments of financial services, state attorneys general and various industry associations.

"The investment or the tax -- depending on what way you want to look at that -- to make sure you're proactively connecting with the right people is very significant," he said.

Let us know what you think of the story; email Nicole Laskowski, senior news writer, or find her on Twitter @TT_Nicole.

Next Steps

The next installment of this two-part story provides a high-level overview of LevelUp's approach to keeping data safe.


Join the conversation


In your opinion, what are the crucial aspects of a breach response plan?
Yikes. There are so many things to do depending on what was breached, where, how and the extent that business continuity was affected. This is an open-ended question as the response plan for the local restaurant is far different than it would be for Lowe's or Ford. I guess on the face of it the steps are similar, but teams, communication and crisis response are different.
The best part of this article is finally the realization that everyone in the enterprise has a role in protecting its assets. While it might be common sense that the office supplies (hardware, paper clips, hole punches) shouldn't be mistreated or pilfered, the same has to be said of the data we handle regularly. If it vanishes, it's worse than the stack of Post-it Notes disappearing. It could be the livelihood of everyone around you - AND YOU. From the C-suite on down, we need to realize the info we touch every day is vital to running the company. Treat it like gold, because that's usually its worth.