Retailers have learned a lot of hard lessons from cyberattacks. Many cyberattacks successfully targeted the giants of the industry. Wanting to avoid the same fate, organizations are making significant investments in security technologies and educating their employees on best practices.
But what happens when these investments aren’t enough? While companies are becoming smarter in their security approach, hackers are also growing more sophisticated in their attacks.
AT&T’s latest Cybersecurity Insights Report, “The CEO’s Guide to Cyberbreach Response,” reports that while 62% of companies acknowledge they were breached in 2015, only 34% of organizations feel confident in the effectiveness of their incident response plan.
In fact, research from Ponemon Institute shows that the retail industry is less prepared to respond to a cyberattack compared to other industries. It takes retailers an average of 197 days to identify an advanced threat in their network and an additional 39 days to contain the breach.
Response Planning
The key to a swift, organized response is to plan well before a breach occurs. Having an established incident response plan, and knowing how to appropriately react to a variety of breach scenarios, can turn the “Now what?” into decisive steps to mitigate damage.
Every effective plan should outline three key things: the incident response team, a response playbook, and a strategy for regular testing.
An incident response team is vital to any response plan. Regardless of whether valuable Personally Identifiable Information is stolen during a point-of-sale attack or critical systems are compromised due to a DDoS disaster, breach response is an all-hands-on-deck affair that should involve members across the entire company. During the first 24 hours after a breach, IT and security will need to isolate the attack, while the CEO may be asked to decide if and when operations should be shut down.
A communications professional will need to draft statements for the press as well as internal audiences, and act as the primary contact for media inquiries. Legal representation is essential, particularly for retailers, as response and compliance may vary based on the unique Payment Card Industry (PCI) regulations and data breach notification laws for each state. Certain credit card companies may also require an organization to work with a PCI forensic investigator and conduct an independent investigation.
The response playbook should outline all vital, individual roles and response processes for various breach scenarios, and prioritize the scenarios that are most likely to occur. A retailer’s response to an attack at a corporate call center will look different from its response to a breach involving a franchisee. The playbook should take this into account and avoid a one-size-fits-all approach.
Ideally, each section should provide a framework for when to engage each member of the response team, when and how to notify employees and customers, and detailed procedures to help mitigate and remediate active breaches.
For the response plan to work, it’s important that each team member is equally committed to following the rules and procedures from the playbook. Conducting regular tabletop exercises can also help incident response team members familiarize themselves with their responsibilities and simulate their response in any given scenario.
By rehearsing the plan against scenarios such as a breach of customer credit card data or a DDoS attack that brings down operations, incident response teams can reveal flaws or gaps in the incident response plan that would otherwise degrade and delay their response.
In today’s world, it’s a matter of when, not if, a cyberattack will occur. Incident response can make or break a business. A practical, and practiced, incident response plan is critical to quickly identifying and responding to network threats, minimizing the guesswork and equipping team members with the confidence to face a breach situation.
Todd Waskelis is VP of security consulting services at AT&T Consulting.