Mike Semel, president of Semel Consulting, recently sat down with Miles Jobgen, CompTIA’s IT Security Community manager, for a CompTIA Community podcast to talk about the necessity of a data breach response plan. To help MSPs (managed service providers) and other channel partners navigate this complicated issue, CompTIA has released a Data Breach Response Planning Guide. Here are some of the key takeaways you’ll find in the guide.
Incident Response is a Business Problem, Not a Technology Problem
Breaches and incident response are often discussed from a technology perspective. Because IT departments manage the infrastructure and security controls, conversations regarding more stringent protections and increased diligence often become the focal point. But when a data breach occurs, the problem extends beyond IT and becomes a business situation.
In the event of a breach, IT won’t be the only team taking a hit—it will span all areas of the business. “I think incident response, it's like disaster recovery. In fact, it is disaster recovery just in a different form…you need a team and you need to approach it the same way,” Semel said. “It's not one person who is going to be the hero because there are so many different roles that have to be filled when there's an incident.”
Semel urges MSPs to communicate with clients quickly when an incident is detected. He advises that situations are more likely to be successful when you engage the business owner to ensure all business concerns are addressed alongside technological ones.
Download the full Data Breach Response Planning Guide.
Treat Yourself Like a Client
Channel partners can easily become focused on client issues without giving due diligence to their own systems. As a solution provider, you are likely to become the target of malicious attempts because a breach of your systems will not only yield valuable information about your business, it will also compromise your clients.
Ransomware is growing and while it may seem like a tired subject, channel partners need to continue to divert attention to ensure they are protected against this kind of attack. “I think being a solution provider and being in this business, we kind of get tired of hearing about things like ransomware over and over and over again,” Semel said. “But there was a statistic earlier this year from Beazley Insurance that ransomware increased 37% from Q2 to Q3 in one calendar quarter. So it's growing like crazy.”
Clients are the primary focus for MSPs so often the attention moves from internal preparation to client initiatives. It can easily be overlooked that ensuring security measures on your own systems actually is a protective measure for clients. “We've found MSPs that didn't have current patches and updates and we had some lax security implemented because they weren't doing what they were telling their customers to do,” Semel warns. “So treat yourself like a customer, secure your own environment, implement things like two-factor authentication.”
Channel partners should use the tools they provide to help identify vulnerabilities and judge the efficiency of those solutions. “That notion of rolling out your own solutions, so you can experience them as an organization is something that our managed service community has shared as well. It's a great idea and a great way to make sure that your updates are on time and that you know what the clients are experiencing because you're under that same stuff,” said Jobgen.
Engage Legal Support and Insurance Companies
One recommendation that is especially encouraged is to engage an attorney and insurance companies in the initial stages of incident response. You can help mitigate any business risk ahead of the curve by understanding the legal ramifications of a breach and knowing the impact on insurance.
To support these efforts, it was also highly recommended that communication tools, such as email, texting and messaging apps, be avoided to discuss the incident. Electronic communications can be admitted in court should a breach require legal processing. “We recommend having phone conversations, face-to-face conversations, within the organization before anything is put in writing,” Semel warns. “So the conversations that you're having internally or the conversations you have with vendors…would not be discoverable in court.”
Familiarize Yourself with Compliance Guidelines.
Data protection laws and compliance standards vary from state to state. When it comes to incident preparedness, it’s extremely important that you understand the compliance requirements in the areas your serve. Failing to meet those requirements could pose dire legal consequences.
Semel discussed the variations he’s seen when it comes to compliance standards. “The State of Texas required [one client] to notify the state within one hour of discovering the incident,” he noted. “Under HIPAA, you have 60 days to notify a patient if their information has been breached. But if you're in the State of California, you only have 15 days. And in Florida, 30 days, and other states have 30-day requirements.”
Semel cautions there is a very real need for a comprehensive organizational approach to incident response which becomes evident when a breach actually occurs. “Think lawyers, think regulators, think insurance companies. Don't just think about the technology that needs to be fixed.”
With careful preparation, MSPs can manage incident response quickly and efficiently.
Listen to the full podcast to find out more about how MSPs can successfully navigate incident response.