At TCS Forensics, we are acutely aware of the three burning questions on your mind when a data breach has occurred: “What happened?”, “How did it happen?” and, “Who is responsible?”
Our Incident Response Team will help you answer these questions and more.
The average cost of a data breach to Canadian companies was $6.11 million, according to a 2016 Ponemon Institute report, but the sooner you respond, the less it will cost you.
Time Is of the Essence
When a breach occurs, any delay in your response can make the situation worse. A rapid, disciplined response gives you the best chance of keeping your most valuable assets, your reputation and your good name, intact.
TCS Forensics can mobilize our team on a moment’s notice to help you remediate any type of data breach, whether internal or external.
To help you get a sense of how our incident team works, here is a summary of our approach:
Preparation (a.k.a. Identification): This step begins with research, long before you are ready to react to alarms and events. First, determine whether there is an established policy that details how security incidents are to be handled. This policy should identify who is authorized to conduct interviews, make requests, review sensitive data, and coordinate communications. It should also contain a list of the threats the organization intends to guard against and respond to. All stakeholders then need to become familiar with the policy and with their roles and responsibilities. Lastly, the policy should state who needs to be notified, in what manner, and how often. Once the rules of engagement are understood, an investigation can proceed in an authorized manner.
This is the most crucial phase for protecting your business. Ensure that your employees are properly trained in their incident response roles and responsibilities in the event of a data breach. Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan. Finally, ensure that all aspects of your plan (training, execution, hardware and software resources, etc.) are approved and funded in advance. The plan should be well documented and everyone's role thoroughly explained, and it must then be tested to confirm that your employees perform as they were trained. The better prepared your employees are, the less likely they are to make critical mistakes.
Containment: When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you will be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.
Instead, contain the breach so it does not spread and cause further damage to your business. Isolate affected devices from the network (pull the network cable, disable the switch port or move the host to a quarantine VLAN) rather than powering them off: powering off destroys the volatile evidence, such as running processes, logged-on users and live connections, that the investigation step below depends on. Have short-term and long-term containment strategies ready. It is also sensible to keep redundant, isolated backups to help restore business operations, so that any compromised data is not lost forever.
This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords. Sequence the credential changes carefully: resetting passwords while the attacker still holds a foothold (a backdoor account, a stolen session token, a compromised domain controller) only alerts them and may have to be repeated, so plan the rotation as one coordinated sweep once the investigation has mapped how they got in.
Investigation: During a cyber incident, you should immediately make an assessment of the nature and scope of the incident. Your initial assessment should attempt to identify the following:
- The affected computer systems.
- The apparent origin of the incident, intrusion, or attack.
- Any malware used in connection with the incident.
- The identity of any other victim organizations, if such data is apparent in logged data.
- Which users are currently logged on.
- What the current connections to the computer system are.
- Which processes are running.
- All open ports and their associated services and applications.
- Any remote servers to which data were sent.
- Any communications, particularly threats or demands for extortion, received by the organization that might relate to the incident should also be preserved. Suspicious calls, emails, or other requests for information should be treated as part of the incident.
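The checklist above (logged-on users, current connections, running processes, listening ports) is volatile data that disappears as soon as the host is rebooted, so it is collected first and in a way that can later be shown to be unaltered. The following script is an added example and is not TCS Forensics' tooling; it assumes a Linux host with a POSIX shell and coreutils, and uses `ss`, `ps` and `ip` where they are present (recording them as unavailable otherwise). The output directory should be on removable or remote media, never on the suspect disk, and every file is hashed into a manifest so that tampering after collection is detectable.

```shell
#!/bin/sh
# Added example (not TCS Forensics' tooling): a minimal live-response collector
# for a Linux host that gathers the volatile data listed in the Investigation
# checklist and writes each result to its own file, with a SHA-256 manifest
# so the collection can later be shown to be unaltered.
#
# Assumptions: POSIX shell plus coreutils; ss/ip (iproute2) and ps (procps)
# are used if present and recorded as "TOOL NOT AVAILABLE" if not. Write the
# output to external or remote media, never to the disk under investigation.

# collect_volatile OUTDIR
# Runs each evidence command (most volatile first), saves stdout+stderr per
# item, hashes everything into OUTDIR/MANIFEST.sha256 and prints the manifest path.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST.sha256"
    : > "$manifest"

    # Collector identity and clock first: the manifest is only meaningful if we
    # know who ran it, on which host, and when (UTC, to ease log correlation).
    {
        printf 'collector=%s\n' "$(id -un 2>/dev/null || echo unknown)"
        printf 'host=%s\n' "$(uname -n)"
        printf 'started_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$outdir/00_collection_info.txt"

    # name|command, one per line, roughly in order of volatility.
    items='01_uptime|uptime
02_logged_on_users|who -a
03_network_connections|ss -tunap
04_listening_ports|ss -tlnp
05_processes|ps -eo pid,ppid,user,lstart,etime,cmd
06_routing|ip route show
07_arp_cache|ip neigh show
08_kernel|uname -a'

    printf '%s\n' "$items" | while IFS='|' read -r name cmd; do
        tool=${cmd%% *}
        out="$outdir/$name.txt"
        if command -v "$tool" >/dev/null 2>&1; then
            # A failing tool is evidence too: keep its output and note the exit code.
            $cmd > "$out" 2>&1 || printf '[exit %s]\n' "$?" >> "$out"
        else
            printf 'TOOL NOT AVAILABLE: %s\n' "$tool" > "$out"
        fi
    done

    # Hash every collected file, including the info file, so any later
    # change to the evidence set is detectable.
    ( cd "$outdir" && sha256sum *.txt ) >> "$manifest"
    printf '%s\n' "$manifest"
}

# verify_manifest OUTDIR : succeeds only if every hashed file is unchanged.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# Usage (hypothetical mount point):
#   collect_volatile "/mnt/evidence/host01-$(date -u +%Y%m%dT%H%M%SZ)"
#   verify_manifest  /mnt/evidence/host01-<timestamp> && echo "evidence intact"
```

Run it as root on the isolated host, then copy the directory and its manifest off the machine and verify the hashes on the receiving side before anyone opens the files; the same manifest is what you hand to counsel or a court to show the collection has not been altered since it was taken.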
Eradication: After a cyber-attack has been contained, it will be necessary to eradicate the key components of the security incident (removing the attacker's tools from the network, deleting malware and disabling breached user accounts), as well as identifying and mitigating the vulnerabilities that were exploited.
Eradication must be carried out swiftly to prevent attackers from launching a new attack. Attackers who realize they have been discovered and are being investigated will often try to come back through a second foothold, so it is important to ensure that every element of the attack, including any persistence mechanisms found during the investigation, has been removed and that the attackers cannot carry out further attacks.
Recovery: This is the process of restoring affected systems and devices and returning them to your business environment. During this time it is important to get your systems and business operations up and running again without the fear of another breach, which means restoring from known-good backups or rebuilt images and monitoring the restored systems closely for any sign that the attacker has returned.
Mobile Response — 24 hours a day, 365 days a year
We respond immediately with procedures strategically designed to contain any damage and reduce recovery time. We have a team standing by, ready to mobilize.
Our immediate focus is on containing the damage. Our team of forensic experts enacts emergency protocols, and we collect evidence using forensically sound methodology so that any evidence we gather will be admissible in court.
If you suspect a data breach, please don’t hesitate to call us at TCS Forensics. We are available 24 hours a day, 365 days a year.