7 Years of Insufficient Data Breach Response
- Why is insufficient data breach response such a tenacious and worsening problem?
- 3 major stress points that can lead to insufficient incident response
- Inadequate responses have increased by 40% and risks to businesses and individuals have increased by almost 30% (OWASP)
Read more below.
Building Adaptive Incident Response
In 2014, the Open Web Application Security Project (OWASP), a global non-profit that promotes software security, published a study on the top 10 privacy risks in web applications. That year, privacy and security experts identified the #3 largest privacy risk as insufficient data breach response.
Fast forward seven years to 2021: OWASP just issued a new report on the top 10 privacy risks and holding onto the number 3 spot was—you guessed it—insufficient data breach response. In fact, according to the OWASP data, the frequency and risks associated with insufficient response have gotten worse!
Seven years ago, OWASP's recommendations to improve breach response involved forming a response team and creating an incident response plan. But privacy practices have come a long way. If you're reading this blog, it's a good bet that your organization took those steps long ago.
So, why is insufficient data breach response such a tenacious and worsening problem? And how can it be solved? In a nutshell, conditions have changed, and privacy incident response practices need to adapt to what’s happening now.
Why is Incident Response Still Insufficient?
After the 2014 report, OWASP recommended implementing the basics of incident response: investigating each incident, documenting findings, assessing whether to notify authorities and affected individuals, notifying as necessary, and analyzing the incident to help prevent future incidents.
Privacy teams today follow these well-defined incident response steps, but their response can still be inadequate: they struggle with investigation, miss regulatory deadlines, and misjudge risks.
Why? Because the job of privacy incident response has gotten harder:
- Privacy teams have to maintain compliance across a complex and expanding network of privacy laws, covering multiple industries and jurisdictions.
- Their organizations are collecting more data at the same time as definitions of protected information are widening.
- As more business and leisure activities move online, criminals find more ways to attack and exploit them.
In the face of growing threats and complexity, the basics of privacy incident response are necessary, but not sufficient. There are three major stress points that can still lead to insufficient incident response:
- The ability to investigate and assess incidents in time to meet notification deadlines
- The ability to make accurate decisions about notification, based on both regulatory requirements and risks to the affected individuals
- The ability to handle increasing volumes of incidents
To overcome these challenges, privacy and security teams need ways to adapt to the changing threat and regulatory landscape.
Speeding Incident Investigation and Assessment
While many privacy incidents are small in scope (and a surprising number are still paper-based), a potential data breach will inevitably require close cooperation between the security and privacy teams. The security team will be focused on closing leaks and mitigating data exposure, but they also need to notify the privacy team immediately, since the countdown on regulatory deadlines begins when any part of the organization first discovers a potential breach. As the security team conducts its own investigation, it needs to keep the privacy team informed in real time, so that they can make accurate decisions about notification.
Alignment between privacy and security can be fostered in multiple ways.
- Collaboration on system planning and data mapping will foster good working relationships, and cross-education can build awareness of incident response issues on both sides.
- In the throes of incident response, integrated tools and workflows will help ensure that critical information is shared across the privacy and security teams.
- Real-time communication will help to reduce decision time and support accurate risk assessment that will protect affected individuals and protect the business from the risks of over- or under-reporting.
Improving Notification Decision-making
With breach notification deadlines as short as 72 hours within GDPR's jurisdictions, privacy teams need to be able to conduct risk assessments and make notification decisions faster while navigating an increasingly complex and fragmented maze of regulatory requirements, jurisdictions, and contractual privacy obligations. To meet deadlines, privacy teams need intelligent breach response tools that can automate risk assessment and provide a real-time view of the regulatory landscape.
Scaling Privacy Incident Response
The volume of incidents needing response is only going to grow. As businesses find ways to leverage new kinds of data, data flows to more places across the internet and the “internet of things,” and bad actors find new ways to attack, the number of incidents will inevitably increase.
Adding to the volume will be new regulations with expanded definitions of personal and “sensitive” information that can trigger a breach.
To respond adequately to increasing incident volumes, privacy teams will need intelligent incident response platforms that automate and speed processes, ensure consistent, accurate decision-making, and capture complete incident data for analysis, benchmarking, or to answer future questions from regulators.
Making Up Ground
Going by the numbers in the latest OWASP report, there is ground to make up in incident response. Even as organizations have built incident response teams and processes, the frequency of inadequate responses has increased by 40% and risks to businesses and individuals have increased by almost 30%.
The digitization and integration of everything are increasing risks, and the regulation of everything digital is increasing the complexity of response. For privacy organizations to win this race, they’ll need digital tools of their own. By automating the parts of incident response that can be, by applying real-time intelligence to risk assessment, and by creating a continuous cross-function workflow for incident response, privacy teams can adapt incident response processes to the evolving threat and regulatory landscape.
They can also free the human part of the system to be proactive, to anticipate problems, improve privacy practices, and influence business systems and processes for the better. In other words, to be creative, which is what humans do best.
To jumpstart your data breach response plan, check out the Radar Breach Guidance Engine™ and see what's possible in future-proofing compliance with Radar.
The Breach Guidance Engine™ recognizes and captures the millions of variations in incidents and connects incident-specific details to the appropriate data breach laws to perform an automated risk assessment.
Intelligent Incident Response is a permanent solution that will grow alongside the privacy landscape and always deliver quick and consistent determinations of breach notification obligations.