Data breaches are more than routine security incidents. They are high-impact events with far-reaching consequences for both MSPs and the businesses they serve. A breach can torpedo a company’s reputation, undermine sales, and expose an organization to legal and regulatory penalties.
Unfortunately, it’s possible to make critical errors during a breach. The collateral damage can be enormous. “‘Breach’ is a legal term that involves compromised personally identifiable information (PII),” according to Blair Dawson, an attorney at law firm McDonald Hopkins. “There are also regulatory and potentially contractual implications.”
Here are seven common mistakes MSPs make during a data breach and how to avoid them:
No. 1 The Lack of a Detailed IRP
The Mistake: Even the best technology and protocols cannot guarantee that a breach will never happen; attack surfaces and attacker techniques keep growing. Without a robust incident response plan (IRP), an MSP cannot prioritize actions in the first hours of an incident, when the order of steps matters most. “One of the biggest mistakes is taking the wrong initial triage steps,” Dawson noted.
The Fix: Develop an IRP that explicitly defines actions during and after a breach. The plan should address detection, containment, eradication, recovery, legal obligations, and communication protocols. It should focus on roles and responsibilities, recommended Bradley Gross, an attorney with Weston, FL-based business technology law firm Law Office of Bradley Gross P.A. Regularly review and update the plan to address new threats and current regulations, and exercise it (for example, with tabletop drills) so the people named in it know their roles before a real incident.
No. 2 Inadequate Communication with Clients
The Mistake: During a breach, it’s tempting to tell clients that you have everything under control. However, either silence or a stream of unverified detail can cause panic. The business relationship may take a hit and bigger problems may follow.
The Fix: Focus on transparency and draw conclusions only when you have all the facts. Seek legal counsel when appropriate, Gross emphasized. “Transparency directly correlates to trust. [But] transparency and protecting sensitive information are entirely different concepts, and one doesn’t necessarily impact or diminish the other.”
No. 3 Moving Too Slowly
The Mistake: “Knowledge of an actual or suspected breach often triggers inaction, largely due to the MSP’s often incorrect assumption that it is responsible for the breach and all its consequences,” Gross explained. This gives bad actors more time to access, steal, or destroy sensitive data.
The Fix: Always assume a breach will happen, Gross said. Know what actions to take when an attack takes place. Containment is the top priority. It’s also important to know which systems to restore first and who to notify, including regulators and an insurance provider.
No. 4 Not Capturing Forensic Evidence
The Mistake: When a breach occurs, it’s remarkably easy to overlook, delete, or alter critical data that could identify the root cause. Without that information it is harder to confirm how far the attacker got and to lock down the affected systems. It can also complicate reporting and compliance. “In the absence of forensic evidence, a company may never understand what happened,” Dawson warned. Gaps in information can also increase the risk of legal action, Gross added.
The Fix: When a cyberattack strikes, disconnect devices from the internet to protect evidence, Dawson advises. Isolating the network connection rather than powering a machine off also keeps volatile memory available for collection. Then collect and preserve evidence (take copies and record their hashes) before analyzing it. Document all steps and retain all log data, Gross said. If needed, hire a forensic specialist.
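One concrete way to preserve collected evidence is to record a chain-of-custody manifest: a SHA-256 hash, size and timestamp for every file collected, plus who collected it and when, so that any later alteration or loss can be detected. The script below is an added example, not code from the article or its sources; the case ID, collector name and the two sample log lines are constructed for illustration.

```python
"""Evidence-preservation manifest for collected log files.

Added example (not from the original article): hash every collected file,
record who collected it and when, then re-verify later to detect files that
were modified or removed after collection. The case ID, collector name and
sample log lines below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record size, mtime and SHA-256 of each file plus chain-of-custody metadata."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # Hash of the file list itself, so the whole manifest can be signed or
    # recorded once (e.g. in the incident log) instead of every entry.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Re-hash each file; return {path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for entry in manifest["files"]:
        p = entry["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif sha256_file(p) != entry["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


def demo():
    """Create constructed sample logs, build a manifest, then tamper and re-verify."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "access.log")
    # Constructed sample log lines (203.0.113.0/24 is a documentation range)
    with open(auth_log, "w") as f:
        f.write("Mar 03 02:14:07 host sshd[4121]: Failed password for admin from 203.0.113.7\n")
    with open(web_log, "w") as f:
        f.write('203.0.113.7 - - [03/Mar:02:15:01 +0000] "GET /login HTTP/1.1" 200 512\n')

    manifest = build_manifest([auth_log, web_log],
                              collector="J. Doe (MSP SOC)", case_id="CASE-0001")
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    before = verify_manifest(manifest)
    # Simulate the mistake the article describes: an analyst appends to one
    # log in place and "cleans up" another after collection.
    with open(auth_log, "a") as f:
        f.write("Mar 03 02:20:00 host sshd[4121]: entry added after collection\n")
    os.remove(web_log)
    after = verify_manifest(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Run the manifest step on the copies you intend to analyze, keep the original media untouched, and store `manifest.json` (or at least its `manifest_sha256` value) somewhere the incident team cannot overwrite, such as the case record the point person maintains.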
No. 5 Focusing Solely on Technical Solutions
The Mistake: After the breach is contained, the focus is typically on patching vulnerabilities, restoring backups, shoring up technology, and eliminating malware. But you must also examine human factors, including employee behavior, access privileges, and organizational security policies.
The Fix: A comprehensive approach is vital, including a thorough review of technology, security practices, training, and policy enforcement. Penetration testing and ethical hacking can also help expose weaknesses.
No. 6 Skipping a Post-incident Review
The Mistake: Without insight into what went wrong, a repeat is possible. Moreover, an inability to document lessons learned can hinder future responses, including an MSP’s ability to resolve similar problems for other clients.
The Fix: Following a breach, MSPs should conduct a post-mortem with all key stakeholders. This helps identify gaps, errors, and weaknesses. As Dawson noted: “A cyber incident can reveal blind spots.” The information can also help an MSP improve its processes, creating a roadmap for future incidents.
No. 7 Ignoring Regulatory and Legal Obligations
The Mistake: It’s easy to overlook critical laws and regulatory requirements following a breach. However, failing to properly notify authorities can result in fines, legal repercussions, and damaged relationships.
The Fix: Assign a point person to serve as the official record collector, Gross suggested. Follow all data breach laws and regulations. Seek legal counsel for complex compliance issues. Contact these experts promptly if a breach occurs.
The Takeaway
Data breaches are inevitable; a best-practice response is not. Avoid these common errors and build a response framework that supports stronger, more effective client relationships.