What to do if leak already happened?

However to information there was a paradox: from year to year both its amounts, and value grow. According to experts from Ponemon Institute, in six cases from ten for bankruptcy of the company there is enough leakage only of the fifth part of its commercial secrets. In this regard the question of data protection becomes more and more topical. But if about the organization of protection of own 'mysteries' of the company have though some representation, date leak cases, as a rule, generate an impromptu of the measures which are seldom resulting in success. Nevertheless even if leak already happened, it is not a reason for panic and irrational acts. Together with understanding of effects of the taken measures in some situations incident effects are capable not just to minimize the quiet analysis of a situation, but even to turn it to themselves on advantage. About it the speech below will also go.^[1]

When both ways are right: external way

The problem of the choice of the correct way to most of us for the first time opened in the fairy tale with the hero at the crossroads. In a case with information leak there are nuances of the choice: there is no universal solution here. For working off of an incident it is necessary to carry out both the internal work on establishment of guilty persons, and external directed to interaction with the public and regulators. Let's consider every way in more detail.

For a start we will deal with 'external'. For the best understanding of a situation we will look what effects threaten the company which allowed leak. And if soon New year, we will pick up a thematic example. The 'Mutual Fund-paf-Vakh-Vakh-Vakh' company, the recognized leader in production of fireworks, is going to release a new type of the products which is more, more loudly, more colourfully and more beautifully, and, above all, is cheaper, than analogs from competitors. For development of a prototype the company spent many means: the best ballistics was attracted, new sorts of gunpowder are developed, the internal structure of a shell is improved, computer simulation, field tests, etc. was carried out. And now provide that after the huge preparatory stage is completed also everything that remains, it to put new fireworks in serial production, someone organizes leak and all information appears at the competitor. And a problem not only that the company suffered direct losses (this time and money spent for development). The competitor, having on hand the 'saved' means can mobilize resources and 'stake out the place in the sun', having put similar fireworks on the market earlier.

Unfortunately, it is not the only trouble which can arise on the way of those who allowed information leak. Are possible:

• deterioration in image of the company that is capable to lead to decrease in number of new clients and leaving of existing;
• loss of technology secrets 'pulls' for itself weakening of the position in the market;
• administrative lawsuits: legal claims from clients and the sanction of the supervising bodies;
• dismissal of employees;
• need of costs for elimination of the effects which are listed above.

It Razuumetsya, there will hardly be a situation when within one incident it is necessary to face all listed points. For example, in the situation described above there will hardly be legal claims from clients and deterioration in image of the company. Generally there is a dependence between the future troubles and what information left out of limits of 'native Penates'. Of course, everyone has 'skeletons in the cupboard', but it will not prevent to make the approximate list of what you should not show to general public:

• the documents opening a financial status and plans of the organization (reports, accounting documentation, business plans, agreements, estimates, etc.);
• the technical data necessary for access to network and corporate resources of the company (logins and passwords, data on the used means of protecting, etc.);
• own developments, know-how of the company, etc.;
• internal documents (memos, audio recordings of meetings, the presentations 'only for employees', etc.);
• personal data of clients and staff of the organization.

Actions

Thus, it is possible to sum up the intermediate results of following in the 'external' way. Its main goal — to lower information leak effects which can come from the outside: sanctions of regulators, checks, penalties, claims, etc. For this purpose the company, perhaps, should organize the whole package of measures.

First of all, it is desirable to notify on an incident of regulators. Meanwhile by the legislation it is desirable, but it is not obligatory. In Great Britain, for example, on the contrary, there for untimely informing regulatory authorities impressive penalties are provided.

The second (but sometimes and the first) in line notifications clients follow. Further events can develop differently therefore we will sort the maximum number of actions. The company can issue the official press release explaining an essence of an incident and telling about the taken measures. By the way, in public recognition of fault also the psychological implication is: there is a probability that the principle will work 'do not hit a man when he is down'. Like, to the company and so got, the guilt was admitted, so why it is even more troubles it to arrange.

Also actions from regulators which will 'strongly recommend' protection gain are not excluded: introduction of obligatory enciphering, access isolation on smart cards or implementation of more advanced means of protecting from leaks, like DLP systems.

At last, a final accord, active interaction of the company with injured clients is. For example, if there was a date leak about credit cards, they need to be reissued as soon as possible, having blocked old. Also positively the organization of a certain loyalty program to victims will affect image. On such way Megafon when in open access there were 8000 Sms of subscribers of the operator went. The company not only admitted the leak fact (at the same time having defined technical failure of the equipment as the main guilty person), but also offered all victims material compensation. However for its receiving it was required to be personally in department of the operator and to write the written application. It is remarkable that the amount of compensations publicly did not appear. All this allowed to lower number 'dissatisfied' more than by 10 times. An elegant example of how the company managed not only to minimize incident effects but also to turn it to itself on advantage.

When both ways are right: internal way

The second way too correct and in case of leak the company should follow on it in parallel with the first. The essence of a 'internal' way is captured by expression 'a disease easier to warn, than to treat'. However, there is nothing to warn, however to find a leak source and also it is necessary to define guilty persons that an incident did not repeat in the future.

First of all it is necessary to receive answers on several, apparently, simple questions:

• Who allowed leak? So from what computer it happened under whose account?
• To whom the stolen information became available. Of course, if data just copied on the removable medium or printed, with establishment of 'destination point' there can be serious problems. Another matter if information was sent using the Internet messenger or mail.
• On what channel information was transferred?
• What was transferred? The answer to this question will help to narrow a circle of suspects and also to understand what else information, perhaps, malefactors wanted to catch.

The main problem by search of answers to the designated questions is that occasionally it is difficult to receive them. Obvious approach is the analysis of logs. However for a start they should be conducted. Otherwise further guesses and 'guessing on bones' case will not go. Also search in logs 'bluntly' will demand a lot of time. Especially, if not to know exact date and 'responsible'. Therefore we will consider option of working off of an incident on the example of use of a DLP system. The main destination of this class of products is hidden in the abbreviation. DLP — Data Leak Prevention — systems for information loss prevention, are more often applied on adjacent appointment as the systems of determination of information leaks (Data Leak Detection) and are very powerful tool when conducting investigations.

Some DLP systems are capable to fix and store all information passing on the communication channels put under observation. Main 'weapon' is the possibility of creation of search criteria, at compliance to which an incident on which the security officer is right there notified forms. For example, if to set the list of logins and passwords as search criterion, then at their transfer, the officer will receive the notification on violation of policy. Analyzing an incident, at the correct setup of a DLP system it will be possible to set an account from under which information, a machine name was sent to networks, its IP-and the MAC address and also time, date and the addressee.

Thus, when following on a 'internal' way the package of measures is also necessary:

• first, to receive answers to four 'simple' questions. As well as by what to do it — to solve to you. Main thing, the quicker, the better. However it is worth remembering that speed cannot renounce reliability of the acquired information to please;
• secondly, the information quicker stolen will lose the relevance, the better. For example, if case concerns data on credit cards, the 'lit' credit cards first of all need to be blocked but only then to call owners, to issue new cards, etc.;
• thirdly to start careful investigation of an incident. Primary analysis is received from information on 'four questions'. Now it is a high time to define on the basis of this information, where to dig further;
• fourthly, at establishment of the guilty person, those resources to which he had access and also its communications are surely studied (both with colleagues, and with the outside world). Some DLP systems have in an arsenal and such functionality;
• fifthly, it is necessary to prevent repetition of the scenario of leak in the future. After the analysis of an incident of a prineobkhodimost job descriptions are supplemented with the corresponding points, with personnel scheduled and explanatory maintenance is carried out, and means of protecting are tuned up.

Finish

If information leak nevertheless happened, the main thing — to learn the lesson and not to allow similar incidents in the future. It is not a shame to study at own errors. Especially as at due ability it is possible to learn to use strength of the opponent against him. In general, as it was possible to be convinced, date leak — not a reason for panic and spontaneous measures.

Notes