The breach of VTech in November 2015 raised red flags for parents across the U.S. and sparked discussions they had never considered before when buying children’s toys. After initial reports of a breach exposing personally identifiable data of its customers (despite VTech’s statement otherwise), the hacker released a limited set of personal messages and photos from VTech customers to prove a near-complete compromise.

Make no mistake, VTech was the victim of a crime. However, the immediate issue was the potential fallout for their customers and their children. And it’s here that VTech’s initial response made things worse not better. Thankfully, they’ve adjusted course and have been more open with information.

Let’s learn from this. Here’s what you can do as a defender to make sure your organization is prepared to handle a breach.

Communicate Openly

The time to figure out your post-breach communications plan is now. When dealing with the fallout from a breach, you want to be able to implement a step-by-step plan that is appropriate for the situation.

A basic outline of what you’re going to need includes the following key elements.

  • An open and honest email to customers that contains:
    • Specifics of the data that was stolen
    • Contact information to speak to someone fully informed of the situation and ready to respond immediately to their concerns (e.g., customer care)
    • An apology
    • A timeline for future communications
  • A press release that contains:
    • Specifics of the data that was stolen
    • The steps you’ve taken to inform your customers
    • A media contact for comment and additional information
  • An open and honest communication to stakeholders that contains:
    • Specifics of the data that was stolen
    • What is known so far about the mechanics of the breach
    • The steps you’ve already taken in response
    • The steps you plan to take
    • Who is the lead for communications
  • A public URL that you can use to gather information (like an FAQ):
    • This should be constantly updated as the situation evolves
    • Use this as the default resource to send everyone to
    • Don’t hide this away on a corporate site. Make sure it’s visible where your customers visit

These items should be written ahead of time in a customizable template. Remember, this is in addition to the internal response that you’ll require.

When you realize that you’ve been hacked, here are the steps you need to take to effectively communicate:

  • Acknowledge that there has been a breach and that you’re actively investigating it
  • Identify and inform affected customers
  • Publish the public URL for general awareness
  • Inform and brief stakeholders
  • Issue a press release with critical information and a point of contact

All of these should be written in a tone that is clear and apologetic. Don’t needlessly muddy the waters (e.g., VTech’s re-definition of personally identifiable information), try to deflect blame, or raise the point that you’re a victim too. You can provide an explanation and get into the specifics of how this happened afterwards.

The immediate goal is to reduce the impact of the breach.

This means ensuring that your customers have the necessary information as quickly as possible. If they need to take action (i.e. cancel credit cards, change account credentials, etc.), you want them to be made aware so they can reduce the chances of something bad happening.

Act Decisively

Once you start to respond to an incident, the process has five key steps:

  1. Detect
  2. Analyze
  3. Contain
  4. Eradicate
  5. Recovery

These steps are bookended by “prepare” and “improve/learn” and together these steps form the foundation of a solid incident response (IR) process.

Most often, the biggest challenges are faced in the “contain” step. This is often when the IR team is faced with tough decisions that directly impact the business.

VTech issued the following update on their FAQ 01-Dec-2015;

“As a precautionary measure, we have suspended Learning Lodge, the Kid Connect network and the following websites temporarily whilst we conduct a thorough security assessment.”

This is not something that any organization ever wants to have to write. But it’s 100% the right call despite the potential impact to the bottom line.

When is the right time to make this type of call? There’s no firm rule. It’s a judgment call based on the information you have at the time.

What you can do to make this easier is to work out possible scenarios ahead of time. This is an extremely difficult exercise to work through as it assumes your other work in defending the organization has failed. But it’s critical to work through these scenarios in theory and in practice (called a game day) in order to write a playbook for IR.

Part of this exercise is to determine who in the organization has the required authority to make the decision to shut down services. Hopefully you never have to make that call. But if you reach that point, you need to know who to call.

All of the processes you have in place with your security practice works toward never having to make a call to shutdown services. If you’re hacked and you have to make that call, you’re far better off working from the playbook you wrote ahead of time instead of calling an audible.

Know Your Exposure

The most important thing you can do now to reduce the impact of being hacked is to review the data you are collecting and storing. By creating an inventory of the type of data you have, it is much easier to evaluate the risk you’re facing.

With the list in hand, you want to run through a very simple exercise. Put each data point on its own sticky note. Use the notes to combine various data points to create different points of view.

The goal of this plays on usability card sorting to find which data points pose more risk to your business when they are linked to other data points.

Using the VTech example, their app store requires a billing address, the social app links parents and children, and the messaging server temporarily stores photos and private messages. Individually each of these data points poses a risk. Combined, that risk escalates dramatically.

Mapping out all possible connection between all of the data points you collect and store lets you better identify risks and set the appropriate mitigations.

Those mitigations could entail;

  • Not storing the data at all
  • Isolating the data in separate backend systems
  • Ensuring that your monitoring practice is looking for warning signs of data aggregation

Until you map out the entire landscape of data you store and collect, you won’t know what level of risk you’re facing. Without that knowledge, how can you formulate an effective defense?

Prepare For The Worst

No one wants to be hacked. It’s a security team’s worst nightmare. You can reduce the impact of a breach by taking steps now.

  • Set out a communications plan. Create a few templates for key communications so you can fill in the details during the incident in order to reduce your response time
  • Practice and planning are key. Work through possible response scenarios ahead of time. Practice them. Make sure you know who has the authority to suspend services if you need to take dramatic steps to contain a breach
  • Know what data you are collecting and where you store it. Understand how those data points can be combined and how those combination affect the risk (and value) of the data. Add additional protections as appropriate

When you’re focusing on keeping the lights on or, worse, getting them back on. The last thing you want to do is to shoot from the hip. Writing out a clear playbook for all aspects of incident response is the key to a successful response.

A version of this article originally appeared on Trend Micro’s blog.