This blog was written by an independent guest blogger.
You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if that planning also covers how to prevent breaches in the first place.
If you want to execute a logical, effective response, keep reading. In this guide, I’ll take you through a methodical process for handling a data breach and for stopping it from happening again. Let’s get to it.
1. Stop the breach
At the risk of resembling Captain Obvious, before anything else you need to stop the data leak. But to do that you have to recognize that a data breach exists. For some organizations the problem with data breaches isn’t responding to them; it’s knowing they are happening at all. Research indicates that breach detection can take half a year or longer on average. That is a mind-boggling statistic and a testament to the widespread lack of effective cybersecurity. By the time the problem is spotted, private data has potentially been leaking into the wrong hands for a long time.
So... contain it quickly. Isolate the systems that have been compromised and immediately take them offline (disconnecting them from the network rather than powering them off preserves volatile evidence for the forensics in step 2). Late though it might be, it’s critical to stop the problem from spreading to other parts of your network. Disable any user accounts that you believe have been used to steal data; it’s better to be safe than sorry. You can restore them later.
2. Assess the damage
Next, get ready to undertake some forensics. These should focus not just on tracing how your data was accessed, but also on the likely impact of it being released to the general public, in the unfortunate event that happens. While determining whether it’s a data breach, leak, or compromise, you should also ask yourself (and your team) a number of questions:
- What was the attack vector?
- Was the attack based on social-engineering tactics or through user accounts?
- How sensitive is the breached data?
- What is the type of data affected?
- Does the data contain high-risk information?
- Was the data encrypted, and can it be restored (did the company back up its data)?
It’s crucial that you perform this analysis before going on to the next step. Otherwise, your response to the breach could look uninformed and casual to an outsider. Get the facts straight, in other words, before customers start asking awkward questions.
3. Notify those affected
Then it’s time to come clean. Inform everyone who is likely to be affected by the breach at the earliest possible opportunity. While it’s not a terrible idea to make sure your systems are safe before breaking the news, that doesn’t give you a license to wait months “just in case.”
It’s tempting to play down the breach. Maybe omit some damaging details in hopes of preserving your brand integrity. Unthink those thoughts! If you are not totally honest and it’s discovered later, which it almost certainly will be, the brand damage could be much, much worse. There is also the possibility of legal action. Any nasty, negative online comments the breach generates can be dealt with effectively by focusing on openness. Today’s customers understand that no company can provide 100% security. What’s more important is a proactive approach to limiting the impact of a breach and limiting the possibility of it happening again.
4. Perform a security audit
Once things calm down, you need to perform a security audit. Hopefully you already do this regularly in order to limit risks, but audits are particularly important immediately after a breach.
This audit should look at two issues. The first is how the attackers were able to penetrate your system in the first place. For this, examine network and server systems, IP blocks, open ports, rDNS records and staff logs. What you find may surprise you: phishing and brute-force attacks are still the most commonly successful forms of cyberattack.
The second issue to examine is the fallout from the breach. How much customer data ended up in the public realm? Can it be used to target those customers with future cyberattacks? This kind of “chain” attack is becoming more common. If critical information like passwords, dates of birth, or ID details has been leaked, customers need to know so they can plan accordingly.
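As an added example (not from the original post), here is a small script for the staff-log part of that audit: it parses sshd-style authentication lines and flags the repeated failed logins behind the brute-force attacks mentioned above, noting whether the same source later logged in successfully. The log lines, the host name and the assumed year are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log in sshd format (not from any real system).
# Syslog lines carry no year, so 2023 is assumed when parsing.
SAMPLE_LOG = """\
Mar  3 08:00:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar  3 08:00:03 web1 sshd[2102]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Mar  3 08:00:05 web1 sshd[2103]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar  3 08:00:07 web1 sshd[2104]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar  3 08:00:09 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 51008 ssh2
Mar  3 08:00:11 web1 sshd[2106]: Accepted password for root from 198.51.100.7 port 51010 ssh2
Mar  3 08:15:00 web1 sshd[2200]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  3 08:15:30 web1 sshd[2201]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
"""

# Matches sshd password-auth events; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2023):
    """Yield (timestamp, result, user, ip) for every password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_brute_force(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside window_s seconds.

    Returns {ip: {"failures": n, "users": [...], "succeeded_after": bool}};
    a success from a flagged IP means that account should be treated as compromised.
    """
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    flagged = {}
    for ts, result, user, ip in sorted(parse(log_text)):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_s] + [(ts, user)]
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"succeeded_after": False})
                entry["failures"] = len(recent[ip])
                entry["users"] = sorted({u for _, u in recent[ip]})
        elif ip in flagged:
            flagged[ip]["succeeded_after"] = True
    return flagged
```

Run against real logs, the same logic also surfaces the slow, distributed variant if you widen the window and key on the targeted account instead of the source address.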
5. Update your recovery plan
Finally, all the processes and steps above should feed into a review process for your recovery plan. Some months after the breach, you should review how you responded to it and what you could have done better as an organization.
Executed correctly, this kind of post-breach analysis can actually turn a data breach into a learning opportunity. Maybe you’ll discover an overwhelming need for new security policies. It would be the perfect opportunity to designate a research team to develop them. A common finding in this kind of review is that staff lack the skills and knowledge to adequately respond to a hack – if that’s the case, set up a training program to bring everyone up to speed.
If the breach was caused by one of your third-party suppliers, things can get trickier. But even in this case, it’s possible to agree on a joint plan that you both follow after a data breach and to improve coordination.
Plan and learn
Unfortunately, it’s simply not feasible to protect yourself against 100% of online threats. The number of breaches has been rising for years. Smart companies devote appropriate time and effort to breach recovery planning. Recent reports suggest that 4 out of 5 data breaches are caused by human or process error. The big takeaway here is that they are, therefore, eminently avoidable through careful planning and preparation.