It’s a gut-wrenching feeling, realizing that your company’s data—or the data of your customers—has been compromised. Maybe someone called you to let you know they found a list of your employees’ login credentials on the dark web. Maybe a member of staff themselves realized they’d fallen victim to a phishing attack. Maybe a whole file server was locked, and you received a message from an anonymous attacker demanding you pay a ransom to regain access to that critical information.
If your organization experiences a data breach, there are a lot of things you need to do to get things up and running again, securely. And you need to carry out those processes quickly and decisively to prevent the situation from becoming worse—the longer your breach response takes, the more likely you are to add reputational and financial damage to your list of concerns.
But, as with any high-stress or crisis situation, responding to a breach can be overwhelming, and it can be easy to make decisions that might seem beneficial to your productivity in the short-term, but could leave you more vulnerable to attack in the long term.
To help you avoid this, we’ve put together an eight-step guide on how to respond to a data breach safely, efficiently, and within the boundaries of compliance regulations.
So, whether you’re currently in the midst of a crisis or you’re preparing in case the worst should happen, here’s what to do.
Step One: Keep Calm And Stick To The Plan
This is easier said than done in a high-pressure environment, but it’s crucial that you remain calm if you discover a data breach. Otherwise, you might be tempted to take a quick—but less secure—recovery route, which could leave you vulnerable to another breach. If your network goes down and business operations are halted, it’s understandable that you might start to panic. But this is the point where you need to stop and take a step back. Hurriedly paying the ransom or deploying a quick fix to get business running again could leave you in a worse state of compromise than you were to begin with.
Instead, find your incident response (IR) plan or checklist. This will give you guidance on how you should respond immediately to reduce the impact of the breach and contain it, as well as how to ensure business continuity and an effective recovery from the incident. Your organization likely has one written up already for compliance purposes but, if not, you can use an IR template such as the one provided by FRSecure.
If you’re reading this in preparation for the eventuality of a data breach and your organization hasn’t yet created an IR plan, we recommend that you check with your state and industry compliance bodies which steps they require you to undertake. Under GDPR regulations, for example, businesses must report breaches to their appropriate authority (such as the ICO) within 72 hours of discovering the breach. If your company has to comply with the GDPR, your incident response plan should include reminders to note the exact time that the breach was discovered, and to report the breach within the 72-hour timeframe.
Tony Anscombe, Chief Security Evangelist at cybersecurity provider ESET, highly recommends that organizations refer to a cybersecurity framework, such as the one provided by the National Institute of Standards and Technology (NIST), when creating an incident response plan.
“You can use that framework, to some extent, like a checklist to make sure you’re covering all the elements of the cybersecurity architecture and processes that you need to have in place.”
NIST provides thorough advice on how to create a response plan for cybersecurity incidents in the Computer Security Incident Handling Guide.
At this stage, you also need to notify law enforcement of the breach, so they can begin to investigate any potential identity theft. If your local police force isn’t familiar with this type of investigation, they’ll refer you to the appropriate authority for your country, such as the FBI in the US or Action Fraud in the UK.
Step Two: Determine The Scale Of The Breach
On average, it takes 207 days to detect a data breach. That means that, by the time you realize the incident has occurred, your organization’s data could have been drip-feeding into the hands of a cybercriminal for over half a year. Because of this, it’s critical that you determine the scale and impact of the data breach as soon as you realize it’s happened. That means finding out what types of data—such as personal contact information, addresses and financial information—have been compromised, and how many records of each data type have been compromised. As you’re doing this, you should keep a log of everything you discover and all the actions you take, with the time of each entry—this will come in useful if you need to report the breach later on.
Discovering the extent of the breach can be fairly straightforward, or quite difficult, depending on the type of incident that led to it and how you found out about it. If you’re finding it difficult to work out what happened, you should talk to the people who discovered the breach—they might have useful information that can help you piece together what happened.
Once you’ve worked out how the attacker entered your network, you need to determine what data they were able to access—this will help you establish the types of data involved and the number of records compromised.
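The two record-keeping points above (note the exact discovery time so the 72-hour reporting window can be tracked, and log every finding and action as you go) can be supported with a small tamper-evident log. The following is an added example, not code from the article or from any of the vendors it mentions: each entry is timestamped and hash-chained to the previous one, so a later edit or deletion is detectable, and "scope" entries tally compromised records per data type for the report. The entry fields, actor names and timeline are assumptions constructed for illustration.

```python
"""Timestamped, hash-chained incident evidence log (added example, not from the article)."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# 72-hour notification window the article cites for GDPR breaches.
REPORTING_WINDOW = timedelta(hours=72)
GENESIS = hashlib.sha256(b"").hexdigest()  # chain anchor for the first entry


def _digest(body: dict) -> str:
    """SHA-256 over canonical JSON so the digest is stable across runs."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class IncidentLog:
    """Log of discoveries and actions taken during breach response."""
    discovered_at: datetime
    entries: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.discovered_at.tzinfo is None:
            raise ValueError("discovery time must be timezone-aware")

    def reporting_deadline(self) -> datetime:
        return self.discovered_at + REPORTING_WINDOW

    def time_remaining(self, now: datetime) -> timedelta:
        """Negative once the reporting window has been missed."""
        return self.reporting_deadline() - now

    def record(self, action: str, actor: str, details: Optional[dict] = None,
               at: Optional[datetime] = None) -> dict:
        """Append an entry; each entry commits to the digest of the previous one."""
        at = at or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "at": at.isoformat(),
            "actor": actor,
            "action": action,
            "details": details or {},
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and link; an edited or dropped entry breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def records_by_data_type(self) -> dict:
        """Tally compromised records from 'scope' entries for the breach report."""
        totals: dict = {}
        for e in self.entries:
            if e["action"] == "scope":
                d = e["details"]
                totals[d["data_type"]] = totals.get(d["data_type"], 0) + d["records"]
        return totals


def build_sample_log() -> IncidentLog:
    """Constructed sample timeline (hypothetical, not real incident data)."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed discovery time
    log = IncidentLog(discovered_at=t0)
    log.record("discovery", "helpdesk", {"source": "phishing report from staff"}, at=t0)
    log.record("scope", "ir-lead", {"data_type": "contact information", "records": 1200},
               at=t0 + timedelta(hours=3))
    log.record("scope", "ir-lead", {"data_type": "financial information", "records": 300},
               at=t0 + timedelta(hours=5))
    log.record("contain", "ir-lead", {"measure": "disabled compromised account"},
               at=t0 + timedelta(hours=6))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    now = log.discovered_at + timedelta(hours=70)
    print("deadline:", log.reporting_deadline().isoformat())
    print("remaining:", log.time_remaining(now))
    print("records:", log.records_by_data_type())
    print("chain intact:", log.verify())
```

The chain only makes tampering detectable, not impossible: anyone who can rewrite every later entry can rebuild it, so the digests of the current head should periodically be copied somewhere the responders cannot edit (a ticket, an email to counsel, a write-once store).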
Step Three: Contain The Breach
Now that you know exactly what’s happened, you need to isolate the breach, secure your systems, protect your data and fix any vulnerabilities that may have caused the breach. There are a few parts to this:
- Call a breach response team and forensic experts to secure your network and take actions to prevent any further data loss. This is likely to be someone that you’ve hired externally, because—particularly if you’re a small business—your in-house IT team typically won’t be equipped to deal with this level of incident response. The response team will take actions according to the nature of the breach—for example, if it was caused by a vulnerability exploit, the vulnerable application should be taken offline; if it was caused by a compromised account, that account should be shut down. You can always restore this later, once the issue has been resolved.
- Remove any personal information involved in the breach that’s been posted on your website improperly or in error, and search for it online to make sure it hasn’t been posted on other websites. If it has, contact them and ask them to remove it. You should also contact search engines to make sure they don’t archive any personal data that’s been posted.
- Secure any physical locations that might be connected to the breach—if it was caused by a malicious insider, you may need to change access codes to prevent them from accessing that area and continuing their attack.
- Talk to your legal counsel to get advice on any legal implications or consequences that you may face due to the breach, and on how to communicate the impact of the breach with your stakeholders, including customers and partners.
- Implement your business continuity plan to ensure that your core business functions continue to operate, minimizing your downtime.
Step Four: Assess The Damage And Risk
Once you’ve successfully contained the breach, you need to assess the damage that has been caused and what risk that damage might pose to anyone affected, including (among others) your employees, customers and partners. These risks could be anything that causes them economic or social harm or distress, such as safeguarding issues, financial loss and identity theft. Depending on the types of data that were compromised, the breach may have little impact on your stakeholders, or it could have a long-term effect on them. Once you’ve assessed the risk, you can make a decision on whether you need to contact each affected individual.
As well as this, you need to decide whether to notify your appropriate compliance authority about the breach. This will depend on the type of data compromised, the risk to your stakeholders, and the industry you’re operating in—breach notification laws are complex and often vary from state to state. Your legal counsel will be able to advise you on the most appropriate action to take.
Step Five: Carry Out A Security Audit
Data breaches can result in huge financial repercussions, and compliance fines can add a hefty amount to that if your company is found to have failed to perform due diligence prior to the attack. Your incident response team will be able to supply evidence for reporting requirements that might give you protection against legal action by proving that you had security measures in place to help prevent a breach from occurring. This is also where the evidence log that you created yourself will come in useful. But you also need to carry out a security audit.
Auditing is something that you should be doing regularly anyway to minimize your company’s security risks—but audits are particularly important right after you’ve suffered a breach.
When carrying out your audit, it’s usually a good idea to use an external auditor. The audit will be much more in-depth than a routine audit that you might usually perform internally; the auditor will need to examine all of your company’s systems and attack surfaces to provide objective evidence that your organization performed due diligence to prevent the breach from occurring. They’ll also propose measures that you can take to improve your security to avoid a repeat incident.
Step Six: Protect Your Stakeholders
You’ve established how the breach occurred, contained it, assessed the associated risk and performed your due diligence following your recovery. Now it’s time to let the people affected know what’s happened, and advise them on steps they can personally take to protect their data moving forwards. Depending on the nature of the breach, this could include things like suggesting they change their passwords, or keep an eye out for fraudulent activity on their accounts.
Making a public statement and issuing your stakeholders with advice will not only save you from potential compliance fines, but also help you maintain your reputation among your customers and the media. What you include in your statement may be dependent on state laws, but you’re likely to mention the breach date, what data was compromised, and the steps your company is taking or has taken to ensure the security of everyone impacted.
Remember, honesty is the best policy here—leaving out details to try to minimize reputational damage is only going to cause worse problems down the line. Not only that, but it could also lead to legal action.
Step Seven: Report The Breach
Although this is step seven, when you complete this step really depends on the state, industry and compliance requirements that your organization operates within.
Wherever your company is based, your government will have enacted legislation on the requirements for reporting security breaches that involve personal information. In the US, this varies from state to state. And depending on what other types of data were compromised, there might be other laws or compliance regulations that are relevant to your situation. For example, if you’re covered by the HIPAA Breach Notification Rule, you’ll need to report breaches of unsecured protected health information (PHI) to affected individuals, the Secretary of the Department of Health and Human Services and, in some cases, the media. If you’re covered by GDPR regulations, you’ll need to report a breach of personal data within 72 hours of discovering it to the ICO.
Your report should contain:
- The contact details of the person in your organization responsible for data protection
- Situational analysis of the breach, including how it was caused and what impact it had
- An assessment of the types of data involved and how many records were compromised
- Information on your security awareness training program—this is particularly important if the breach was caused as a result of human error or social engineering
- Details of the preventative measures you had in place before the breach occurred, and what steps you’ve taken or plan to take in order to recover from the breach and mitigate any damage
Step Eight: Prevent Future Attacks
Once you’ve taken all the steps needed to recover from the breach, it’s time to prepare for the next one. Now that an attacker has managed to infiltrate your systems, it’s likely that they—or another cybercriminal—will try to do it again, even if it happens months or years later.
The first step in preparing for another attack is to review your recovery plan. Ask yourself what your organization did well, and what you could have done more effectively—you might find out that your security staff need more training on how to respond to a large-scale incident, or that you need to streamline your incident response plan. Treat this as a learning opportunity that will help you reduce your recovery time the next time around.
Once you’ve reviewed your response, it’s important that you regularly practice your processes through simulated security incidents and drills.
“Run a crisis scenario within your organization and make sure you’re prepared,” Tony Anscombe of ESET advises, “so that you know your backups are going to work, you know who needs to be in the room when an incident happens, and you know who to call as an outside resource.
“A lot of companies are not prepared because they haven’t run that scenario.”
Finally, you should make sure to implement security measures at all layers of your network. These should include human- and tech-centric solutions that protect against the most prevalent threats we’re seeing today, including endpoint, email and identity threats.
To help you find the right solutions to protect your business, we’ve put together a series of buyers’ guides to the top products designed to prevent attackers from accessing your data, and to help you recover your data in the event of a breach. You can find these guides below: