It’s often said that data breaches are no longer a matter of ‘if’, but ‘when’ – here’s what your organization should do, and avoid doing, in the case of a breach
Globally, data breaches are estimated to cost in excess of $4.2m per incident today. And they’re happening on an unprecedented scale as organizations build out their digital infrastructure – and unwittingly expand the corporate attack surface. In the US, for example, the number of reported breaches by Q3 2021 had already exceeded the number for the whole of 2020. It takes way too long for the average organization to find and contain data breaches – an estimated 287 days today.
However, once the alarms go off, what happens next? The presence of ransomware actors, an increasingly common precursor to modern data breaches, will complicate matters even further. Here’s what to do, and what to avoid doing, following a breach.
A data breach is likely to be one of the most stressful situations your organization ever finds itself in, especially if the incident was caused by ransomware actors who have encrypted key systems and are demanding payment. However, knee-jerk responses can do more harm than good. While it’s obviously important to get the business operational again, working methodically is crucial. You’ll need to run through the incident response plan and understand the scope of the compromise before taking any major steps.
Follow your incident response plan
Given that it’s not a case of “when” but “if” your organization is breached today, an incident response plan is an essential cybersecurity best practice. This will require advanced planning, perhaps following guidance from the likes of the US National Institute of Standards and Technology (NIST) or the UK’s National Cyber Security Centre (NCSC). When a serious breach is detected, a pre-assigned incident response team featuring stakeholders from across the business should work through the processes step-by-step. It’s a good idea to test such plans periodically so everyone is prepared and the document itself is up-to-date.
Assess the scope of the breach
One of the first critical steps following any major security incident is to understand how badly the company has been impacted. This information will inform subsequent actions such as notification and remediation. You’ll need to know ideally how the bad guys got in, and what the “blast radius” of the attack is – what systems they’ve touched, what data has been compromised, and whether they’re still inside the network. This is where third-party forensics experts are often drafted in.
Get legal involved
After a breach, you need to know where the organization stands. What liabilities do you have? Which regulators need to be informed? Should you be negotiating with your attackers to buy more time? When should customers and/or partners be informed? In-house legal counsel is the first port of call here. But it may also want to draw in experts in the cyber incident response space. This is where that forensic detail on what actually happened is vital, so those experts can make the most informed decisions.
Know when, how and who to notify
Under the terms of the GDPR, notification of the local regulator must take place within 72 hours of a breach being discovered. However, it’s important to understand what the minimum requirements for notification are, as some incidents may not demand it. This is where a good understanding of your blast radius is essential. If you don’t know how much data was taken or how the threat actors got in, you will have to assume the worst in notification to the regulator. The UK’s Information Commissioner’s Office (ICO), which was instrumental in drawing up the GDPR, has some useful guidelines on this.
Tell law enforcement
Whatever happens with the regulator, you’re probably going to need to get law enforcement on your side, especially if threat actors are still inside your network. It makes sense to get them on board as quickly as possible. In the case of ransomware, for example, they may be able to put you in touch with security providers and other third parties that offer decryption keys and mitigation tools.
Tell your customers, partners and employees
This is another no-brainer on the post-breach list. However, once again, the number of customers/employees/partners you need to inform, what to tell them and when will depend on the details of the incident, and what was stolen. Consider first putting out a holding statement saying that the organization is aware of an incident and is currently investigating. But rumor thrives in a vacuum, so you’ll need to follow this up with more details pretty soon after. IT, PR and legal teams should be working closely together on this.
Begin recovery and remediation
Once the scope of the attack is clear and incident responders/forensics teams are confident the threat actors no longer have access, it’s time to get things back up and running. This could mean restoring systems from backup, reimaging compromised machines, patching affected endpoints and resetting passwords.
Start building resilience for future attacks
Threat actors often share knowledge on the cybercrime underground. They are also increasingly returning to compromise victim organisations multiple times – especially with ransomware. That makes it more important than ever that you use the information gleaned from threat detection and response and forensics tools to make sure that any pathways your attackers used the first time can’t be exploited again in future raids. It could mean improvements to patch and password management, better security awareness training, implementing multi-factor authentication (MFA) or more complex changes to people, processes and technology.
Study the worst of incident response
The final piece of the incident response puzzle is learning from the experience. Part of that is building resilience for the future, as above. But you can also study from the example of others. The history of data breaches is littered with high-profile cases of poor incident response. In one well-publicized case the corporate Twitter account of a breached firm tweeted a phishing link four times, mistaking it for the firm’s breach response site. In another, a major UK telco was heavily criticized for releasing conflicting information.
Whatever happens, customers increasingly expect that the organizations they do business with will suffer security incidents. It’s how you react that will determine whether they stay or leave – and what the financial and reputational damage will be.