A data breach may be detrimental for businesses but much depends on their response. Learn how to react quickly and decisively if you’ve been breached.
A sophisticated cyber attack involving extensive data breaches is the nightmare of business owners. Such incidents not only involve financial losses but also negatively affect the business’s reputation and customer loyalty. Therefore, it is critically important to respond quickly and decisively to every single cybersecurity incident. However, businesses often cannot take adequate and timely security measures because breaches remain undetected for a long time. According to IBM, it takes about 197 days to identify and 69 days to contain a breach. Businesses that contain a breach within a month save more than $1 million compared to those that take longer.
The simple truth is that the longer a breach goes undetected and unaddressed, the more harm it can do to the business. If you are unfortunate enough to experience a data breach or just want to know how to respond in case of a cyberattack, see our data breach response guidance, which draws on the Federal Trade Commission’s (FTC’s) recommendations.
The FTC’s Data Breach Response Guide states that “the only thing worse than a data breach is multiple data breaches.” We completely agree with this statement but also want to add that a breach within your supply chain is worse than a single data breach, as it allows perpetrators to compromise the data of several organizations at once. Once a data breach incident happens, it is necessary to take steps to contain it and prevent it from happening again. Learn the exact steps to take immediately depending on the nature of the breach and your business structure:
React immediately to secure your systems that may have been compromised and prevent your supply chain members from being affected by attackers.
Record the moment of discovery: Record the date and time when the incident was discovered and every step of your response efforts. Usually, the response actions start when response team members are alerted to the breach.
Alert and activate everyone: Assemble a team of experts (including IT security specialists, legal, human resources, communication experts, investors, managers, Chief Information Security Officer (CISO), and/or any other C-level stakeholder) to conduct a comprehensive breach response. Depending on your company’s nature and size, the list of experts may vary. Consider engaging external resources – forensics, IT and/or advisory/management consultants – to determine the source and scope of the breach more objectively. For example, outside legal counsel with privacy and data security expertise can advise on federal and state laws that the breach may implicate.
Secure the premises: Ensure security of physical areas and systems (such as servers and workstations) associated with the breach to maintain the integrity of the evidence. Lock them to ensure that only selected experts have access. Preserve all affected system log files and disk images. These logs and images are critical for assessing the attack’s origins, duration, and the volume of data exfiltrated during the breach.
Stop additional data loss: Take affected devices offline, but do not turn them off or start probing until forensics and cyber security experts arrive. Monitor all entry and exit points and update the credentials and passwords of authorized users. Remember, if credentials were stolen, your system will remain vulnerable until you change them, even if all of the hacker’s tools have been removed.
Remove improperly posted information from the website. Be especially cautious where customers’ personal data is involved. Be aware that search engines store information for some time, so contact them to ensure they don’t archive the improperly posted information. Finally, search for your organization’s exposed data to ensure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.
Interview involved parties: Talk to those engaged in discovering the breach and interview all who may have additional details. If you have a customer service center, make sure the staff knows how to handle information that may aid your breach investigation.
Notify Law Enforcement: Contact your local police department to report your situation. If your local police aren’t familiar with investigating IT data incidents, contact the local office of the FBI or the U.S. Secret Service. Do this if merited, after consulting with legal counsel and upper management.
Document everything: Record as many details as possible, including the date and time of the data breach, its nature, the personnel who discovered the incident, the kinds of data lost/stolen, when the response efforts began, and all of the employees who had access to the affected systems. Remember, a high percentage of data breaches are performed by former employees. Collect the names and contact information for all employees terminated within the last 120 days and confirm whether their security access was terminated.
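The access check from the "Document everything" step can be run as a cross-reference between an HR termination list and an account inventory. The following is an added example, not part of the original guidance; the record layout, employee IDs, system names and dates are constructed assumptions.

```python
from datetime import date, timedelta

LOOKBACK_DAYS = 120  # window named in the "Document everything" step

# Constructed sample data: hypothetical HR export and account inventory.
TERMINATIONS = [
    {"employee_id": "E1001", "terminated": date(2024, 5, 20)},
    {"employee_id": "E1002", "terminated": date(2024, 6, 14)},
    {"employee_id": "E1003", "terminated": date(2024, 1, 10)},  # outside 120 days
    {"employee_id": "E1004", "terminated": date(2024, 4, 2)},
]
ACCOUNTS = [
    {"employee_id": "E1001", "system": "vpn", "enabled": True, "last_login": date(2024, 6, 2)},
    {"employee_id": "E1001", "system": "email", "enabled": False, "last_login": date(2024, 5, 19)},
    {"employee_id": "E1002", "system": "crm", "enabled": True, "last_login": date(2024, 6, 10)},
    {"employee_id": "E1003", "system": "vpn", "enabled": True, "last_login": date(2024, 2, 1)},
    {"employee_id": "E1004", "system": "fileserver", "enabled": False, "last_login": None},
    {"employee_id": "E2000", "system": "vpn", "enabled": True, "last_login": date(2024, 6, 30)},  # current staff
]


def audit_offboarding(terminations, accounts, as_of, lookback_days=LOOKBACK_DAYS):
    """Return accounts still enabled for staff terminated within the window."""
    cutoff = as_of - timedelta(days=lookback_days)
    recent = {t["employee_id"]: t["terminated"] for t in terminations
              if cutoff <= t["terminated"] <= as_of}
    findings = []
    for acct in accounts:
        term_date = recent.get(acct["employee_id"])
        if term_date is None or not acct["enabled"]:
            continue  # not a recent leaver, or access was already revoked
        last_login = acct["last_login"]
        findings.append({
            "employee_id": acct["employee_id"],
            "system": acct["system"],
            "terminated": term_date,
            # A login after the termination date is a lead for the forensic team.
            "used_after_termination": last_login is not None and last_login > term_date,
        })
    # Post-termination use first, then stable order by employee and system.
    findings.sort(key=lambda f: (not f["used_after_termination"], f["employee_id"], f["system"]))
    return findings


if __name__ == "__main__":
    for f in audit_offboarding(TERMINATIONS, ACCOUNTS, as_of=date(2024, 7, 1)):
        flag = "USED AFTER TERMINATION" if f["used_after_termination"] else "still enabled"
        print(f'{f["employee_id"]} {f["system"]}: {flag} (terminated {f["terminated"]})')
```

Widening `lookback_days` also surfaces older leavers whose accounts were never disabled, such as the constructed E1003 record here.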
Once the systems are secured, focus on identifying the cause of the breach and fixing vulnerabilities. Ensure your forensics team removes malicious tools and addresses any other security gaps.
Alert your service providers. If service providers were involved, examine what information they can access and decide if you need to change their access privileges. Also, ensure that your service providers take the necessary steps to prevent another breach from occurring.
Check your network segmentation with your security experts to analyze the effectiveness of your segmentation plan and make changes to it if necessary.
Continue working with your forensic expert team. Find out if all necessary measures (encryption, multifactor authentication, etc.) were enabled when the incident occurred. Review logs to determine accessed data and systems at the time of the breach. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. Require your forensic team to provide a report and take the recommended remediation steps as soon as possible.
Data breaches often cause a flood of misinformation and confusion both inside and outside of the affected organization. Along with the direct financial and security impact, the incident may seriously damage the company’s reputation and undermine customers’ loyalty. Such negative effects pose significant risks to organizations and call for having the right communication strategies in place well ahead of an incident.
Have a communications plan. Imagine news of the incident leaking before your organization has a plan in place to address questions. Such a situation would not work to your company’s benefit. Thus, create a comprehensive communication plan that reaches all affected audiences: customers, employees, supply chain members, and other stakeholders. At the same time, when communicating, avoid making misleading statements about the breach or withholding key details that might help consumers protect themselves and their information. Never publicly share information that might put consumers at further risk.
All states, as well as the District of Columbia, Puerto Rico, and the Virgin Islands, have enacted legislation requiring businesses to notify individuals of security breaches involving personally identifiable information. In addition, depending on the types of data involved (e.g. Protected Health Information (PHI), Non-Public Personal Information (NPPI)), there may be other regulations applicable to your situation – such as HIPAA or GLBA. Check state and federal laws or regulations for any specific notification requirements.
The notification timespan is limited, depending on applicable laws, and companies may have to notify affected individuals of a data breach within just a few days. Today, over 70% of consumers expect to be notified of a data breach within 24 hours while around 50% say they’re more likely to trust a company that reacts quickly and actively discloses data incidents to the public.
Notify Affected Businesses: If hackers steal account access information such as credit card or bank account numbers, but you don’t maintain the accounts, notify the institution that does. If you collect or store personal information on behalf of other businesses, notify them of the data breach. Contact the major credit bureaus for additional information or advice if names and Social Security numbers have been stolen.
Notify Individuals: If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance of attackers misusing their sensitive data. For example, thieves who have stolen names and Social Security numbers can use that information to sign up for new accounts and commit identity theft. Once notified, people can take steps to limit the damage.
Once the incident is resolved (or is about to be resolved), evaluate how effectively your company managed its response and make any necessary improvements to your preparedness plan. Taking time to reflect and make these adjustments will ensure a smoother response in the future. Use the incident as an opportunity to retrain employees in their specific response roles and their security and privacy practices.
All in all, data breaches show no signs of slowing down. However, they don’t necessarily lead to the complete destruction of a company. A breach can often be an inflection point, with the company coming back even stronger. With a deep understanding of how to act in case of a data breach, companies have a better chance of mitigating the negative consequences.
To stay updated on recent cybersecurity-related topics, keep reading our blog or contact our team. Boost your cybersecurity awareness with Planet 9.