Phase 2: What to do during a breach
Even though everything is on fire during a data breach, keep your cool. By following these steps, you can minimize the damage attackers inflict on your systems.
1. Contain the breach.
Your highest priority should be to contain the breach and prevent further damage. This may involve isolating affected systems, disabling user accounts, or disconnecting from the internet.
However, Harris also shared that containing the breach isn’t as simple as unplugging the device.
“Shutting down an affected machine could result in loss of important information forensics might need,” he said. “Also, sometimes the key to decrypt ransomed files is in your device’s memory – which disappears when it’s shut down.”
“It’s a toss-up and a judgement call when a breach happens.”
He advised that the industry standard is to isolate the machine – prevent it from talking to other machines on the network. “If this can’t be done, shutting down the machine may be the next best choice,” he said, “but always shutting down a machine when it’s infected is not the right answer.”
Bonus: follow the procedure in your incident response plan (IRP).
If you did your due diligence, you’ll already have a plan for dealing with a breach. Your IRP will (or should) have a detailed guide to isolating infected machines.
If you find yourself in the unenviable position of dealing with a breach without an incident response plan, go to step two.
2. Contact cybersecurity experts & insurance partners.
Once containment is underway, immediately contact the people who can handle the technical side of your response.
This may be the head of your internal IT or your third-party IT provider. If you don’t have a specific team handling your security, consider contacting your insurance provider.
Harris said, “It’s very likely you’ll need to contact insurance first before making new outside vendor contact.”
They can advise you on the next steps and help cover any financial damage that occurred during the data breach period.
Do contact your internal experts and your existing MSSP, IT team, or MSP, but avoid bringing in outside parties you don’t already have a relationship with until you have called your insurer.
3. Conduct a preliminary investigation.
While the breach is happening, your cybersecurity expert should conduct a preliminary investigation to determine what happened. This may involve reviewing logs, interviewing employees, or hiring a third-party security firm.
This is where having a specialized cybersecurity expert on-call can come in handy.
“Experts will know how not to destroy evidence while a standard non-security trained expert may not,” Harris said.
It’s always best to ask your IT team exactly what they can do, and make sure you have the right people for the job.
4. Keep lines of communication open.
Lastly, when experiencing a data breach, you must inform affected parties of your progress in responding to the data breach and implementing new security measures.
This may involve issuing periodic updates or establishing a hotline for concerned parties to call.
Phase 3: How to recover after a breach
The days after the data breach are just as important as dealing with it while it’s happening. Make sure you:
1. Conduct a post-breach assessment.
You should thoroughly assess the breach to understand what happened, how it happened, and what data was compromised. This can help you develop a plan to mitigate the damage and prevent future breaches.
The post-breach assessment (which some circles call an action review, hotwash, or post-mortem) will help you decide whether you need a complete system wipe. Your cybersecurity experts will help evaluate where you go from here.
2. Coordinate with your cyber liability insurance provider.
Stay connected with your cyber liability insurance provider after a data breach. They can guide you in navigating the post-breach complexities, ensuring you document everything properly and follow the necessary protocols.
Working with them, you can assess the financial impact more accurately and expedite the insurance claim process.
Their expertise can help you enhance cybersecurity measures to prevent future breaches, showcasing your dedication to managing risks effectively.
3. Provide a transparency report about the breach.
After the post-breach assessment, you should notify affected parties about the full details of the breach and their next steps to prevent further data compromise.
However, you'll need to check in with your insurance and legal team before making any major statements.
“If insurance is involved,” Harris explained, “they might have also used a law firm to hire a forensics or incident management team. This invokes attorney client privilege and prevents things from being discoverable in lawsuits.”
If you’ve had an incident, it’s critical that you don’t circumvent these channels and accidentally disclose information that shouldn’t be communicated outside of them.
4. Enhance security measures.
You’ll now need to enhance your security measures to prevent the breach from happening again. This may involve updating software, implementing more robust access controls, or providing additional security training for employees.
Ready to stop the damage of a data breach?
You can protect yourself from data breaches by taking proactive steps to mitigate the risk of data breaches. And while it’s always better to have a plan in place, it’s not too late to recover, even when a breach is already happening.
Here at ITS, we believe all businesses deserve to have safe data, which is why we’ve helped our clients develop Incident Response Plans tailored for their organization.
To learn more about incident response plans and data breaches, check out the following resources:
- How to Create an Incident Response Playbook [eBook]
- What Is the True Cost of a Data Breach?
- What NOT to Do When Creating an Incident Response Plan
But if you’re looking for more personalized advice about incident response planning, or are already experiencing a data breach, schedule a meeting with our cybersecurity experts and watch our webinar explaining the first 24 hours after a data breach so you can immediately get the information you need.