
How to Prevent (& Recover From) Data Breaches [2025]

September 5th, 2025 | 5 min. read

By Kharmela Mindanao


Editor's note: This post was originally published on June 29, 2018 and has been revised for clarity and comprehensiveness.

When experiencing a breach, the sheer amount of work that goes into containing it can be overwhelming.     

Luckily, having a plan can take away the stress.     

As a managed security service provider (MSSP), it’s part of our vision at Intelligent Technical Solutions (ITS) to help companies thrive despite cybersecurity threats. In line with this vision, we’ve prepared a step-by-step guide for preventing and lessening the damage of data breaches.     

In this article, we’ll explore:

How to prepare for a breach
What to do during a breach
How to recover after a breach

We also invited Sean Harris, Chief Security Risk Officer at Intelligent Technical Solutions, to share his thoughts about preventing data breaches in 2025.  

By the end of this article, you’ll have a clear foundation for taking proactive steps to mitigate the risk of data breaches.    


 

Phase 1: How to prepare for a breach  

The best way to lessen data breach damages is preparation. Here’s a list of things to do before a data breach becomes an issue:    

1. Reevaluate your needs for sensitive data.    

Hackers can’t steal what you don’t have.

Carefully analyze the information you’re collecting and discontinue gathering any information not justified by a legitimate business reason.    

There’s no real way to have zero exploitable data, but reviewing what you collect will help reduce potential liability.

2. Create and test an incident response plan.    

An incident response plan (IRP) is one of the most effective ways to mitigate the cost of a data breach by limiting the damage. Due to increased hacking attempts, 55% of businesses have started investing more in incident response plans.   

3. Utilize security AI and automation.    

Extensive use of AI and automation lowers data breach costs.  

The faster something is identified and acted on, the quicker damage can be slowed or halted. Organizations without security AI automation had an average data breach expense of $5.8 million, while companies with AI and automation stood at $3.76 million.

4. Map the lifecycle of your sensitive data.   

Your business may collect sensitive data from various channels: your website, online ads, point-of-sale devices, apps, and other sources.

“It's referred to as a Data Flow Diagram,” Harris pointed out.  

How does it enter your system? Where is it stored? How is it eventually removed? When you have the whole picture, you can devise a strategy to protect this information.  

5. Implement a Zero Trust security framework.    

Zero Trust is a security framework requiring all users, within or outside the organization’s network, to be authenticated, authorized, and continuously validated before granting access to any applications and data. The idea is to assume that everything is not trusted – aka zero trust.   

6. Use modern encryption methods.   

“Some businesses have older encryption algorithms in use for things like SSL tunnels,” Harris observed. “They haven’t taken the time to change to modern encryption methods.”  

Despite the time needed for upgrading to modern encryption methods, it’s still worth doing. Every day, cyber criminals work to break into your business; protecting your data with an old encryption method wastes the opportunity to implement something that will actually stop them.  
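As an added illustration (not code from ITS or from the original post), the sketch below shows one way to find the outdated encryption Harris describes: it audits a list of services for legacy protocol versions and cipher suites, then builds a client context that refuses anything older than TLS 1.2. The inventory is constructed sample data, and the classification lists are a simplified assumption rather than a complete policy.

```python
import re
import ssl

# Constructed sample inventory (service, protocol, cipher suite); in practice this
# would come from a scanner export. Names and values are illustrative only.
INVENTORY = [
    ("vpn-gateway", "TLSv1.0", "DES-CBC3-SHA"),
    ("intranet", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("mail-relay", "SSLv3", "RC4-MD5"),
    ("customer-portal", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("legacy-erp", "TLSv1.2", "AES128-SHA"),
]

# Simplified classification lists (an assumption of this example).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "EXP"}
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20", "POLY1305"}
FS_TOKENS = {"ECDHE", "DHE"}


def findings(protocol, cipher):
    """Return the reasons this protocol/cipher pair counts as outdated."""
    tokens = set(re.split(r"[-_]", cipher.upper()))
    out = []
    if protocol in LEGACY_PROTOCOLS:
        out.append(f"legacy protocol {protocol}")
    weak = sorted(tokens & WEAK_TOKENS)
    if weak:
        out.append("weak algorithm: " + ", ".join(weak))
    if not tokens & AEAD_TOKENS:
        out.append("no AEAD mode")
    # TLS 1.3 suite names do not encode the key exchange, so skip this check.
    if protocol != "TLSv1.3" and not tokens & FS_TOKENS:
        out.append("no forward secrecy")
    return out


def audit(inventory):
    """Map each service with at least one finding to its list of findings."""
    report = {}
    for name, protocol, cipher in inventory:
        problems = findings(protocol, cipher)
        if problems:
            report[name] = problems
    return report


def modern_client_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Calling `audit(INVENTORY)` flags the three services that still rely on old protocols or ciphers and leaves the two modern ones out of the report.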

 

Phase 2: What to do during a breach  

Even though everything is on fire during a data breach, keep your cool. By following these steps, you can minimize the damage hackers inflict on your systems.

READ: 5 Early Warning Signs of a Data Breach  

1. Contain the breach.    

Your highest priority should be to contain the breach and prevent further damage. This may involve isolating affected systems, disabling user accounts, or disconnecting from the internet.

However, Harris also shared that containing the breach isn’t as simple as unplugging the device.  

“Shutting down an affected machine could result in loss of important information forensics might need,” he said. “Also, sometimes the key to decrypt ransomed files is in your device’s memory – which disappears when it’s shut down.”  

“It’s a toss-up and a judgement call when a breach happens.”  

He advised that the industry standard is to isolate the machine – prevent it from talking to other machines on the network. “If this can’t be done, shutting down the machine may be the next best choice,” he said, “but always shutting down a machine when it’s infected is not the right answer.”

Bonus: follow the procedure in your incident response plan (IRP).      

If you did your due diligence, you’ll already have a plan for dealing with a breach. Your IRP will (or should) have a detailed guide to isolating infected machines.  

If you find yourself in the unenviable position of dealing with a breach without an incident response plan, go to step two.     

 

2. Contact cybersecurity experts & insurance partners.    

After starting breach containment, it’s time to immediately contact people who can handle the technical aspects of your cybersecurity. 

This may be the head of your internal IT or your third-party IT provider. If you don’t have a specific team handling your security, consider contacting your insurance provider.  

Harris said, “It’s very likely you’ll need to contact insurance first before making new outside vendor contact.”

They can advise you on the next steps and help cover any financial damage that occurred during the data breach period. 

While you should contact your internal experts or existing MSSP, IT team, or MSP, you likely shouldn’t be involving outside parties that you don’t already have a relationship with until calling insurance.       

3. Conduct a preliminary investigation.    

While the breach is happening, your cybersecurity expert should conduct a preliminary investigation to determine what happened. This may involve reviewing logs, interviewing employees, or hiring a third-party security firm.    

This is where having a specialized cybersecurity expert on-call can come in handy. 

“Experts will know how not to destroy evidence while a standard non-security trained expert may not,” Harris said.  

It’s always best to ask your IT team exactly what they can do, and make sure you have the right people for the job. 

4. Keep lines of communication open.    

Lastly, when experiencing a data breach, you must inform affected parties of your progress in responding to the data breach and implementing new security measures.

This may involve issuing periodic updates or establishing a hotline for concerned parties to call.  

 

Phase 3: How to recover after a breach  

The days after the data breach are just as important as dealing with it while it’s happening. Make sure you:      

1. Conduct a post-breach assessment.    

You should thoroughly assess the breach to understand what happened, how it happened, and what data was compromised. This can help you develop a plan to mitigate the damage and prevent future breaches.    

The post-breach assessment (also called, in some circles, an action review, hotwash, or post-mortem) will help you decide whether you need a complete system wipe. Your cybersecurity experts will help evaluate where you go from here.

2. Coordinate with your cyber liability insurance provider.    

Stay connected with your cyber liability insurance provider after a data breach. They can guide you in navigating the post-breach complexities, ensuring you document everything properly and follow the necessary protocols.     

You can assess the financial impact more accurately and expedite the insurance claim process.       

Their expertise can help you enhance cybersecurity measures to prevent future breaches, showcasing your dedication to managing risks effectively.    

3. Provide a transparency report about the breach.     

After the post-breach assessment, you should notify affected parties about the full details of the breach and their next steps to prevent further data compromise.

However, you'll need to check in with your insurance and legal team before making any major statements. 

“If insurance is involved,” Harris explained, “they might have also used a law firm to hire a forensics or incident management team. This invokes attorney client privilege and prevents things from being discoverable in lawsuits.” 

If you've had an incident, it’s critical that you don't circumvent these channels and accidentally disclose data that shouldn’t be communicated outside of those channels. 

Read: Security Incident or Data Breach: What’s the Difference?    

4. Enhance security measures.    

You’ll now need to enhance your security measures to prevent the breach from happening again. This may involve updating software, implementing more robust access controls, or providing additional security training for employees.    

Ready to stop the damage of a data breach?    

You can protect yourself by taking proactive steps to mitigate the risk of data breaches. And while it’s always better to have a plan in place, it’s not too late to recover, even when a breach is already happening.

Here at ITS, we believe all businesses deserve to have safe data, which is why we’ve helped our clients develop Incident Response Plans tailored for their organization.    

To learn more about incident response plans and data breaches, check out the following resources: 




But if you’re looking for more personalized advice about incident response planning, or are already experiencing a data breach, schedule a meeting with our cybersecurity experts and watch our webinar explaining the first 24 hours after a data breach so you can immediately get the information you need. 

 
