After the breach: Six key actions to take

(Image credit: Shutterstock/Ai825)

Despite an organisation’s best efforts, given the sophistication of today’s hackers and other malicious actors, sometimes a data breach is unavoidable. As a result, all businesses should be prepared for the very real possibility of their data being stolen, held for ransom or manipulated in a way that makes it unusable.

The key to surviving a data breach is dealing with it swiftly, effectively and transparently to minimise damage and keep those affected in the know. Here are six key steps that organisations can follow to achieve this and build a stronger, safer network to avoid future breaches.

  • Contain the threat
    The obvious first step in dealing with a data breach is containing the threat. Now that you’ve identified an intruder in your system, it’s time to kick them out and stop them from getting in again. There may be multiple hackers within your system, so be careful to track them accordingly.

    Your entire security team needs to be available to assist with this. Identify and secure the main access point – and any additional access point the intruder may have created after gaining initial access.
  • Identify the vulnerability
    A host of weaknesses could leave your network vulnerable, whether it be a missed patch update, lack of data encryption or even a new type of cyberattack for which your organisation wasn’t prepared. Knowing the source of the threat will show you what you need to focus on in the future. Knowing the nature of the vulnerability, who (or which team) was responsible for it and why it was missed helps you understand where there’s room for improvement. Getting to the root cause of the attack will also enlighten other organisations about what precautions should be taken in the future. Since the nature of cyberattacks is constantly evolving and the ways in which hackers gain access are never quite the same, this is vital information to share. It is also important that you give your customers and other stakeholders peace of mind by identifying the issue and confirming that you’ve secured it.
  • Determine what was stolen (and how much)
    The intent behind every data breach is different: not everyone is after Social Security Numbers and email addresses. Alternatively, some hackers may be interested in banking information, electronic health records (EHRs) or in manipulating data for political or economic gain. So, after falling prey to a data breach, it’s important to inventory everything that was stolen or changed. This is essential when you are disclosing the nature of the breach. Knowing what was stolen gives you an idea of what is likely to happen to the data and what precautions victims should take.

    Understanding what information from your business is valuable to hackers will also allow you to better safeguard that particular information in the future. In cases of manipulation (tampering) of encrypted data, identifying the data that was hacked is of the utmost importance. This is not just so organisations can understand the motives of the hacker, but so they can correct their now-corrupted data.

    Data manipulation refers to modifying the data in such a way as to render it unusable. If you were prepared for a data breach, you’ll have backup data servers in place. Organisations can recover this information using their backup devices and actually determine how hackers changed the data. Data modification can be used for nefarious activities with the intent to harm a specific individual, such as bloodwork tampering, or unauthorised changes to a no-fly list. Being able to detect unauthorised modifications to encrypted data is essential since the potential danger to personal and public safety is extremely high.

  • Announce the breach immediately
    Although it’s not ideal, be transparent when a data breach occurs. Tell the public, tell your customers and tell your vendors. Whoever is at risk needs to be notified immediately. The GDPR gives European companies and companies that deal with European customers only 72 hours to report a breach after it happens. And forty-eight U.S. states, Puerto Rico, the District of Columbia, Guam and the Virgin Islands all have legislation requiring that individuals be notified if personally identifiable information (PII) has been put in jeopardy because of a data breach. 
  • Offer your customers recourse
    It’s standard procedure for organisations to offer customers one to two years of credit monitoring services if their data has been compromised. In 2017, the state of Delaware introduced new legislation that stated a breach of 500 or more individuals requires that the affected organisation purchase credit monitoring services for their affected customers.

    Don’t just comply with government legislation when determining how much to offer your customers and employees affected by a data breach. Rather, go big when providing your customers recourse. History tells us that data breaches can lead to major distrust of the affected brand. Take Target’s 2013 data breach, for instance: its sales fell 46 per cent the following quarter. Providing immediate support for your customers – and admitting that you have an obligation to make this right – can mitigate a fall in sales and loss of trust. 
  • Make sure it doesn't happen again
    Today, one data breach is hardly forgivable. Suffering multiple data breaches in a short span of time is a recipe for disaster and could even mean the end of your business. According to a Dark Reading report from 2017, 66 per cent of small businesses would either go out of business or shut down for at least one day if they suffered a data breach. In another report, 76 per cent of those interviewed said they would stop using a company that suffered more than one data breach.  It’s important that you do everything in your power to prevent a data breach from happening again. After all, you are now a target. You have sent a message to the hacker community that you are lax when it comes to security. It’s time to recreate your image as a company that takes data security very seriously or suffer the consequences. 

Whatever led to the vulnerability will require you to examine your business processes and modify your security operations procedures. It’s also vital that you re-examine all of your security processes. Is your threat detection software doing its job? Is your data encryption sophisticated enough for your organisation’s needs? Do you have a security-first mentality within your organisation? Address all of these questions and respond accordingly.
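
For the step "Determine what was stolen (and how much)", the comparison of live data against a backup can be done record by record. The sketch below is an added example, not part of the original article; the record ids, field names and lab values are constructed, and it assumes the backup predates the intrusion and was out of the intruder's reach.

```python
import hashlib
import json


def record_digest(record):
    """SHA-256 of a canonical JSON encoding, so key order does not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_against_backup(backup, live):
    """Classify every difference between the trusted backup and live data."""
    report = {"modified": {}, "deleted": [], "added": sorted(set(live) - set(backup))}
    for rec_id in sorted(backup):
        old = backup[rec_id]
        if rec_id not in live:
            report["deleted"].append(rec_id)
            continue
        new = live[rec_id]
        if record_digest(old) != record_digest(new):
            # Field-level view: (value in backup, value in live)
            report["modified"][rec_id] = {
                field: (old.get(field), new.get(field))
                for field in sorted(set(old) | set(new))
                if old.get(field) != new.get(field)
            }
    return report


# Constructed sample data: lab results keyed by a hypothetical record id.
BACKUP = {
    "lab-1001": {"patient": "P-17", "test": "potassium", "value": 4.1, "unit": "mmol/L"},
    "lab-1002": {"patient": "P-22", "test": "glucose", "value": 5.4, "unit": "mmol/L"},
    "lab-1003": {"patient": "P-30", "test": "sodium", "value": 140, "unit": "mmol/L"},
}
LIVE = {
    "lab-1001": {"patient": "P-17", "test": "potassium", "value": 6.9, "unit": "mmol/L"},
    "lab-1002": {"unit": "mmol/L", "value": 5.4, "test": "glucose", "patient": "P-22"},
    "lab-1004": {"patient": "P-41", "test": "glucose", "value": 5.0, "unit": "mmol/L"},
}

if __name__ == "__main__":
    print(json.dumps(diff_against_backup(BACKUP, LIVE), indent=2))
```

The report lists every difference since the backup was taken, so legitimate updates made after that point have to be ruled out against change records before a difference is treated as tampering.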

Jeff Harrell, VP, product and marketing, Zettaset