How to Recover from a Security Breach

April 5, 2018 Eric Dosal Eric Dosal

Sooner or later, no matter how strong your company’s defenses are, someone will manage to compromise your security. No combination of defenses is 100% immune to an assault by a skilled and determined attacker (or group of attackers). The scary thing is this: According to data cited by the U.S. Securities and Exchange Commission, “60 percent of small firms go out of business within six months of a data breach.”

However, just because you’ve suffered a security breach doesn’t mean the end of the world. It is possible to recover from a security breach and return to business as usual—if you have a plan in place for recovering from the breach and have taken steps to prepare for this eventuality.

So, how can you prepare your business recover from a security breach? And, what steps should you take immediately following a security breach?

Preparing for a Security Breach

When it comes to recovering from a security breach, preparation is key. If you don’t have the right tools in place, you may not even be able to identify a security breach—let alone contain and eliminate it.

Some key preparations to make include:

  • Identifying All of Your Company’s IT Assets. How can you protect your network if you don’t know what’s on the network? Performing a complete audit of your IT assets on your network is a must if you’re going to account for all of the resources you need to protect—and possibly replicate as part of your recovery plan.
  • Adding an Intrusion Detection System (IDS). The ability to spot a breach is crucial for ensuring a rapid response that minimizes damage and makes recovery easier. Intrusion detection systems help you to identify when security breaches occur so you can respond to them sooner rather than later.
  • Creating an Incident Response Plan (IRP). When a security incident occurs, who is responsible for doing what in response? An incident response plan lays out the roles and responsibilities for people in your company to adhere to in the event of a breach—making sure they know what to do so they can respond faster.
  • Backup Your Data. Different types of breaches are meant to accomplish different things. Ransomware attacks, for example, encrypt the data on your network so that you can no longer access it. Having a backup of your company’s most important data on a remote server enables you simply format the local drives and download the data you need from the backup.
  • Frequent Penetration Testing. Penetration tests are a crucial tool for identifying vulnerabilities in your security preparations so you can fix them before a breach occurs.
  • Creating an Incident Response Team (IRT). While having an incident response plan is useful, having people with the right skills and experience to handle your response to a security breach is just as important. An incident response team—whether pulled from internal IT staff or from a third party cybersecurity staffing provider—can help make sure your IRP is carried out as smoothly as possible.

Phase One of Breach Recovery: Stopping the Attack

stopping-the-attackIf you’ve completed all of your preparations and a breach occurs, what should you do to help your business recover?

Identifying that there was a breach at all was the first step on the road to recovery. The faster you spot a breach after it occurs, the better off your company will be. This is because it will take time for any attackers to break out of the first system that they compromise to get at the rest of your network.

The second step is to contain the breach—cutting off the attacker’s access by isolating the system(s) they’ve compromised or revoking the access privileges of the user account they’re abusing.

After the threat is contained, the third step is to eliminate it. The means of elimination may vary depending on the type of breach that occurred.

If you can identify, contain, and eliminate a breach before the attacker breaks out of the system they initially compromised, you can minimize the damage the breach causes.

Only after the source of the attack is eliminated can the recovery process actually begin.

Phase Two of Breach Recovery: Investigating the Attack Method

Knowing how the attack happened is a must for preventing attackers from simply repeating the same attack strategy again. Also, any affected systems should be investigated for signs of further compromise—the attacker may have left other malware on the system during the time in which they had access.

Activity logs from the time of the breach should be preserved for forensic analysis at a later date. These logs can help you identify the source of the attack so you can block future attempts.

Phase Three of Breach Recovery: Notifying Those Who May Have Been Affected

During your investigation of the breach, you should be able to determine which systems were compromised and what data, if any, was put at risk of being compromised. As soon as you can, you should send out notifications to any and all parties that may have been affected by the security breach.

Notification laws may vary by state, as noted by the National Conference of State Legislatures. Because of this, the time limit that your business has to notify its customers, vendors, and others affected by a breach may be different. As a rule of thumb, the faster you can send out a notification, the better.

Contact methods for notifications may vary, and it is often a good idea to send out notifications through multiple methods whenever possible to ensure that those affected by a breach are notified. For example, you could send out a mass email, regular mail, or automated calls to warn customers that they may have been affected.

In the email/mail/phone message, be sure to note the date of the breach, what kinds of files may have been compromised, and what steps the message recipient should take to protect themselves based on the type of data that was compromised.

Sending out these kinds of notices is crucial for protecting your company’s reputation after a breach. Being prompt and honest, in addition to working to protect customers who may be affected by a breach, demonstrates that you take your customers’ data safety seriously. This, in turn, helps reduce the backlash that inevitably follows a major data security breach.

The authorities should also be notified as soon as possible so they can help with the investigation (and to comply with certain security breach notification laws).

Phase Four of Breach Recovery: Restoring Assets on Your Network

restoring-assets-on-your-networkRestoring the individual assets that were compromised to your network can occur in a number of ways, depending on how you’ve prepared for the security breach. In some cases, it may be possible to simply wipe or replace the data storage drives of the affected IT assets and download any lost data from a backup.

In other cases, it may be possible to activate entire cloud-based replicas of your network environment to near-instantly restore your business’ network to normal while you work to investigate the security breach.

Basically, how you restore the assets on your network will depend on the business continuity (BC) and disaster recovery (DR) plan that you have in place. A BC/DR plan is something that you should have set well in advance to create fail-safes so that if one of your assets is taken down, you have a means of keeping your business going.

When restoring assets, be sure to catalog which assets have been taken down and what is supposed to be on your network according to your latest asset identification efforts. This way, you can be sure that you haven’t missed anything—and that no extra surprises are left on your network, either.

Phase Five of Breach Recovery: Preparing for the Next Attack

After you’ve recovered from the attack by following the BC/DR plan you have in place, it’s important to prepare for the next attack. If you’ve been hit once, there’s a good chance you’ll get attacked again by the same group—or by others using the same attack strategy.

This is where your investigation into the attack can prove invaluable. By studying the attack method and finding out how the attacker(s) got in, you can identify the gaps in your cybersecurity that allowed the attack to occur and close them. Doing so can help prevent future breaches.

Also, studying your BC/DR plan implementation can help you learn how to improve the plan for the future. Making these improvements can help to improve your response speed to an attack and minimize the downtime and disruption that an attack can cause.

Need to know more about how you can protect your company’s network, prevent security breaches, and improve your overall cybersecurity posture? Then check out our free guide, Back to Cybersecurity Basics, via the link below! Or, if you want expert advice from an experienced cybersecurity professional, contact Compuquip Cybersecurity today!