What to Do After a Data Breach

March 28, 2019, by Eric Dosal

Imagine that you’ve just been told that there was a data breach of your organization. How do you react? Do you know what to do after a data breach? Do you have an incident response plan (IRP) ready for handling a data breach? How will you identify and close the security gaps that led to the breach?

Having a firm grasp of data breach response best practices is crucial for minimizing the impact of a breach. To help you improve your ability to respond to a data breach, here’s a quick guide for “what to do after a data breach.”

What to Do After a Data Breach: Contain the Breach

The first thing that you should do after discovering a data breach is to stop that breach from potentially getting worse. This means identifying the breach, learning how it happened, and doing whatever is necessary to cut off the attacker’s access to your systems. The exact means of containing the breach may vary depending on the nature of the attack—so it’s important to have an incident response plan that can account for different attack strategies.

This will often require extensive preparation beforehand to ensure that your network security team or managed security service provider (MSSP) has the right tools on hand to identify the breach and contain it. For example, a security information and event management (SIEM) tool can be invaluable for collecting data about intrusion attempts—though expert analysis may be required to sort out the pertinent event logs from the ones that aren’t useful.

Once Contained, Investigate the Data Breach in Detail

After containing a network security breach, it’s necessary to collect information about the breach to identify the specific method of attack so future attacks using that method will fail. Otherwise, the attacker can just use the same attack method again and cause more damage.

During this cybersecurity investigation, it will be necessary to identify the full extent of the data breach—which systems were affected, what information was taken, whether that info was encrypted or not, and so on. This information is necessary for identifying any parties that may be affected by the breach so you can contact them later and apprise them of the risks they face.

As mentioned earlier, SIEM tools can be invaluable for this activity because they log all important network activity.
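The two SIEM uses described above, separating the pertinent auth events from background noise and then scoping which accounts and systems an intruder touched, can be shown with a small triage script. This is an added example, not code from the original article or from Compuquip; the log lines are constructed for illustration, and the field names and thresholds are assumptions of the example rather than any product's settings.

```python
"""Triage of SSH-style auth logs: filter to authentication events, flag a
successful login preceded by a burst of failures from the same source, and
list the hosts the compromised account reached afterwards."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2019-03-27T22:01:05 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51822
2019-03-27T22:01:07 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51823
2019-03-27T22:01:09 web01 sshd[4021]: Failed password for jsmith from 203.0.113.45 port 51824
2019-03-27T22:01:11 web01 sshd[4021]: Failed password for jsmith from 203.0.113.45 port 51825
2019-03-27T22:01:13 web01 sshd[4021]: Failed password for jsmith from 203.0.113.45 port 51826
2019-03-27T22:01:15 web01 sshd[4021]: Accepted password for jsmith from 203.0.113.45 port 51827
2019-03-27T22:03:40 db01 sshd[1190]: Accepted publickey for jsmith from 10.0.4.12 port 40022
2019-03-27T22:05:00 web01 cron[3300]: (root) CMD (run-parts /etc/cron.hourly)
2019-03-27T22:06:12 web01 sshd[4100]: Accepted publickey for deploy from 10.0.4.7 port 40100
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Keep only sshd authentication events; cron and other noise is dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "sshd":
            continue
        a = AUTH_RE.search(m.group("msg"))
        if not a:
            continue
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "host": m.group("host"), **a.groupdict()})
    return events


def find_suspicious_logins(events, threshold=3, window_s=300):
    """Flag an accepted login preceded by at least `threshold` failures from the
    same source address within `window_s` seconds (guessing followed by success)."""
    hits = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            fails = [f for f in evs[:i] if f["result"] == "Failed"
                     and (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(fails) >= threshold:
                hits.append({"src": src, "user": e["user"], "host": e["host"],
                             "ts": e["ts"], "failures": len(fails)})
    return hits


def scope_compromise(events, hits):
    """For each flagged account, list every host it logged in to from the
    suspicious login onward: the 'which systems were affected' question."""
    scope = {}
    for h in hits:
        hosts = sorted({e["host"] for e in events
                        if e["user"] == h["user"] and e["result"] == "Accepted"
                        and e["ts"] >= h["ts"]})
        scope[h["user"]] = hosts
    return scope


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_suspicious_logins(evs)
    for h in hits:
        print(f"suspicious login: {h['user']}@{h['host']} from {h['src']} "
              f"after {h['failures']} failures")
    print("hosts to review:", scope_compromise(evs, hits))
```

On the sample data the script flags the `jsmith` login on `web01` and reports both `web01` and `db01` as hosts to review, while the cron entry and the unrelated `deploy` login never reach the analyst. In a real environment the same two questions are asked of the SIEM's aggregated logs, with the threshold and window tuned to the organization's normal failure rate.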

Reach Out to Notify Any Affected Parties

As noted by Privacy Rights Clearinghouse, “all 50 states now require some form of data breach notice.” While the exact wording of the requirement will vary from one state to the next, it is imperative that you notify any affected parties as soon as reasonably practicable—the faster, the better. Maintaining “radio silence” for any longer than necessary only hurts your customers/clients and helps the hacker.

A key data breach response best practice is to send out multiple notifications to all affected parties via multiple channels as soon as they have been positively identified. This is a key step in handling a data breach effectively so customers, clients, employees, and business partners can take the necessary measures to prevent fraud.

Some typical notification methods include mass emails, text messages, automated phone calls, and even hardcopy mail. It can also help to put out an advertisement or press release notifying the general public about the breach and how it may affect your customer base. This way, if you have out-of-date contact information, there’s a strong chance at least one of your alert methods will reach its intended audience.

Harden Your Cybersecurity Measures Against Future Attacks

This step in handling a data breach will probably occur concurrently with the previous step. Even as you’re compiling your list of all affected parties, you will want to have your team picking the attack apart to discover how it happened and determine how it could have been prevented.

For example, if an attacker leveraged a customer-facing application programming interface (API) to breach your defenses, it may be necessary to shut down that API until it can be patched (or replaced) to eliminate the weakness that let the attack happen. Or, if the attacker used a hijacked employee account to access the system, it may be necessary to reset that account’s username/password and authentication tokens (or to delete the account). Then, the method of the account hijack should be investigated to prevent future incidents.

In the case of hijacked employee user accounts, it may be necessary to improve cybersecurity awareness of phishing techniques so employees aren’t as likely to fall for them in the future. Adding multifactor authentication (MFA) can also help, since it keeps hackers from simply guessing or stealing passwords and using them to access employee accounts.
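Resetting a hijacked account's "authentication tokens," as described above, only works if the server can tell an old token from a new one. A common way to do that is to embed a per-account token version in every signed token and bump the version at containment time, which rejects every token issued before the bump at once. The code below is an added example, not code from the original article or from Compuquip; the `AccountStore` class, its method names and the in-memory signing key are all assumptions of the example.

```python
"""Per-account token versioning: containment bumps the version, so every
previously issued token for that account fails validation."""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side signing key; a real deployment keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)
SIG_LEN = hashlib.sha256().digest_size


class AccountStore:
    """In-memory stand-in for the user database (example only)."""

    def __init__(self):
        self.token_version = {}   # username -> version embedded in valid tokens
        self.disabled = set()     # accounts that have been shut off entirely

    def issue_token(self, user):
        """Sign {user, current version} with HMAC-SHA256 and base64 the result."""
        ver = self.token_version.setdefault(user, 1)
        payload = json.dumps({"u": user, "v": ver}, separators=(",", ":")).encode()
        sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + sig).decode()

    def validate_token(self, token):
        """Return the username if the token is genuine AND still current, else None."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:          # binascii.Error is a ValueError subclass
            return None
        if len(raw) <= SIG_LEN:
            return None
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None             # forged or tampered token
        claims = json.loads(payload)
        user = claims["u"]
        if user in self.disabled or claims["v"] != self.token_version.get(user):
            return None             # account disabled, or token predates a reset
        return user

    def contain_hijacked_account(self, user, disable=False):
        """Containment step: invalidate all outstanding tokens for the account by
        bumping its version; optionally disable the account outright."""
        self.token_version[user] = self.token_version.get(user, 1) + 1
        if disable:
            self.disabled.add(user)


if __name__ == "__main__":
    store = AccountStore()
    old = store.issue_token("jsmith")
    print("before containment:", store.validate_token(old))   # jsmith
    store.contain_hijacked_account("jsmith")
    print("after containment: ", store.validate_token(old))   # None
    print("fresh token:       ", store.validate_token(store.issue_token("jsmith")))
```

The password reset and the version bump should happen together: a new password with the old session tokens still valid leaves the attacker logged in, which is exactly the gap the containment step is meant to close. The `disable` flag covers the article's "or delete the account" option without destroying the audit trail the later investigation needs.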

Knowing what to do after a data breach is often a matter of having an IRP in place—along with the resources to enact that plan. If you need help handling a data breach, it’s better to reach out sooner rather than later. So, talk to a member of the Compuquip Cybersecurity team ASAP—preferably before you have to enact your incident response plan!
