10 Essential Steps to Take After a Data Breach

Data breaches are increasing day by day. As companies develop their digital capabilities and range of services, they increase their risk. Cybersecurity company ESET has outlined the do’s and don’ts in the wake of the escalating data breaches.

Data breaches worldwide today cost more than US$4.2 million per incident. As organizations strengthen their digital infrastructure, they also expand the company’s attack surface. More violations reported in the US in the third quarter of 2021 than in all of 2020. It takes quite a long time for an average-sized organization to find and contain a data breach, and it is estimated to take 287 days today. So, what to do when breach alarms go off? ESET experts shared the following information about what to watch out for;

The increasingly common ransomware actors that are at the forefront of modern data breaches make things even more complicated.

Calm down
A data breach is one of the most pressing situations for an organization. This creates a lot of pressure, especially if this event is carried out by ransomware actors that encrypt host systems and demand payment. However, impulsive responses can do more harm than good. Getting the company back up and running is of course very important, but in this case it is vital to have a method. You should put in place an incident response plan and understand the extent of the violation before taking any major action.

Follow your incident response plan
You should consider the likelihood of the organization being breached not “when” but “if” it happens today, and that an incident response plan is cybersecurity best practice. This requires advanced planning; Guidance from organizations such as the US National Institute of Standards and Technology (NIST) or the UK’s National Cyber Security Center (NCSC) can be sought. When a serious violation is detected, a pre-determined incident response team with company-wide stakeholders should work through the processes step-by-step. It’s a good idea to test these plans regularly so everyone is prepared and documentation is kept up to date.

Assess the extent of the violation
One of the most important steps after a major security incident is to understand how badly the company has been affected. In this way, you will be informed about post-infringement actions such as reporting and remediation. You should find out how the malicious people got into the systems and how large the “effect size” of the attack was, ie what systems these people had access to, what data was at risk, and whether these people were still on the network. This is where third-party forensic experts usually come into play.

Include the legal department
You should know where your organization is after a breach. What are your obligations? Which regulatory bodies need to be notified? Should you bargain with attackers to gain more time? When should customers and/or business partners be notified? The internal legal department should be your first point of contact in this regard. However, you can also involve experts in the cyber incident response field. Information forensics about what really happened is vital at this point so these experts can make informed decisions.

Inform law enforcement
Regardless of regulatory requirements, it is in your best interest to have law enforcement agencies on your side in case of data breaches, especially when threat actors are still in your network. You should involve law enforcement agencies as soon as possible. For example, in the case of ransomware, law enforcement agencies may have you contact security providers and other third parties that offer decryption keys and risk prevention tools.

Tell your customers, partners and employees
This is another step that should definitely be on your post-violation to-do list. But again, the number of customers/employees/business partners you need to inform, what you tell them and when you tell them depends on the details of the incident and what was stolen. First, convey a statement that the organization has noticed an incident and is currently investigating the incident. However, you should share more details shortly, as rumors about it will spread quickly. IT, Public Relations and Legal departments should work in close contact with each other on this issue.

Start recovery and fix work
nce the scope of the attack has been determined and the forensics/incident response teams have made sure that threat actors are no longer gaining access to the network, it’s time to get things back on track. This can mean restoring systems from backup, reimaging compromised machines, patching affected endpoints, and resetting passwords.

Start building a solid foundation for future attacks
Threat actors often share information underground in cybercrime. In addition, organizations that fall into victim status are being violated more and more. Ransomware is used for this purpose. Therefore, it is more important than ever to use information obtained from threat detection and response as well as forensic tools. This way, you can be sure that all the paths used by the attackers the first time will not be used again in future attacks. This could mean improvement in patch and password management, better security awareness training, implementation of multi-factor authentication (MFA), or more complex changes to people, processes and technology.

Examine worst-event response
The final item in the event response puzzle is learning from experience. As mentioned above, building a more solid structure for the future is part of this. You can also review other examples. Past data breaches include many high-profile incidents with poor response. In one highly controversial incident, a phishing link was tweeted four times from a compromised company’s corporate Twitter account, mistaking it for a link to the company’s breach response site. In another case, one of the UK’s major telecommunications companies came under heavy criticism for publishing contradictory information.

Regardless, customers are increasingly aware that the organizations they do business with will encounter security incidents. Whether they continue to work with you or not depends on how you react to these events, as well as material and moral damage.


Related Articles

Back to top button