How to Survive a Data Breach: 14 Disaster Response Tips


Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.

In 2018, more than 6,500 data breaches resulted in billions of compromised consumer records. This year, 28% of organizations polled by the National Cyber Security Alliance reported a breach within the past 12 months. There’s a price to pay for negligence: the average cost of every stolen record is $242, and – according to one study – 60% of small businesses are forced to close their doors within 6 months of a cyber-attack.

Today’s businesses bear a great responsibility to their customers and shareholders. Protecting data can mean the difference between staying open and facing bankruptcy: strict security compliance is therefore required to combat the growing number of attackers both domestic and abroad.

But no matter how prepared an organization is for the worst, data breaches can still occur, and when that happens, rapid response is required to mitigate damages. In this article, we’ll share 14 tips for surviving in the aftermath.

What to Do Immediately After a Breach

In the hours after a data breach is discovered, an organization’s actions can potentially save millions of dollars. Staying focused and following strategy is paramount to survival and damage reduction.

1. Isolate the breach – locate the systems affected by a breach and – if possible – physically isolate them from both the Internet and the rest of the organization’s network infrastructure. However far the attacker has already penetrated, this will prevent them from going any further.

2. Locate threat source – study the location of a breach and determine the origin of the attack. If you aren’t already using traffic monitoring tools, start packet capture to monitor inbound and outbound traffic. Tools such as Wireshark, Snort or Bro will assist in determining the type of data being exfiltrated, the ports and protocols being used, and the source and destination of transferred files.

3. Remove threat source – when the malicious actor has been discovered, block further access through blacklisting. Analyze logs to find the attacker’s entry point, and reset any credentials used along the way.

4. Record and document – while working to eliminate the threat source, record and document any discoveries. Ensure that logs from the time of the attack are preserved. Note system configurations, the type and extent of data accessed, the entry point, and the path of propagation for later analysis.

5. Harm reduction – if login credentials were accessed by the attacker, immediately reset them and send a notification to users. Even encrypted information can be cracked, sold, and used to access user accounts.

Dealing with The Public

In the past, organizations often hid data breaches for a long period of time before informing the public, if they ever did at all. Today, emerging legislation requires organizations to disclose a breach soon after it occurs – within 72 hours under GDPR. Handling it well is important for maintaining trust.

6. Seek legal counsel – before taking any other actions, prepare for the possibility of litigation under consumer privacy laws. Calculate the probability of a lawsuit and its likely expenses, and decide on a course of action should a defense be necessary (settle, or fight?).

7. Inform everyone affected – if a crime has occurred – especially by insider threat – begin by informing law enforcement. Afterwards, inform any victims of data theft directly, then move to tell stakeholders, relevant government entities, and finally the public. Be transparent about the breach itself, and the steps taken in response.

8. Prepare for questions – in collaboration with your legal, PR, business and IT departments, prepare honest and informed answers to probing questions. Doing this ahead of time allows an organization to maintain its reputation by staying in control of the narrative, and helps it avoid sharing confidential details.

Analyze the Incident

After a breach occurs, an organization will likely spend several months analyzing the incident to avoid a similar one in the future. Areas to analyze include severity, attack vector, root cause, and financial impact.

9. Determine severity of breach – what was stolen, what was its value, and what systems were compromised in the course of the attack? Answer these questions as thoroughly as possible to find areas of priority.

10. Determine attack vector – determine the exact parameters of the intrusion, including any vulnerabilities exploited. Interview staff members to determine whether social engineering was used to gain access credentials.

11. Conduct a security audit – beyond the nitty-gritty of an attack, audit your organization’s security strategy, infrastructure and staff training to find areas of weakness that may have contributed to the breach.

Prevent Future Attacks

In some cases, a data breach can be a blessing in disguise. It provides organizations with the impetus to modernize infrastructure and allocate resources to security. Armed with new information and better safeguards, organizations can avoid more serious incidents down the road.

12. Calculate expenses – determine the cost of infrastructure that needs to be replaced and include it in future budgets. Expenses may include networking equipment, storage and security systems, software licenses and building plans.

13. Improve infrastructure – aging infrastructure is inherently vulnerable, and a data breach can prove that. Based on information gathered in the aftermath of a breach, update anything that may have contributed to the breach, prioritizing critical systems first.

14. Train personnel – ensure security administrators are prepared for rapid response in the event of another data breach; train personnel throughout the organization for cyber hygiene practices, especially if attackers gained entry through social engineering, phishing attacks, or malware originating through email and web.

Building an Incident Response Plan

Work to reduce the impact of a data breach through rapid and effective response. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Before a cyberattack hits, invest in thorough risk management and compliance solutions to prepare your company for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.


Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cyber security, we are here to protect your organization from data breaches. Contact us for more information.

How Regular Risk Assessment Prevents and Stabilizes Threats


Data breaches, foreign hackers and corporate espionage: today, it seems that phrases like these are on the tips of every tongue, and not without good reason. As digital literacy, Internet access and affordable technology scale with global penetration, the knowledge and skill of attackers is increasing as well. Organizations both public and private are right to be concerned about these risks.

At the same time, “risk” is a broad domain, and while it might seem that we are facing more of them today than ever before, it remains true that the greatest risks to an organization originate from the inside. From mundane eventualities like power surges, to human error or malicious sabotage, any and every vulnerability within an organization constitutes a “risk”.

While individually a single risk may not amount to much, collectively risks represent a danger that can seriously obstruct – if not destroy – an organization and its mission. But with so many to worry about, how can they be anticipated and successfully prevented?

How to Define Risk

“Risk” is a measure of the likelihood that a vulnerability in a system or asset will be exploited, leading to adverse effects, combined with the probable impact of those effects. Impact may be measured in financial loss, operational obstruction or human capital.

The existence of vulnerabilities in any given system or asset can be taken for granted. All technology is flawed in some way, or risk would not exist. While most vulnerabilities are benign, obscure or inert, some are always serious enough to be targeted by threats.

Today, companies face many threats from the outside, including attackers, malware, foreign governments and APT groups. But they face many more from the inside, from malicious employees, to deprecated equipment, human error, poor coding and mishandling of data.

Fortunately, there are many methods to prevent threats from succeeding, and respond when they do. But organizations focused on prevention or remediation cannot skip the discovery process. Before risks can be dealt with, they must first be identified, measured and assessed.

The Role of Risk Assessment

A risk assessment is the controlled, systematic identification and documentation of existing risks, their likelihood of occurrence and their probable impact. A professional risk assessment will follow a careful methodology to ensure that nothing is overlooked, and that remediation is prioritized according to severity.

The purpose of a risk assessment is not merely to prevent risks from occurring, but also to establish a suitable response that will mitigate damages if they do occur. Risk assessments therefore inform organizational policies, providing an objective, quantifiable basis for regulation and best practice.

IT infrastructure and assets change with time as old equipment is discarded, new equipment is acquired, and configuration changes are made on a regular basis. Moreover, the availability of knowledgeable and skilled personnel may change with new hires, transfers or retirement.

For these reasons and many others, risk assessment should be repeated on a regular basis as part of an organization’s overall security and auditing cycle. What held true yesterday will not necessarily hold true tomorrow.

The NIST Framework

The National Institute of Standards and Technology (NIST) publishes a risk management framework for federal agencies, partners and contractors, and maintains the Framework for Improving Critical Infrastructure Cybersecurity. Its guide for conducting risk assessments is Special Publication 800-30.

NIST’s guidelines for conducting a risk assessment establish six broad steps:

  1. Identify threat sources
  2. Identify threat events
  3. Identify vulnerabilities
  4. Determine the likelihood of exploitation
  5. Determine the probable impact
  6. Calculate risk as the combination of likelihood and impact
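As an added illustration (not Securicon’s or NIST’s own material), the six steps as a small risk register: each entry records a threat source, threat event and vulnerability (steps 1 to 3), a likelihood and an impact on a five-level qualitative scale (steps 4 and 5), and the combination rule ranks them for remediation (step 6). The register entries are constructed, and the combination table is assumed to approximate the qualitative table in SP 800-30 Appendix I; check it against the current revision before relying on it.

```python
# Added walk-through of the six SP 800-30 assessment steps as a risk register.
# Sample entries are constructed; RISK_TABLE is an assumed approximation of
# the qualitative likelihood/impact combination table in SP 800-30 Appendix I.
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows = likelihood level; columns = impact level, ordered as in LEVELS.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass
class RiskEntry:
    threat_source: str   # step 1: who or what initiates the event
    threat_event: str    # step 2: what they do
    vulnerability: str   # step 3: the weakness that lets it succeed
    likelihood: str      # step 4: qualitative likelihood of exploitation
    impact: str          # step 5: qualitative impact if it succeeds

def combine(likelihood: str, impact: str) -> str:
    """Step 6: risk level as the combination of likelihood and impact."""
    if likelihood not in RISK_TABLE or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]

def prioritize(register):
    """Return (risk level, entry) pairs, highest risk first, for remediation."""
    scored = [(combine(e.likelihood, e.impact), e) for e in register]
    return sorted(scored, key=lambda s: LEVELS.index(s[0]), reverse=True)

# Constructed sample register covering external, insider and environmental sources.
SAMPLE_REGISTER = [
    RiskEntry("External attacker", "Credential phishing of staff",
              "No phishing-resistant MFA on email", "High", "High"),
    RiskEntry("Insider", "Copies customer data to removable media",
              "USB mass storage not restricted", "Low", "Very High"),
    RiskEntry("Environmental", "Power surge damages storage array",
              "No surge protection in server room", "Very Low", "Moderate"),
]

if __name__ == "__main__":
    for level, e in prioritize(SAMPLE_REGISTER):
        print(f"{level:9s} {e.threat_event} ({e.vulnerability})")
```

Re-running the register after each change to equipment, configuration or staffing is what the regular reassessment described below amounts to in practice.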

Other standards bodies follow NIST’s framework closely in their own publications, making it a de facto industry standard for conducting regular, thorough risk assessments as part of an overall risk management program.

Simplified, Productive Assessments

Risk is inevitable. It is a consequence of using technology and systems built by people in a world populated by people, some of them good, some bad, and none perfect. But being caught off guard is not inevitable. And when a breach, attack or system failure hits, those who are prepared will suffer the least and recover fastest.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our Risk Assessment framework.