Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.
In 2018, more than 6,500 data breaches resulted in billions of compromised consumer records. This year, 28% of organizations polled by the National Cyber Security Alliance reported a breach within the past 12 months. There’s a price to pay for negligence: the average cost of every stolen record is $242, and – according to one study – 60% of small businesses are forced to close their doors within 6 months of a cyber-attack.
Today’s businesses bear a great responsibility to their customers and shareholders. Protecting data can mean the difference between staying open and facing bankruptcy: strict security compliance is therefore required to combat the growing number of attackers both domestic and abroad.
But no matter how prepared an organization is for the worst, data breaches can still occur, and when that happens, rapid response is required to mitigate damages. In this article, we’ll share 12 tips for surviving in the aftermath.
What to Do Immediately After a Breach
In the hours after a data breach is discovered, an organization’s actions can potentially save millions of dollars. Staying focused and following strategy is paramount to survival and damage reduction.
1. Isolate the breach – locate the systems affected by a breach and – if possible – physically isolate them from both the Internet, and the rest of an organization’s network infrastructure. However far the attacker has already penetrated, this will prevent them from going any further.
2. Locate threat source – study the location of a breach and determine the origin of an attack. If you aren’t already using traffic monitoring tools, start packet capture to monitor inbound and outbound traffic. Tools such as Wireshark, Snort or Bro will assist in determining type of data being exfiltrated, ports/protocols being utilized, and source and destination of files.
3. Remove threat source – when the malicious actor has been discovered, block further access through blacklisting. Analyze logs to find the attacker’s entry point, and reset any credentials used along the way.
4. Record and document – while working to eliminate the threat source, record and document any discoveries. Ensure that logs from the time of attack are preserved. Note system configurations, the type and extent of data accessed, entry point, and path of propagation for later analysis
5. Harm reduction – if login credentials were accessed by the attacker, immediately reset them and send a notification to users. Even encrypted information can be cracked, sold, and used to access user accounts.
Dealing with The Public
In the past, organizations often hid data breaches for a long period of time before informing the public, if they ever did at all. Today, emerging legislation requires publishers to disclose a breach soon after it occurs – 72 hours under GDPR. Handling it well is important for maintaining trust.
6. Seek legal counsel – before taking any other actions, prepare for the possibility of litigation under consumer privacy laws. Calculate the probability of a lawsuit, likely expenses, and decide on a course of action should defense be necessary (settlement, or fight?)
7. Inform everyone affected – if a crime has occurred – especially by insider threat – begin by informing law enforcement. Afterwards, inform any victims of data theft directly, then move to tell stakeholders, relevant government entities, and finally the public. Be transparent about the breach itself, and the steps taken in response.
8. Prepare for questions – in collaboration with your legal, PR, business and IT departments, prepare honest and informed answers to probing questions. Doing this ahead of time allows an organization to maintain their reputation by staying in control of the narrative and helps them to avoid sharing confidential details.
Analyze the Incident
After a breach occurs, an organization will likely spend several months analyzing the incident to avoid a similar one in the future. Areas to analyze include Severity, Vector, root cause, and financial impact.
9. Determine severity of breach – what was stolen, what was its value, and what systems were compromised in the course of the attack? Answer these questions as thoroughly as possible to find areas of priority.
10. Determine attack vector – determine the exact parameters of the intrusion, including any vulnerabilities exploited. Interview staff members to determine whether social engineering was used to gain access credentials.
11. Conduct a security audit – beyond the nitty-gritty of an attack, audit your organization’s security strategy, infrastructure and staff training to find areas of weakness that may have contributed to the breach.
Prevent Future Attacks
In some cases, a data breach can be a blessing in disguise. It provides organizations with the impetus to modernize infrastructure and allocate resources to security. Armed with new information and better safeguards, organizations can avoid more serious incidents down the road.
12. Calculate expenses – determine the cost of infrastructure that needs replaced and include it in future budgets. Expenses may include networking equipment, storage and security systems, software licenses and building plans.
13. Improve infrastructure – aging infrastructure is inherently vulnerable, and a data breach can prove that. Based on information gathered in the aftermath of a breach, update anything that may have contributed to the breach, prioritizing critical systems first.
14. Train personnel – ensure security administrators are prepared for rapid response in the event of another data breach; train personnel throughout the organization for cyber hygiene practices, especially if attackers gained entry through social engineering, phishing attacks, or malware originating through email and web.
Building an Incident Response Plan
Work to reduce the impact of a data breach through rapid and effective response. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.
Before a cyberattack hits, invest in thorough risk, management, and compliance solutions to prepare your company for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.
Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cyber security, we are here to protect your organization from data breaches. Contact us for more information.