Oh S*#@! You’ve Been Breached: What Should You Do?
When it comes to cyber security, nothing is 100%. No matter how advanced your defenses are, attackers can find a way around them if they have enough time, money and motivation. Because breaches can affect any business, it is important that you prepare for worst-case scenarios ahead of time. The right planning will help minimize the damage to your business and get it back on its feet sooner.
Before the Breach: Getting Ready
The first step to recovering from a breach comes well before you have detected any intrusions. You need to develop a clear plan of how you will respond, with resources and stakeholders in place to ensure that you can act quickly.
When devising your plan, you should consider your company’s key assets, particularly which data is most sensitive and likely to be targeted. Use this to prioritize what should be protected, and to determine the most likely intrusion scenarios. Evaluate the threats and their respective likelihoods and plan your responses accordingly.
Part of your response plan will necessitate having an incident response team on call 24/7. This is critical, because fast action can help reduce the damages to your business. A response team will need to include a wide range of skills in order to rectify the wide-ranging damage of a data breach.
This team will need to include those with technical skills, such as security engineers and forensics experts that can help to investigate the threat and put a stop to it. It should also include legal experts, human resources managers and public relations managers who can help to deal with any of the non-technical fallout.
If the breach affects employees, you will also want to engage employee representatives. If intellectual property has been stolen, you may also need IP experts who can attempt to recover the stolen property. Data protection experts may also be necessary if you want to minimize the impact from a breach.
Smaller companies, or those that lack the specialized skills, may want to engage outside firms for some or most of these tasks. They may also want to outsource applications (e.g. email, file storage, web server hosting, credit card processing) to providers who then take on much of the day-to-day data protection work. Note that outsourcing an application does not outsource accountability: you remain responsible for your customers' data, so make sure the contract spells out how, and how quickly, the provider must notify you of an incident on their side. Bringing in incident response professionals can help to mitigate damages and enable your business to recover more quickly.
Detection and Monitoring
When it comes to breaches, speed is everything. It can take time for hackers to work their way into your network, and even longer for them to exfiltrate your data. This is why it is so important that your business has the necessary processes in place to detect breaches as soon as possible. Quick detection can change an attack from absolutely devastating to just a minor annoyance.
Prevention measures such as firewalls are still important, but businesses also need to be looking out for attacks that have already slipped past these defenses. Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems are the core components for early discovery: the SIEM collects logs from across the environment and runs correlation rules over them, so that a pattern which is invisible in any single log entry (for example, a burst of failed logins followed by a success from the same address) is surfaced to an analyst. Newer tools that apply machine learning to the same telemetry can flag behavior that no hand-written rule describes, but they also generate false positives that someone still has to triage, so they complement rather than replace well-tuned rules.
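To make the idea of a SIEM correlation rule concrete, here is an added example (not code from the original article) of the kind of rule an analyst would run over authentication logs. The log lines are constructed sshd-style entries with RFC 5737 documentation addresses, the format is an assumption, and the threshold and window are tunables you would adjust to your own environment. The rule alerts only when a source address succeeds after a run of failures, which is what distinguishes a guessed password from an ordinary typo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demo; not taken from any real system.
SAMPLE_LOG = """\
2023-03-01T02:14:01Z sshd[812]: Failed password for admin from 203.0.113.7 port 50112
2023-03-01T02:14:03Z sshd[812]: Failed password for admin from 203.0.113.7 port 50114
2023-03-01T02:14:05Z sshd[812]: Failed password for root from 203.0.113.7 port 50116
2023-03-01T02:14:08Z sshd[812]: Failed password for admin from 203.0.113.7 port 50118
2023-03-01T02:14:10Z sshd[812]: Failed password for admin from 203.0.113.7 port 50120
2023-03-01T02:14:12Z sshd[812]: Accepted password for admin from 203.0.113.7 port 50122
2023-03-01T09:30:00Z sshd[913]: Failed password for alice from 198.51.100.5 port 40001
2023-03-01T09:30:20Z sshd[913]: Accepted password for alice from 198.51.100.5 port 40003
"""

# Assumed line format; adjust the regex to whatever your own sshd/syslog emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(line):
    """Return (timestamp, outcome, user, source_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP logs in successfully after >= threshold failures within window.

    One failure followed by a success is normal user behavior; many failures followed
    by a success is the classic signature of a guessed or sprayed password.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        recent = failures[src]
        while recent and ts - recent[0] > window:  # forget failures outside the window
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({
                "time": ts.isoformat(),
                "source": src,
                "user": user,
                "failures_in_window": len(recent),
                "rule": "bruteforce_then_success",
            })
            recent.clear()  # one alert per burst, not one per subsequent login
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the rule fires once, for the 203.0.113.7 source, and stays quiet for alice's single mistyped password. In a real deployment the same logic would run over a live stream rather than a string, and the alert would carry enough context (source, account, time) for the responder to pivot straight into the investigation steps described later in this article.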
When a Breach Is Discovered
Once you discover an attack, your organization needs to jump into action. This is where all of that pre-planning comes in handy – you can react much more quickly when everything is ready to go.
Assemble Your Incident Response Team
You need to get your incident response team into action as soon as possible. Security professionals are essential for putting a stop to the attack, while legal and PR experts are essential for reducing the other ramifications. The legal complications of breaches can be complex, and it is important for an organization to understand its legal rights and responsibilities as soon as possible.
You should also have your legal representatives check your cyber insurance and any other policies that might apply. Some policies cover remediation costs and legal expenses, but only from the date on which the insurer is notified, so review the policy and notify the carrier immediately rather than after the investigation is complete.
Take Stock of the Damage
Your security engineers will need to look into your systems and networks to find out just how far the attack has reached. After this initial evaluation, they can prioritize which assets need to be protected or salvaged first. Before anything is wiped, rebuilt or patched, they need to take forensic images of the affected systems, ideally capturing volatile memory as well as disk, since rebooting or powering off destroys evidence of anything that was running only in memory.
It is important to keep detailed logs and records of both the attack and the response, because this information may be needed by regulators, outside investigators and for your company's own analysis. Your engineers need to restrict access to these logs and images to protect their integrity: record a cryptographic hash of each image at the time it is taken, keep copies on write-once or offline media, and note who handled each item and when, so that the evidence can later be shown not to have changed.
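The hashing and chain-of-custody step above is simple enough to script. The following is an added example, not code from the original article: it hashes each evidence file in streamed chunks (so a multi-gigabyte disk image never has to fit in memory), writes a manifest recording who collected what and when, and later re-verifies the manifest, distinguishing an altered file from a missing one. The case identifier, collector name, file names and file contents are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so large disk images need not fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(case_id, collector, evidence_paths):
    """Hash each evidence file and record who collected it and when (chain of custody)."""
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in evidence_paths
        ],
    }


def verify_manifest(manifest, evidence_dir):
    """Re-hash every recorded item; return {name: 'ok' | 'MISMATCH' | 'MISSING'}."""
    results = {}
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path):
            results[item["path"]] = "MISSING"
        elif sha256_file(path) != item["sha256"]:
            results[item["path"]] = "MISMATCH"
        else:
            results[item["path"]] = "ok"
    return results


def demo_roundtrip():
    """Constructed demo: seal two fake evidence files, then tamper with them and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "web01-sda.raw")      # hypothetical disk image
        log = os.path.join(tmp, "web01-auth.log")     # hypothetical exported log
        with open(img, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed disk image bytes")
        with open(log, "wb") as fh:
            fh.write(b"2023-03-01T02:14:12Z sshd[812]: Accepted password for admin\n")

        manifest = build_manifest("IR-2023-001", "j.doe", [img, log])
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)

        with open(manifest_path) as fh:
            loaded = json.load(fh)
        before = verify_manifest(loaded, tmp)

        # Simulate evidence tampering: append one byte to the image, delete the log.
        with open(img, "ab") as fh:
            fh.write(b"!")
        os.remove(log)
        after = verify_manifest(loaded, tmp)
    return before, after


if __name__ == "__main__":
    print(demo_roundtrip())
```

The manifest is only as trustworthy as its own storage: keep it apart from the evidence it describes, on media the responders cannot quietly rewrite, or have the collector sign it, otherwise someone who alters an image can simply alter the recorded hash to match.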
Contain the Breach
Once you have a picture of the extent of the threat, you need to secure your systems to prevent the attack from spreading further. You may need to suspend accounts, block the attacker's addresses or isolate part of your network in order to put a halt to it. If the attack is bad enough, you may even have to temporarily take down the entire network, although this creates significant disruption to your business's operations. Containment should be coordinated with the forensics work: pulling the power on a compromised machine loses its memory contents, and visibly shutting the attacker out before you know every foothold they hold can prompt them to destroy evidence or move to a system you have not yet found. Disconnecting the network while leaving the host running usually preserves more.
Alert the Authorities
As you are evaluating the threat and trying to contain it, you also need to bring the authorities into the fold. Many businesses may be reluctant to bring in the authorities for fear of punishment or disruption of operations, but agencies such as the Secret Service and FBI can be helpful in these situations.
They can work alongside your business to investigate the attack and also liaise with the media. If there have been other victims, they can coordinate information which may help to mitigate the effects.
Analyze and Investigate
Once the attack has been contained, it is time to analyze the situation and figure out what has taken place. This includes finding out when the breach occurred, how it happened and what was affected. Once your organization knows more about what happened, it can begin planning how it will rectify the situation. Each step of the investigation also needs to be documented to meet regulations.
After the breach, you should analyze what went wrong in order to learn from the event. Your company may need to update its policies to prevent future attacks in a similar vein. This may include more employee training, further security measures or changes to how the incident response team functions.
Remediate the Situation
After the breach has been halted and understood, it is time for your company to begin its recovery from the attack. The necessary actions will depend on the extent of the breach, as well as your industry. If your company is found to be negligent or at fault, it may have to pay fines or other penalties.
It is hard to give specifics on any legal ramifications, because in the US there is a patchwork of laws that vary by jurisdiction and by industry. This is why it is important to have experienced lawyers on hand. Your company may be required to notify the public, the media, or individuals if their data has been affected.
If this is the case, it is best to have public relations experts on board who can help with damage control. Your company's reputation is important, so you may want to offer affected parties some form of compensation as well. In the case of individuals whose payment card data has been breached, it is common to offer free credit monitoring.
A Breach Can Happen at Any Time
When it comes to breaches, you shouldn’t be thinking in terms of if, but when. Cyber criminals are incredibly resourceful and the number of attacks continues to grow. If your company hasn’t suffered any significant attacks yet, you should be considering yourself lucky. It is important to not become complacent with your defenses – instead, you need to make sure that your incident response team is always ready for action. You never know when you’re going to have a really bad day.