Maybe your company has suffered a data breach in the past. Or you’ve just suffered one. Or maybe you know someone who went through a data breach.
A data breach is the second worst event that can happen in an organization; mismanagement of communication about the response is the worst. The time spent on a breach is longer than you might think: including audit, regulatory, and litigation work, it can last years.
If a breach occurs, these are the eight steps we think you should take within 48 hours to manage and contain the situation as best you can. Regardless of the type of breach, these steps apply whether a single device, a series of systems, or the entire company is affected.
Take the devices that are affected offline, but don’t shut them down or make any changes – yet. The goal for this step is to stop any ongoing activity by limiting communication to and from the systems that are impacted, but not taking any action that could erase clues, affect evidence or assist the attacker.
In the case of virtual machines or other systems you can snapshot, do so at this point so you have a recorded version of the system at the time of the breach. You can analyze the snapshot later, in an offline state.
Make Sure That Auditing and Logging is Ongoing
Making sure that the existing auditing system remains intact and has been working is one of the most useful steps you can take to determine the scope of the breach and to identify improvements. If auditing has been disabled (to cover one's trail, for example), restore it before moving forward. Intact logs also tell you whether the breach activity is ongoing and let you determine when it has ended.
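A concrete way to check the point above, as an added example that is not part of the original article: scan the log lines from the incident window for explicit audit-daemon stop and start events and for silent periods longer than a threshold, which are the usual signs that logging was disabled to cover an attacker's trail. The log lines below are constructed for the example, and the record format "<ISO-8601 timestamp> <host> <message>" is an assumption; adapt the parser to your own log source.

```python
"""Check that audit logging stayed intact during the incident window.

Added example, not from the original article. The sample log and the
line format "<ISO-8601 timestamp> <host> <message>" are constructed
for the example.
"""
from datetime import datetime, timedelta

# Constructed sample: auditd is stopped via sudo, and nothing is logged for
# about 95 minutes until it comes back. That window cannot be trusted.
SAMPLE_LOG = """\
2017-03-02T09:58:00 fileserver01 sshd[2201]: Accepted password for jsmith from 10.0.4.17 port 51022 ssh2
2017-03-02T10:02:30 fileserver01 sudo: jsmith : TTY=pts/0 ; COMMAND=/bin/systemctl stop auditd
2017-03-02T10:02:31 fileserver01 auditd[412]: The audit daemon is exiting.
2017-03-02T11:37:45 fileserver01 auditd[9031]: Started dispatcher: /sbin/audispd pid: 9033
2017-03-02T11:38:10 fileserver01 sshd[2201]: Disconnected from 10.0.4.17 port 51022
"""

# Message fragments that mark the audit daemon going down or coming up.
AUDIT_STOP_MARKERS = ("The audit daemon is exiting",)
AUDIT_START_MARKERS = ("Started dispatcher",)


def parse_line(line):
    """Split one record into (timestamp, host, message). Format is assumed."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def find_audit_events(lines):
    """Return (timestamp, 'stop' | 'start', message) for audit daemon state changes."""
    events = []
    for line in lines:
        ts, _host, msg = parse_line(line)
        if any(marker in msg for marker in AUDIT_STOP_MARKERS):
            events.append((ts, "stop", msg))
        elif any(marker in msg for marker in AUDIT_START_MARKERS):
            events.append((ts, "start", msg))
    return events


def find_silent_periods(lines, max_gap=timedelta(minutes=30)):
    """Return (start, end, duration) for each gap between consecutive
    records that exceeds max_gap. A busy host that logs nothing for that
    long either lost its logging or had it switched off."""
    stamps = [parse_line(line)[0] for line in lines]
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_gap:
            gaps.append((prev, cur, cur - prev))
    return gaps


def audit_coverage_report(log_text, max_gap=timedelta(minutes=30)):
    """Combine both checks into one report for the incident window."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    return {
        "audit_events": find_audit_events(lines),
        "silent_periods": find_silent_periods(lines, max_gap),
    }


if __name__ == "__main__":
    report = audit_coverage_report(SAMPLE_LOG)
    for ts, kind, msg in report["audit_events"]:
        print(f"{ts}  audit {kind:5s}  {msg}")
    for start, end, duration in report["silent_periods"]:
        print(f"no records between {start} and {end} ({duration}); treat this window as untrusted")
```

Run against the sample, the report shows one stop event, one start event, and a single silent period of 1 hour 35 minutes between them. Any activity you later reconstruct inside such a window has to come from other sources (network logs, the snapshot from step 1), because the host's own audit trail for that period does not exist.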
Change Passwords or Lock Credentials
Changing passwords or locking credentials is a common step in preparing to investigate a breach, since it helps to establish when the breach ends and because data breaches rely on compromised passwords and credentials. Make sure to apply this step to all the accounts that are involved, whether confirmed or suspected.
Determine the Impact
Now the investigation begins. Figure out exactly what happened: what information was accessed, which systems were compromised, and which accounts may have been used. You will need the logs and the auditing tools described in the earlier steps. Determine and establish the scope of the breach so you can communicate how to solve it.
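The credential-locking step and the impact assessment above share the same evidence, so here is one added example (not from the original article) that does both from authentication records: starting from the accounts you already suspect, it pulls in any other accounts used from the same source addresses, lists which hosts each account successfully reached and when, and flags any successful login after the time the credentials were locked, which means the breach is still ongoing or the lock was incomplete. The records and the format "<ISO timestamp> <host> user=<name> src=<ip> result=<ok|fail>" are constructed for the example.

```python
"""Scope a breach from authentication records and verify that locking
credentials actually ended the activity.

Added example, not from the original article. The sample records and
their format "<ISO timestamp> <host> user=<name> src=<ip> result=<ok|fail>"
are constructed for the example.
"""
from datetime import datetime

# Constructed sample: jsmith is the account known to be compromised. The
# same external address also uses svc_backup, and keeps using it after
# jsmith was locked. kwong is an unrelated internal login.
SAMPLE_AUTH_LOG = """\
2017-03-01T22:14:05 vpn-gw user=jsmith src=203.0.113.45 result=ok
2017-03-01T22:20:41 fileserver01 user=jsmith src=203.0.113.45 result=ok
2017-03-01T23:02:12 db-prod-2 user=jsmith src=203.0.113.45 result=fail
2017-03-01T23:02:40 db-prod-2 user=svc_backup src=203.0.113.45 result=ok
2017-03-02T08:30:00 fileserver01 user=kwong src=10.0.4.22 result=ok
2017-03-02T10:45:00 vpn-gw user=jsmith src=203.0.113.45 result=fail
2017-03-02T11:10:00 db-prod-2 user=svc_backup src=203.0.113.45 result=ok
"""

# Constructed: the moment the suspected credentials were locked (step 3).
LOCK_TIME = datetime.fromisoformat("2017-03-02T09:00:00")


def parse_record(line):
    """Parse one record into a dict with ts, host, user, src, result."""
    ts, host, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record.update(ts=datetime.fromisoformat(ts), host=host)
    return record


def expand_suspects(records, seed_accounts):
    """Grow the suspect set with accounts used from the same source
    addresses, repeating until no new accounts appear. Failed attempts
    count for linking a source address, since they still show who was
    behind it. Returns (accounts, source addresses)."""
    suspects = set(seed_accounts)
    while True:
        sources = {r["src"] for r in records if r["user"] in suspects}
        linked = {r["user"] for r in records if r["src"] in sources}
        if linked <= suspects:
            return suspects, sources
        suspects |= linked


def scope_breach(log_text, seed_accounts, lock_time):
    """Return per-account hosts and activity window, the attacker's source
    addresses, and successful logins that happened after lock_time."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    suspects, sources = expand_suspects(records, seed_accounts)
    seeds = set(seed_accounts)
    accounts = {}
    post_lock = []
    for r in records:
        if r["user"] not in suspects or r["result"] != "ok":
            continue  # only successful logins define reached hosts
        acct = accounts.setdefault(r["user"], {
            "derived": r["user"] not in seeds,   # added by source-address linking
            "hosts": set(),
            "first_success": r["ts"],
            "last_success": r["ts"],
        })
        acct["hosts"].add(r["host"])
        acct["first_success"] = min(acct["first_success"], r["ts"])
        acct["last_success"] = max(acct["last_success"], r["ts"])
        if r["ts"] > lock_time:
            post_lock.append((r["ts"], r["user"], r["host"]))
    for acct in accounts.values():
        acct["hosts"] = sorted(acct["hosts"])
    return {
        "accounts": accounts,
        "attacker_sources": sorted(sources),
        "post_lock_successes": post_lock,
    }


if __name__ == "__main__":
    result = scope_breach(SAMPLE_AUTH_LOG, ["jsmith"], LOCK_TIME)
    for user, info in result["accounts"].items():
        tag = "derived" if info["derived"] else "seed"
        print(f"{user:12s} [{tag}] hosts={info['hosts']} "
              f"{info['first_success']} .. {info['last_success']}")
    print("attacker sources:", result["attacker_sources"])
    for ts, user, host in result["post_lock_successes"]:
        print(f"STILL ACTIVE after lock: {user} on {host} at {ts}")
```

On the sample, only jsmith was locked, but svc_backup is linked to the same address and logs in successfully two hours after the lock, so the scope widens to a second account and a database host and the breach is not over. That is exactly the "confirmed or suspected" point from the credential step: lock everything the evidence connects, then re-run the check to confirm the activity has stopped.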
Determine How It Happened
It isn’t enough to repair a breach based solely on its impact. You have to find the root cause, or you are only putting a temporary band-aid on the situation.
A variety of situations can cause a breach. Did someone give out their password? Was a system not patched for a particular vulnerability? Did someone plug an unauthorized laptop into the company network and introduce malware? Or did an employee leave an unencrypted phone in a taxi, exposing the organization to blackmail?
One thing that often gets missed is that if your organization is targeted, it’s not uncommon for multiple groups to attack it without awareness of one another. The attack could come directly or through the supply chain, partners, subsidiaries, or contractors.
Determine What Needs to Be Done
This is the step where you build out a remedy. You’ll need to establish whether you need to remotely wipe a stolen mobile device, update software, change network firewall rules, segregate subnets, run anti-malware scans, increase logging and alerting, or take other technical steps. Each of these needs to be planned out. Then, they need to be acted upon immediately.
Communicate the Details to the Appropriate Internal Personnel
It’s not just the technical steps that you need to worry about. There’s also the communication and notification process.
Who needs to be told that the breach occurred, how it occurred, what details are involved, and what needs to be done? Legal, PR, customer service, stakeholders, and HR may all need to be involved in the post-breach clean-up.
Make Public Announcements and Prepare for Responses
This isn’t going to be the most fun step in the process, but it will be up to someone to make a public announcement. This could be through a press conference, series of emails, announcements on social media, website announcements, or any other form of communication that exists between your company and the outside world.
Make sure that the organization describes what’s been done to fix the breach, what the intentions for the future are, and whether there are any steps customers should take to protect themselves, such as changing passwords, contacting their credit card companies, or placing fraud alerts.
After the Breach
Even after the breach there are a few things you should do. These reinforce your defenses once the dust has settled, and they are steps you should take to ensure that you won’t find yourself in the same place in the future.
Identify Areas for Improvement
Every breach occurs through a gap.
For example, a gap in training, awareness, security measures, or technological capabilities. Figure out where the gaps occurred so you can fill them, whether through increased education, tighter compliance, or other measures, and apply the fixes as needed.
Work on Preventing the Next Data Breach
Focus efforts on reducing the risk of recurrence.
Improve patching tools if exploited vulnerabilities were the source of the breach. Mandate encryption if company information was stolen from a micro-SD card in an Android tablet. Use stronger authentication methods (two-factor authentication is highly recommended) where required. Consider other measures that can improve your company’s chances in the future and apply them as necessary.
We hope that you won’t have to follow these steps in your company’s future. But, if you do, we hope that these steps are useful. Data breaches can happen to anyone, so it’s good to be prepared.
Matteson, S. (2017). 8 steps to take within 48 hours of a data breach. Retrieved from https://www.techrepublic.com/article/8-steps-to-take-within-48-hours-of-a-data-breach/