You woke up to an active data breach: what now?
You get a call in the middle of the night. Your security team alerts you to an active data breach. What do you do?
First, don’t panic! Take a deep breath and explore your options.
Every company, big and small, experiences security incidents from time to time. The ones who stay out of the headlines already have a plan in place to respond to such events.
Although different types of security incidents demand different kinds of specialized responses, some common steps cover them all. For example, although it sounds obvious, the first step is to remove active attackers from your network and contain the incident.
In this blog post, we’ll go over some logical and effective steps to respond to an active security event.
Contain the data breach
You must stop a data leak as soon as possible. Your only goal right now is to get active intruders off your network to prevent further unauthorized access. You can do this by isolating the affected systems, devices, or even the network.
If the data breach is limited to a single device (like a desktop or a server), remove that device from the network immediately. This is simple: unplug the network cable or disable wireless access. If attacker-controlled processes are still running on the device, do whatever you can to kill them.
If you don’t know which device was compromised, but you’re able to trace it to a particular area of your network, segment and isolate the region from the rest of your network. If you’re unable to separate it, disconnect the network from the router, firewall, or ISP.
Assess the damage
Once the threat is contained, you must conduct a forensic investigation. You should trace how your data was accessed, what was accessed, and the overall impact of the incident.
Ask yourself the following questions:
- What was the attack vector?
- What was the attack based on?
- Was it social engineering? Or was it an insider threat?
- What type of data was affected?
- Was any sensitive data accessed?
- Was any of the information considered high-risk?
- Was that data encrypted?
- Did we back up the data?
The answers to these questions above will shed light on what happened. It’ll also give you an idea about how dire the consequences will be. But regardless of the answers, get your team to work resetting passwords and implementing multi-factor authentication (if you haven’t already!).
Don’t hesitate to notify those affected
If the unthinkable happens, don’t hide it. Notify those affected by the data breach immediately. Coming clean quickly will also help you when dealing with regulators (for example, under regulations like GDPR).
It’s undoubtedly a good idea to wait until all systems are deemed safe before breaking the news. But that doesn’t mean that you can wait for weeks or even months to do it.
The sooner you notify all those impacted by the breach, the better. If you delay or try to hide it, the impact on your brand image will be catastrophic.
Conduct a security audit
Once the worst is over, perform a security audit. While it’s important to do this regularly, it’s critical to conduct an audit right after a data breach.
First, ascertain how the hackers were able to penetrate your network. Examine all rDNS records, open ports, network and server systems, and even employee logs. Your findings might come as a surprise as social engineering and brute force attacks remain rampant.
It’s also essential to examine the fall-out from this incident. What did the hackers steal? Has this information ended up on the dark web? Can they leverage it and initiate more attacks? If cybercriminals stole sensitive customer data, you must inform those customers immediately.
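The audit step above points at employee and server logs and notes that brute force attacks remain rampant. The following is an added example, not code from the original post: it parses a handful of constructed sshd authentication log lines (the hostname, IP addresses and usernames are invented) and flags source addresses that produced a burst of failed logins inside a short window, marking the finding as a likely compromise when a successful login from the same address follows the failures. The threshold, window size and log year are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not from any real system).
# One source address fails repeatedly against several accounts and then succeeds;
# a second address has a single typo-style failure before a key-based login.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  3 02:14:06 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar  3 02:14:09 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar  3 02:14:12 web01 sshd[2209]: Failed password for deploy from 203.0.113.45 port 51162 ssh2
Mar  3 02:14:15 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51170 ssh2
Mar  3 02:14:18 web01 sshd[2213]: Accepted password for deploy from 203.0.113.45 port 51177 ssh2
Mar  3 02:20:41 web01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Mar  3 02:20:55 web01 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar  3 03:01:10 web01 sshd[2400]: Accepted publickey for bob from 192.0.2.10 port 50100 ssh2
Mar  3 03:05:00 web01 kernel: [12345.678] unrelated kernel message
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2024):
    """Turn raw syslog text into a list of auth events; lines that are not sshd auth lines are skipped.

    Syslog lines carry no year, so one is assumed (parameter) to build real timestamps."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
                       "outcome": m["outcome"], "method": m["method"]})
    return events


def detect_brute_force(events, threshold=5, window_seconds=300):
    """Return {source_ip: finding} for addresses with >= threshold failures inside any sliding window.

    A finding also records whether an Accepted login from that address followed the first failure,
    which is the signal that the guessing may have succeeded and the account needs a reset."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e["ts"] for e in evs if e["outcome"] == "Failed"]
        # Two-pointer scan: largest number of failures that fit inside one window.
        best, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue  # below threshold: noise such as a mistyped password
        first_failure = failures[0]
        findings[ip] = {
            "max_failures_in_window": best,
            "first_seen": first_failure,
            "targeted_users": sorted({e["user"] for e in evs if e["outcome"] == "Failed"}),
            "success_after_failures": any(
                e["outcome"] == "Accepted" and e["ts"] >= first_failure for e in evs),
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        status = "LIKELY COMPROMISE" if f["success_after_failures"] else "attempts only"
        print(f"{ip}: {f['max_failures_in_window']} failures from {f['first_seen']} "
              f"against {f['targeted_users']} -> {status}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh` output) the same two functions apply unchanged; the threshold and window should be tuned to the environment, and a finding with `success_after_failures` set is the one that feeds directly into the password-reset and MFA step described earlier.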
Update your disaster and recovery plan
Going through the steps above feeds into a review of current processes. After a few months, it’ll be a good idea to review how you responded to the data breach. It’ll also help you understand what could have been done better.
Your post-breach analysis could turn into a learning opportunity. This approach also helps avert another potential data breach.
As there isn’t a turn-key cybersecurity solution, you’ll always have to take a proactive approach to security. Part of this process is to keep training employees and keep them alert to suspicious activities.
To recap:
- Don’t panic!
- Contain the data breach
- Assess the damage
- Reset passwords
- Notify everyone affected by the breach
- Conduct a security audit
- Update your disaster and recovery plan
Keeping the above in mind, it’s also important to address a glaring problem across industries. For most companies, responding to a security event isn’t the primary issue. What’s challenging is knowing when a cyberattack is taking place.
Enterprises have taken more than six months on average to detect a data breach. While that figure boggles the mind, it reaffirms the fact that we’re still not doing enough to ensure security and privacy.
If you need help securing your enterprise infrastructure, we can help. Reach out to one of our in-house security experts.