You have been breached, now what? Post-incident response guide

What do Bell Canada, the CIA and Hollywood celebrities have in common? They were victims of data breaches in 2017.

The continuing stream of news about data breaches illustrates that this year will be just as damaging to organizations as last year was. (More than three billion digital records were stolen in 2016, according to ZDNet.) As I’ve written before, it’s not a question of if your organization will suffer a data breach, but when.
Aside from implementing proper preventative and detection cyber security capabilities, having a post-incident response plan in place is the most critical step in today’s digital age. No cyber security measure is infallible; having an action plan for the inevitable breach will make the difference between it being a contained event and a spiraling unmitigated disaster. If you prefer the former outcome, here’s a five-step post-incident response guide to help your organization best prepare for the worst.

1. Assess Damage and Evaluate Losses

After a breach, there’s no time to point fingers or wonder what would have happened if your security protocols had been different. Structural review and changes can come later. First, it’s paramount to assess the damage of the breach and evaluate any and all losses.

Catalog what type of data was stolen. Was it personally identifiable information? Financial records? Proprietary data? Getting a quick handle on what was taken will help assess whether you’ve suffered a minor or full-blown breach and thus dictate the course of the incident response.

It’s critical to objectively and accurately evaluate loss. Can the breach be mitigated so it’s only a minor issue, or was the stolen information vital to your organization’s future? Determine if the breach was caused by stolen passwords that can still access servers and other accounts where more valuable data can be accessed. Act quickly, decisively and intelligently during this first step. Every decision matters.

2. Isolate Your Network

Don’t take any chances that the breach was isolated and thus containable. Assume the cybercriminals could access all files, even if the initial discovery suggests otherwise.

Change employee credentials as soon as possible for important online accounts and servers or for those you know have been breached. Do this for any access point that leads to where you store vital data. Then, if possible, go a step further and temporarily take that data offline by isolating the network.

It might seem counterproductive and risky to deny access to data and servers, or to go offline for a day or two, but you’ll need to isolate the scene of the crime. It will be hard for your IT team or cyber security partner to assess damage if employees are still accessing files.

3. Determine The Source

Trace the source of the breach by using logged data and any other audit trail you have at your disposal. More often than not, the weakest link in your system are the humans who use it.

Verizon’s 2016 Data Breach Investigations Report showed that human vulnerabilities and errors continue to be among companies’ top data security threats. Almost 70% of data breaches now involve spear phishing attacks that take advantage of human carelessness, Verizon found. When conducting your post-incident investigation, find out if an employee was similarly tricked into taking action.

Also, don’t rule out intentional internal theft. A disgruntled employee who stands to financially gain from stealing sensitive information could be behind your data breach. Chances are it was an unintentional mistake if the breach started from the inside, but it doesn’t hurt to check all avenues.

4. Report the Breach to Decision Makers

Executives and board members will want a full accounting of what happened and what can be done to contain damage. Be prepared to hear every possible question from these stakeholders. Get ready in advance by creating an all-encompassing review that leaves no stone unturned. Here is a great post incident presentation template to save you valuable time.

For this executive summary, list the assets that were compromised and the business units and processes that were involved, describe the current and future impact of the breach, talk about what allowed it, and detail how mitigation efforts with customers and potentially the government is faring.

The goal of any such executive briefing is to give board members confidence. Fully explain the incident so that board members will know you have done due diligence. The discussion that follows will focus on protecting the organization, and not on triggering executive changes.

5. Learn from the Breach

As painstaking as a breach is, it is a learning experience. The same dangers will always lurk, and, if anything, they will become more complex and harder to detect.

As long as cybercriminals and hackers can profit from data breaches, they will continue to target organizations. As long as humans use digital systems, they will make mistakes and be victims of malware attacks. It’s important to review how your organization was breached so that subsequent employee training and vigilance can incorporate those teaching moments. There’s nothing like learning from experience.

Follow these five steps and you should be in a strong position to minimize the data breach that will eventually happen to your organization.

It will also help to be prepared for that eventual board meeting. CyberInt has a handy, ‘Post-Incident Presentation’ template-pack for CISOs to use in their first board meeting after their company suffered a cyber attack. Download the post incident presentation template here.

Still need help? We’re here and can always support you during these crucial times. Speak to one of our experts today on how we can help.