Incident Response: 10 Things to Do if You Have a Data Breach

Among other things, the SecurityMetrics Security Operations Center (SOC) works with small-to-medium sized businesses to help them understand the best way to respond to a data breach.

The SecurityMetrics SOC typically focuses on proactive activities to help prevent a breach, while the SecurityMetrics Incident Response Team provides the reactive response after a breach. What is challenging for businesses of all sizes is ensuring a breach response plan is in place, tested regularly, and applies to the threats that typical businesses would face.

Many of the common mistakes that occur before, during, or after a data breach are a result of gaps in incident response plans.

Whether an incident response plan is in place or not, there are steps you can take to minimize the impact of compromise. Here are our top ten recommendations and best practices when responding to a small-to-medium sized business data breach.

Ten tips for data breaches

1. Stay calm and stop the breach:

This is easier said than done during a high-stress event. It is especially true if your entire network goes down and you're unable to process credit card transactions, or, worse yet, you receive a notice from a threat actor demanding a ransom for your encrypted data. You might be tempted to rush into recovery.

However, panicking and randomly powering compromised machines on or off, asking your IT person to quickly patch the hole, or closing off a port on the firewall just to get your business back up and running can make the situation worse. Rebooting or wiping a compromised machine, for example, destroys volatile evidence that investigators need to determine how the attacker got in and what was taken.

2. Ensure your Information (or Data Security) Policy contains an Incident Response (IR) Plan:

Chances are this was a requirement for compliance, so you may have a security policy already created. Be aware that your IR plan may be part of your overall information security policy or written as a separate document. What you want is immediate guidance on how to handle potential security incidents. Your goal is to avoid critical response mistakes in this high-stress period. A written checklist or IR plan helps provide some structure and guidance.

3. No policy? No IR Plan? Find an emergency incident response plan (or outline) for guidance:

Do this BEFORE you investigate or turn the business back on. If you do not currently have an IR plan, you should create a temporary response plan, or, at a minimum, find an IR outline to help guide you.

While your business will not be able to follow every step in an emergency response plan, it will provide a quick reference to help minimize impact, ensure business continuity, and speed recovery following an incident.

4. If you have a policy or IR plan, find guidance in these two critical areas:

If you're lucky enough to have an IR plan, quickly review organizational responsibilities and communication channels. When stress is high, the last thing you want is finger pointing, more confusion among employees, or the wrong information being communicated and then accidentally (or intentionally) leaked on social media or in the local news.

If the employees involved have no clear need to know what is going on, or lack the expertise to respond to the incident, response steps will be missed or slowed, and confusion and chaos will grow. This means greater impact (and response cost) to your business.

5. Manage and control the flow of communication:

Only certain parties and employees need to be in the know. Your goal is to increase the efficiency of the response communication process. You must do all you can to avoid sensitive information being disclosed to unnecessary parties.

Employees can unintentionally or unknowingly damage your business's reputation or increase the cost of the response simply because everything you are doing to respond has been over-communicated. Be cautious about what you communicate and to whom.

6. Assess the damage to determine if you need to call in the cavalry:

It is always best to have someone on retainer (or on speed dial) to help engage the IR process. Many small, medium, or micro-sized businesses rely on their IT person to conduct incident response and recovery. Keep in mind that IT staff typically do not specialize in security and incident response. Their focus is generally getting your network up and running while ensuring everything stays connected.

Therefore, finding the right IR vendor or third party who can work within your budget and ensure all breach legal requirements are fulfilled is key. Vetting vendors and having IR contracts in place prior to the breach is a great best practice. The SecurityMetrics Incident Response Team offers a variety of price options and IR services to meet the response needs of all types of businesses. 

Additionally, the SecurityMetrics SOC has established relationships with a variety of law enforcement partners for assisting in the recovery process. No matter which partner you choose (internal vs. external), the goal is always to stop the breach and assess the damage. The right IR vendor will have a response plan that follows a minimum of four key steps: contain, assess, notify, and review.

7. Determine your legal requirements:

You can quickly brush up on your local, state, and regulatory breach notification laws, including any data breach defense laws. If you are lucky enough to have a lawyer on retainer, this can help your efforts. Whatever damage the investigation uncovers will fall under applicable state, federal, or industry regulations.

Breach notification laws are a confusing patchwork of legislation, and many states are now enacting data breach defense laws that provide you with more protections if you can prove certain security controls were in place prior to the breach. Utah and Louisiana are examples of states with such laws. This is why having an incident response vendor on retainer can be helpful: they can assist in identifying and collecting the specific evidence required for reporting.

8. Notify those that are affected or impacted:

The timeline for reporting breaches is always governed by regulations. As the investigation wraps up, you will begin to discover who was, or could have been, affected.

Notifying your customers and following your state’s reporting laws can be a daunting process. You may be required (based on your state, federal, or industry regulations applicable to your business) to notify the authorities, employees, third parties, vendors, and specific sets of customers (versus a blanket announcement to all). 

You will also want to ensure your notification goes out through proper channels. Notifications may include emails, mass mailings, social media postings, notices on your website, phone calls, or a combination of these, depending on applicable laws. What must be included in your notification also depends on the laws you are governed by, so you may need to include the date of the breach, what was compromised, where it was compromised, what steps you are taking or have already taken, and what the recipient can do for further protection.

This is your opportunity to be candid, forthright, and maintain organizational integrity to save your business’s reputation, combat any negative press backlash, or prevent legal disputes. 

Finally, remember that failing to follow through on notifications could subject you to state or federal penalties, future legal trouble, or, in some cases, the loss of your ability to use a specific credit card vendor.

9. What to do in the recovery phase:

As you move into the recovery phase, you'll want to perform a security audit. This audit can be performed internally; however, it is best to use a vendor who can provide objectivity and expertise.

An outside auditor gives you a better defense in court by demonstrating that your business took all reasonable efforts to perform due diligence. An audit vendor like SecurityMetrics can provide the level of scrutiny a post-breach audit demands, which goes beyond a routine audit.

Many businesses assume their IT staff are sufficient to conduct this type of post-breach audit, but this is not always the case. An audit after a data breach should analyze the situation both before and after the breach. These deep-level audits must examine all systems and attack surfaces so that a proposal for new fixes and policies can be provided that works within your budget and staffing constraints.

10. Prevent future attacks:

Once your business has contained, assessed, notified, audited, and taken all appropriate steps for recovery, it's time to prepare. It is not a matter of if it happens again, but when. The importance of preparing for another attack can't be stressed enough.

Threat actors now know you are a target, and the chances that you will be attacked again rise substantially. It is entirely possible that the same threat actor or group will try again months or years later, since they have already succeeded in attacking your business.

You will want to develop a more proactive, defense-in-depth approach to security, such as the low-cost SecurityMetrics SOC services. SOC services have threat hunters on staff who find and notify you when threat actors are targeting your business.

Additionally, your defense-in-depth recovery plan should include purchasing endpoint security software, writing new privacy policies, offering more security awareness training for employees, and enforcing policies with third-party businesses.

Lastly, spend time improving your incident response plan by testing, evaluating, and updating it. You should go through these steps at least semi-annually. If time permits, conduct a tabletop exercise with your management staff so they know what to do during the next breach. When employees understand their duties during a breach, the overall response to the next security incident is much better.

Director of SIEM Operations