Finding out that your organization has been the victim of a data breach, either directly or through a third party vendor, can be scary and confusing.
Data breach costs rose from USD 3.86 million to USD 4.24 million in 2021, with remote work, compromised credentials, and human error as leading causes. In the US, the number of breaches reported by Q3 2021 has already exceeded the total number for 2020.
Don’t panic! Here’s what to do if your organization gets hit.
Time is of the essence. To stop the spread and prevent further data loss, secure your systems, change passwords and access codes, and fix any identified vulnerabilities that may have caused the breach. If you don’t have a breach response team, assemble any personnel who may be able to help: legal, IT, security, operations, PR, and management.
Take all affected equipment offline, but don’t turn it off. Every piece of evidence is useful for the post-breach investigation. Make sure you’re closely monitoring all entry and exit points, especially those involved in the breach.
Once the first critical steps are taken, take a deeper dive into researching what happened to better understand how badly the organization has been impacted. These findings will lead to subsequent actions such as notification and remediation.
You’ll need to know how the attackers got into the network and the scope of the attack – which systems were impacted, what data has been compromised, and whether the attackers are still inside the network.
Consider hiring independent specialists, such as forensic investigators or legal counsel with privacy and data security expertise. They will help you collect and analyze evidence and outline remediation steps.
If service providers or other third parties are involved, check what personal information or network applications they have access to, and change their privileges if needed.
Make sure your service providers are taking the necessary steps to prevent another breach, and are abiding by the security standards established in your contract.
Call your local police department immediately to report the situation, especially if there’s any potential risk for identity theft. If the local authorities are not familiar with cybersecurity incidents, you could also contact the FBI or the U.S. Secret Service directly.
If there was a ransomware infection, authorities might be able to help you negotiate, or even put you in touch with security specialists that offer decryption keys and mitigation tools.
Once you’ve gathered enough data to understand the scope of the breach, reach out to all affected audiences — employees, customers, investors, business partners, and other stakeholders. Be transparent and share any advice that could help consumers protect themselves and their information.
Provide details on:
It’s common practice to post FAQs, as your website is the first place where people would expect to find updates. Answering their questions up front can limit their concerns and frustration, and will allow your team to focus on remediation.
Your legal advisors will help you understand where your organization stands in terms of liabilities and regulations. Most states have enacted legislation requiring notification of security breaches involving personal information; California’s CCPA is one example.
If your organization is subject to the GDPR, notification to the local regulator must take place within 72 hours of the breach being discovered. However, it’s important to understand what the minimum requirements for notification are, as some incidents may not demand it.
Depending on your industry and the types of information involved in the breach, there may be additional laws or regulations that apply to your situation. For example, if electronic health records were affected, you could be subject to the Health Breach Notification Rule and would need to notify the FTC. Or you could be covered by the HIPAA Breach Notification Rule, and would need to notify the Secretary of the U.S. Department of Health and Human Services (HHS).
In the case of other data like credit cards, bank account numbers, or Social Security numbers, notify the institution that stores them so they can help monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other organizations, notify them of the data breach.
Once the scope of the breach is clear and the researchers are confident the attackers no longer have access to the network, it’s time to get things back up and running.
When you get the green light, start restoring systems from backup and reconnecting compromised machines.
Threat actors are increasingly returning to compromise organizations multiple times, which makes it even more important to learn from what happened in order to stay ahead.
This could mean improving the patching cadence, updating network segmentation, changing password policies and user privileges, increasing security awareness training, implementing multi-factor authentication (MFA), strengthening your third party risk management program, or other changes to processes and technology.
Whether you had it before the incident or not, there are surely new lessons to be learned. Make sure you create or update a formal incident response plan. You could follow guidance from entities like the US National Institute of Standards and Technology (NIST), the SANS Institute, or the UK’s National Cyber Security Centre (NCSC).
Be sure to test the plan periodically so everyone is aware and prepared, and the document itself is up-to-date.
A plan of this sort is an essential cybersecurity best practice in today’s interconnected business world, as organizations expand their digital infrastructure – and therefore the attack surface.
Vetting your vendors before engaging with them, performing continuous monitoring, prioritizing alerts, and proactively remediating risk vectors enable you to reduce data breach risks.
ThirdPartyTrust complements robust data breach response plans by helping you understand and continuously monitor the security posture of your third parties, giving you complete visibility into your supply chain and the effectiveness of its controls. When something changes or no longer meets your security standards, you’ll be notified so that you can more efficiently prevent a data breach.
Being the victim of a data breach can be a stressful situation, especially if there are other threats involved, such as ransomware actors demanding payment. However, working methodically is the only way to get the business operational again.
Try to avoid knee-jerk reactions and follow your incident response plan. If you don’t have one, this can serve as a learning experience to make sure that any pathways used by the attackers can’t be exploited again in the future.
It is often said that data breaches are no longer a matter of ‘if’, but ‘when’. So ‘when’ it happens, your customers, partners, and investors will expect to be able to trust your organization. It’s the way you react that will determine whether they stay or leave.