7 critical steps you need to take as soon as your data is breached
Despite our best intentions, sometimes the worst can happen. We’ve talked before about how to prevent a data breach and keep your business assets safe from criminals, but what do you do when a breach happens regardless?
According to insurance company Zurich, nearly one million SMEs suffered a cyber security breach in the last 12 months. And of the businesses affected, 21% reported that it cost them over £10,000. With these kinds of statistics, it’s important to be realistic with your cyber security efforts and ensure that you know how to respond if a data breach occurs.
Whether the breach is of just one device or of companywide systems, here are the steps to take to give yourself the best chance of survival and recovery.
1. Stop everything
When data is breached, any affected device should be taken offline immediately, but it should also be left powered on, with no changes made right away. Why? The key just after an attack is to halt any communication between systems or devices, but not to hinder later analysis of machines by deleting clues or erasing evidence. Deleting clues or erasing evidence could also help the attacker.
If the breach happens on a system or virtual machine where you can take a snapshot, it’s a good idea to do this as soon as the attack is discovered. Once you’ve gone offline you’ll be able to analyse the snapshot to see what happened.
2. Make certain auditing and logging is regularly occurring
Ensuring that your system auditing and logging is fully operational is something that you, ideally, need to organise before a data breach. But it is also important to make sure it is intact after a data breach occurs. System auditing will help you to understand how far the breach has gone and remedy the situation. If after a breach you discover auditing has been turned off, make sure to restore it before you go any further as this will ensure you are better able to know if the breach is still ongoing or if it has ended.
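One way to check whether auditing stayed intact is to look for stretches where a machine stopped producing records. The Python sketch below is an added example, not part of the original article; the log layout, host names and 15-minute threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "<ISO timestamp> <host> <message>" layout.
SAMPLE_LOG = """\
2024-03-04T09:00:00 web01 audit: session opened
2024-03-04T09:05:00 web01 audit: config read
2024-03-04T09:10:00 web01 audit: session closed
2024-03-04T11:40:00 web01 audit: session opened
2024-03-04T11:45:00 web01 audit: session closed
2024-03-04T09:00:00 db01 audit: session opened
2024-03-04T09:06:00 db01 audit: query logged
2024-03-04T09:12:00 db01 audit: session closed
"""


def find_logging_gaps(text, now, max_gap=timedelta(minutes=15)):
    """Return (host, last_seen, next_seen, state) for each silence over max_gap."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines without a parseable timestamp
        seen[parts[1]].append(stamp)

    gaps = []
    for host, stamps in sorted(seen.items()):
        stamps.sort()
        # Silence between two consecutive records: logging stopped, then resumed.
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((host, prev, cur, "resumed"))
        # A host whose newest record is already old may still have logging off.
        if now - stamps[-1] > max_gap:
            gaps.append((host, stamps[-1], now, "still silent"))
    return gaps


if __name__ == "__main__":
    for gap in find_logging_gaps(SAMPLE_LOG, now=datetime(2024, 3, 4, 11, 50)):
        print(*gap)
```

A "still silent" host is the case described above where auditing needs restoring before anything else; a "resumed" gap marks a window the later analysis cannot see into.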
3. Switch up passwords and any login credentials
It might seem simple, but in the stress and panic that can surround a data breach, it might be something that gets forgotten. As soon as a data breach occurs you should change your password or any login or lock credentials. This will work to ensure that the breach doesn’t go any deeper, particularly as the most common attacks work by stealing credentials and passwords. The credentials of any account should be changed, no matter whether it is definitely involved or just suspicious.
4. Analyse the impact/effect
Once you’ve taken systems and devices offline, checked your auditing system, and changed credentials, you can start to look at the impact a data breach has made. Begin to consider what exactly happened, and see if you can ascertain the information that was accessed, the systems that were compromised, and the accounts that could have been used. You can use your audited systems and logs as a guide to get a good 360-degree view of the effect of the breach. With this knowledge, you can determine the level of impact and effect on the business.
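To show how logs can answer "which accounts and which systems", the Python sketch below (an added example, not part of the original article) reads OpenSSH-style authentication lines and lists every account that logged in, where from, and on which hosts, marking logins that followed repeated failures from the same source. The sample lines, host names, addresses and the threshold of three failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog wording.
SAMPLE_AUTH_LOG = """\
Mar  4 09:11:58 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51230 ssh2
Mar  4 09:11:59 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51231 ssh2
Mar  4 09:12:01 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51232 ssh2
Mar  4 09:12:04 web01 sshd[2213]: Accepted password for alice from 203.0.113.7 port 51233 ssh2
Mar  4 09:20:10 db01 sshd[901]: Accepted password for alice from 203.0.113.7 port 51290 ssh2
Mar  4 09:30:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar  4 09:31:00 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51300 ssh2
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def scope_accounts(text, fail_threshold=3):
    """Map each account with a successful login to its hosts, sources and risk flag."""
    failures = defaultdict(int)  # (user, source) -> failed attempts seen so far
    scope = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        entry = scope.setdefault(
            m["user"], {"hosts": set(), "sources": set(), "after_failures": False}
        )
        entry["hosts"].add(m["host"])
        entry["sources"].add(m["src"])
        # A success after many failures from one source suggests a guessed password.
        if failures[key] >= fail_threshold:
            entry["after_failures"] = True
    return scope


if __name__ == "__main__":
    for user, info in scope_accounts(SAMPLE_AUTH_LOG).items():
        print(user, sorted(info["hosts"]), sorted(info["sources"]), info["after_failures"])
```

Every account in the result is in scope for the credential change in step 3; the flagged ones and the hosts they touched are where the impact analysis should start.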
5. Work out what exactly happened
To really recover from a cyber attack you need to know the real root cause. Was it a password exposure? A patch that wasn’t updated? Was a device connected to the network that wasn’t authorised? Was an infected email link clicked on? Or was a company device lost or stolen? These are all common causes of a data breach and ones that require different methods to remedy.
Again, taking a look at the audits and logs and trying to work out the root cause will ensure you can effectively stop it from happening exactly the same way again. It’s also important to note that if your business has been attacked once, it may be on other cyber criminals' lists too so you need to be even more careful and ensure that you have closed any loopholes in your security system.
6. Decide what has to happen next
This is where you take the details and information you’ve gained from completing the previous two steps and use them to come up with a plan of action to recover from the damage. For example, do you need to update software or hardware, update anti-malware, employ an IT cyber security expert, or improve your audit and logging systems?
Once you’ve looked through and planned these all out you will need to start putting them into practice almost immediately.
7. Speak to the people
Once all the technical aspects are out of the way it’s time to talk to the people involved. Decide who you need to talk to about the breach, and also what you need to tell them. Some of the people you may need to have a conversation with include HR, legal, PR, customer services, and even stakeholders and customers.
You’ll also need to announce the details of the breach publicly. This is the step that strikes the most fear into people after a breach occurs. Even big companies try to avoid it. Uber was recently exposed for going to great lengths to cover up their data breach. But the truth almost always comes out, so it is better to be honest and transparent about any breach from the beginning, especially if you own a customer-centric business.
Once you’ve gone through all these steps your work isn’t over. Data breaches occur because of flaws in a business’s security system and so to make sure you haven’t been exposed to cyber criminals in the same way again you must find a solution. Whether it’s through training, new security systems, additional technology, or building awareness, make sure to take the time to work out how to prevent the next breach.
Talking to IT cyber security experts can help lower your level of risk for cyber attack. At Xenace, we come up with personalised security systems to help keep your business safe. Contact us now via our online form or give us a call on 0333 444 4402 to find out more about what we do.