Recovering from a breach

September 22, 2020

Cybersecurity article series:

  • Cybersecurity risk analysis
  • Staff training
  • Detecting a breach and immediate action
  • Recovering from a breach

Even after months or years of training your team to prevent and detect data breaches, it is still possible that your business joins the ever-growing list of hacking victims. Remember that a criminal only has to be lucky once to gain access to your data. If your business has been proactive in keeping its devices and networks safe and in preparing for a possible breach, you will have the upper hand, legally and ethically, if one does occur.

Once it has been confirmed that systems, networks or data have been compromised, a few specific actions will help you along the road to recovery.

  • Secure your systems from further intrusion. This should have been done when the initial breach was detected, but make sure that no further data loss can occur. The only thing worse than a data breach is multiple data breaches. Contain without destroying evidence: isolate affected hosts from the network rather than wiping, rebooting or reimaging them before the forensics team has captured disk images, memory and logs.
  • Determine exactly what data has been compromised. If necessary, divide the data into three categories:
    • Least sensitive: names and postal addresses. This information is most likely already available in the public domain and is generally not a serious cause for concern on its own.
    • More sensitive: email addresses, dates of birth, payment account or credit card numbers. Stolen email addresses increase the likelihood of spam and phishing; account and card numbers will likely result in fraudulent charges, which are usually recoverable. A date of birth by itself is not necessarily a risk, but combined with other fields (name, address, email) it is far more valuable to an attacker.
    • Most sensitive: social security or national insurance numbers, bank account details, and login credentials (usernames and passwords or password hashes).
  • Identify the members of your recovery team. Depending on the size of your business you may need to include:
    • Legal counsel, who will be your bridge between senior management, law enforcement and public relations.
    • Senior management, who will need to be advised of every step in the process.
    • Operations. If day-to-day operations are affected, you will need to plan for a smooth transition back to normal.
    • Information security/IT. Members of your IT team will be the core of the recovery effort. Team members who can spot subtle differences in network traffic, application changes and data manipulation will help to identify the vulnerabilities that were exploited.
    • Human resources personnel, who can assist in managing the team and identifying additional resources that may be required.
    • Computer forensics. To find traces the attackers left behind during the breach, it may be necessary to bring in computer forensics experts. It is unusual to find this expertise in a small business, so hiring a third party to assist may be unavoidable.
  • Log everything during the recovery phase: who did what, to which system, and when. Law enforcement will need to know exactly what your team has done to stop the intrusion, and any pertinent information discovered during the investigation must be recorded. Keep the original system logs intact and work from copies so that the evidence remains usable.
  • Fix vulnerabilities that are discovered throughout the process. Identify key areas that can be optimized for additional security like:
    • Third-party service providers. If you utilize any third-party services that have access to your networks or data, examine precisely what they can access and decide if access privileges need to be updated.
    • Network Segmentation. If you have more than one server or office, it is likely that your network was segmented to prevent a breach in one area from affecting another. Work with the forensics and information security teams to ensure that the segmentation plan was effective. If changes need to be made, implement them now.
    • Work closely with your forensics team. Find out what security measures were in place at the time of the breach. Were firewalls correctly configured? Was data encryption being used? Analyse backups that might help restore network functionality, and before restoring from any of them confirm that they predate the intrusion and do not contain the attacker's changes or persistence. Review system logs to determine who had access to which parts of the network at the time of the breach, and determine whether those people (and any service or third-party accounts) really need access to those resources.
  • Determine your legal requirements. It may be necessary to report data breaches to law enforcement officials and/or regulatory agencies, often within a fixed deadline (under the GDPR, for example, a notifiable breach must be reported to the supervisory authority within 72 hours of becoming aware of it). Make sure you comply with those legal obligations.
  • Update your risk register. Include all of the information relevant to the breach to ensure it can be reviewed and considered for future risk assessments.
  • Have a communication plan. Create a comprehensive plan that reaches all affected audiences; employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach and don’t withhold key details that might help anyone protect themselves and their information. Also, don’t publicly share information that might put people or businesses at further risk. Your legal team will probably hold the keys to the timing and nature of information regarding the breach and it is important to listen to their guidance. It is necessary and noble to want to tell those affected about the breach, but it is equally important to ensure it is done in the right way.
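Two of the steps above lend themselves to a script: tiering the compromised data by sensitivity, and reviewing the access log for the breach window against a least-privilege baseline so that over-privileged people and third-party accounts stand out. The Python below is an added example and is not code from the original article; the field names, tier assignments, log format, sample log lines and expected-access map are all constructed for illustration and would be replaced with your own data. The combination rule (date of birth plus name and address escalates to the top tier) is an assumed policy choice, not a rule the article states.

```python
"""Breach-scoping helpers: tier the exposed data, then review who touched
which resources during the breach window.

Added example, not code from the original article. Field names, tiers, the
log format and the expected-access baseline are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Sensitivity tiers following the article's three categories (assumed field names).
TIER_OF = {
    "name": 1, "postal_address": 1,
    "email": 2, "dob": 2, "card_number": 2, "payment_account": 2,
    "ssn": 3, "national_insurance_number": 3, "bank_account": 3,
    "username": 3, "password_hash": 3,
}


def classify_exposed(fields):
    """Return the highest sensitivity tier (1..3; 0 if nothing was exposed)
    for a set of exposed field names.

    Combination rule (assumed policy): DOB alone is tier 2, but DOB together
    with name and postal address is an identity-fraud kit, so escalate to 3.
    """
    fields = set(fields)
    unknown = fields - set(TIER_OF)
    if unknown:
        # Refuse to guess: an unclassified field must be triaged by a human.
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    tier = max((TIER_OF[f] for f in fields), default=0)
    if {"dob", "name", "postal_address"} <= fields:
        tier = 3
    return tier


# Constructed access-log lines: "<ISO-8601 UTC timestamp> <user> <action> <resource>".
SAMPLE_LOG = """\
2020-09-20T01:12:03Z alice READ fileshare/finance
2020-09-20T01:15:44Z vendor-backup READ db/customers
2020-09-20T01:16:10Z vendor-backup READ db/customers
2020-09-20T01:20:31Z bob READ fileshare/finance
2020-09-20T02:05:00Z svc-web WRITE db/customers
2020-09-21T09:00:00Z alice READ db/customers
"""

# Least-privilege baseline: the resources each account is supposed to touch.
# The third-party backup account is deliberately scoped to the backup share only.
EXPECTED_ACCESS = {
    "alice": {"fileshare/finance"},
    "bob": {"fileshare/finance"},
    "svc-web": {"db/customers"},
    "vendor-backup": {"fileshare/backups"},
}


def _parse_ts(s):
    # datetime.fromisoformat does not accept a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """Parse log lines into (timestamp, user, action, resource) tuples,
    skipping blank lines and rejecting malformed ones instead of guessing."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, user, action, resource = parts
        events.append((_parse_ts(ts), user, action, resource))
    return events


def review_access(text, start, end, expected=EXPECTED_ACCESS):
    """Return {user: [resources]} for accesses inside the window [start, end]
    (ISO-8601 strings) that fall outside the user's expected set. Accounts
    with no baseline at all are reported in full: nobody has justified them."""
    start, end = _parse_ts(start), _parse_ts(end)
    seen = defaultdict(set)
    for ts, user, _action, resource in parse_log(text):
        if start <= ts <= end:
            seen[user].add(resource)
    findings = {}
    for user, resources in seen.items():
        excess = resources - expected.get(user, set())
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    print("exposed-data tier:", classify_exposed(["name", "postal_address", "dob"]))
    print("out-of-scope access during breach window:",
          review_access(SAMPLE_LOG, "2020-09-20T00:00:00Z", "2020-09-20T23:59:59Z"))
```

Run against the constructed sample, the review flags only the `vendor-backup` account reading `db/customers` during the breach window; alice's later read of the same table falls outside the window and is not reported. The value is the baseline: if `EXPECTED_ACCESS` does not exist for your environment, building it is the access-privilege review the article calls for.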

Navigating the process of recovery can seem like a long and arduous task, but with the right people and plan, it can be much easier to manage. The biggest thing that everyone should take away from the process is that they do not want to do it again! Learning from the process and fixing vulnerabilities and training gaps will be the best way to ensure you only have to experience it once.
