Recovering from a breach

Cybersecurity article series:

  • Cybersecurity risk analysis
  • Staff training
  • Detecting a breach and immediate action
  • Recovering from a breach

There is an ever-growing list of businesses that have fallen victim to a hack, and even after years of training your team in all the ways to prevent and detect data breaches, it is still possible to find your business added to that list. Remember, a criminal only has to be lucky once to gain access to your data. If your business has been proactive about keeping its devices and networks safe, and can show it, you will be in a far stronger position with regulators, insurers and the courts if a breach does occur.

However, if it has already been confirmed that your systems, networks or data have been compromised, here are eight specific actions that will help you recover quickly.

1. Secure your systems from further intrusion

This should have been done when the initial breach was detected, but it is still worth confirming that the attacker's access has actually been removed and that no further data loss can occur. Check that any accounts, credentials or entry points the attacker used have been revoked or closed. The only thing worse than a data breach is a second one through the same door.

2. Identify the compromised data

You will want to know exactly what information was stolen, and also whether any data was altered or destroyed. If it helps, divide the affected data into three categories:

  • Least sensitive: Names and postal addresses. Much of this is likely to be publicly available already, so on its own it is not a serious cause for concern, although it is still personal data and still counts towards your notification obligations.
  • More sensitive: Email addresses, dates of birth, payment account or credit card numbers. Stolen email addresses increase the likelihood of spam and phishing aimed at the people affected. Account and card details can lead to fraudulent charges, which are usually recoverable but still damaging. A date of birth is not much of a risk by itself, but combined with a name and address it is valuable to an identity thief.
  • Most sensitive: Social security or national insurance numbers, bank account details, and usernames and passwords. These enable identity theft and account takeover directly, and because people reuse passwords, a stolen credential often unlocks accounts on other services too. Note whether passwords were stored in plain text or properly hashed, as that changes the advice you give to the people affected.

3. Identify the members of your recovery team

Depending on the size of your business, you may need to include:

    • Legal counsel, to act as the bridge between senior management, law enforcement and public relations. Keep in mind that senior management will need to be advised of every step in the process.
    • Operations, so that if day-to-day operations are affected, a smooth transition back to normal can be planned.
    • Information security/IT. Members of your IT team will be the most valuable part of the team: people who can spot subtle differences in network traffic, application changes and data manipulation can help identify the vulnerabilities that were exploited.
    • Human resources, to assist in managing the team and identifying any additional resources that are required.
    • Computer forensics, to find the traces attackers leave behind during a breach. It is unusual for a small business to have this expertise in-house, so hiring a third party may be unavoidable; engage them early, before remediation work overwrites the evidence they need.

4. Log everything

During the recovery phase, make sure to log everything: who did what, when, and what was found. Law enforcement and regulators will want to know exactly what your team did to stop the intrusion, and a timestamped record of every pertinent finding from the investigation will support any later claim, prosecution or audit. Preserve the original evidence as well: take copies of logs and disk images before systems are rebuilt or reimaged, and record who has handled each copy, since evidence that cannot be accounted for carries little weight.

5. Fix vulnerabilities discovered throughout the process

Identify the key areas to tighten, such as:

  • Third-party service providers. If any third-party services have access to your networks or data, examine precisely what they can reach, and decide whether those access privileges need to be reduced.
  • Network segmentation. If you have more than one server or office, your network should be segmented so that a breach in one area cannot spread to another. Work with the forensics and information security teams to establish whether the segmentation in place actually contained the attacker; if it did not, fix it now.
  • Work closely with your forensics team. Find out what security measures were in place at the time of the breach. Were firewalls correctly configured? Was data encrypted at rest and in transit? Identify backups that could restore network functionality, and confirm they predate the compromise and are free of the attacker's tools before restoring from them. Also review system logs to determine who had access to which parts of the network at the time of the breach, and whether those people really need that access.

6. Determine your legal requirements

It may be necessary to report the breach to law enforcement and/or regulatory agencies, often within a fixed deadline: under the UK and EU GDPR, for example, a notifiable personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Check contractual obligations too, such as payment card industry rules and the notification terms of any cyber insurance policy, and make sure you meet all of them.

7. Update your risk register

Record all of the information relevant to the breach: how it happened, what it cost, and what was changed in response. This ensures it is reviewed and considered in future risk assessments.

8. Have a communication plan

Create a comprehensive plan that reaches every affected audience: employees, customers, investors, business partners and other stakeholders. Do not make misleading statements about the breach, and do not withhold key details that would help people protect themselves and their information. Equally, do not publicly share information that might put people or businesses at further risk, such as details of an exploited weakness that has not yet been fixed. Your legal team will usually hold the keys to the timing and nature of any statement, so listen to their guidance. Wanting to tell those affected is necessary and commendable, but it is equally important to do it the right way.

By now you are probably thinking that recovery is a long and arduous task. With the right people and plan in place it is far easier to manage, but the biggest lesson anyone takes from recovering from a breach is that they never want to do it again. Learning from the process, fixing the vulnerabilities it exposed and closing the gaps in training is the best way to ensure you go through it only once.
