The reality is that nearly every company is at risk for a data breach or data loss. In this post, we’ll talk about a data breach: when a malicious party gains unauthorized access to your company’s data. In a follow-up post, Part II of our series, we’ll address a data loss situation where data goes missing and disaster recovery options are needed.
Some companies are more at risk for a data breach based on their infrastructure – others have made a significant effort to implement technologies and services to prevent the type of malicious hacking activity that leads to a data breach.
But any business of any size has a certain level of complexity that makes it difficult to manage and mitigate all threats, known and new.
Data breaches also come with big costs – Ponemon, a leader in risk evaluation, has estimated that the average data breach for 2018 costs a company $3.86 million.
That’s not a small amount – and companies are paying attention, trying to figure out the best ways to safeguard systems, and how to respond to a data breach.
Dealing with a Data Breach
So what do you do after a data breach has occurred? That is, after someone has found out about the breach and tried to figure out when it began. Understanding dwell time and the timeline for identification can be important in doing damage control and containing an active threat.
This guide will help your company take the necessary steps after a data breach and remediate systems to get the business back up, running and stable again.
The Discovery Process
One of the first steps in addressing what to do after a data breach is the discovery process. That process starts from the first moment someone realizes a data breach has occurred.
Specific tools and resources can help expedite discovery. Event log monitoring and network observation systems can help spot the activity that leads to stolen data. Tools like device status mappers and netflow analyzers (as described in this Helpsystems article) are assets in the fight against sudden hacker infiltration.
During the initial discovery process, it's important to figure out what was compromised: which parts of the system were affected? What data assets are in the hands of a malicious party? And, last but not least, has the unauthorized user changed anything, including deleting important data, corrupting vital data sets or planting a “back door” for continuous or future access?
In this phase, companies also try to assess “dwell time” – how long a data breach has been hiding under the radar. It's important to contact your Security and Compliance team responsible for affected systems or data in addition to notifying management and potentially the board and the public depending on the scope and information compromised.
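The triage questions above (what was touched, what was changed, how long the intruder was active) can be answered from the audit trail if the log has been kept. The following is an added example, not code from the original post or any product it mentions: it parses a small constructed audit log, treats activity from outside the internal address range as the intruder's (an assumption chosen for illustration; a real triage would use whatever indicator the investigation established), and reports first-seen time, dwell time up to the moment of detection, the accounts involved, the data read or exported, and any changes such as new accounts or deleted records.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample audit log for this example (not from a real system).
# Fields: timestamp, user, action, resource ("-" if none), source IP.
SAMPLE_LOG = """\
2018-03-02T08:14:05Z alice LOGIN - 10.0.4.12
2018-03-02T08:20:41Z alice READ customers/q1 10.0.4.12
2018-03-05T23:47:19Z svc_backup LOGIN - 203.0.113.77
2018-03-05T23:49:02Z svc_backup READ customers/all 203.0.113.77
2018-03-05T23:52:30Z svc_backup EXPORT customers/all 203.0.113.77
2018-03-06T00:01:11Z svc_backup CREATE_USER helpdesk2 203.0.113.77
2018-03-06T09:05:00Z bob LOGIN - 10.0.4.30
2018-03-21T14:30:00Z svc_backup DELETE audit/2018-03 203.0.113.77
"""

# Assumption for the example: the company's internal address space.
CORPORATE_NETS = [ip_network("10.0.0.0/8")]

# Actions that alter the environment and so matter for "did they change anything?".
CHANGE_ACTIONS = {"CREATE_USER", "DELETE", "MODIFY"}
DATA_ACCESS_ACTIONS = {"READ", "EXPORT"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    resource: str
    src: str


def parse_log(text):
    """Parse the whitespace-separated audit format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, src = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, action, resource, src))
    return events


def is_external(ip):
    """True when the source address is outside every corporate range."""
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def find_suspicious(events):
    """Indicator used here: any activity from outside the corporate ranges."""
    return [e for e in events if is_external(e.src)]


def triage(events, detected_at):
    """Summarise intruder activity; detected_at is when the breach was noticed."""
    suspicious = find_suspicious(events)
    if not suspicious:
        return None
    first_seen = min(e.ts for e in suspicious)
    return {
        "first_seen": first_seen,
        "dwell_time": detected_at - first_seen,
        "accounts": sorted({e.user for e in suspicious}),
        "data_touched": sorted({e.resource for e in suspicious
                                if e.action in DATA_ACCESS_ACTIONS}),
        "changes": [(e.ts, e.action, e.resource) for e in suspicious
                    if e.action in CHANGE_ACTIONS],
    }


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), datetime(2018, 3, 22, 10, 0, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "changes" list is what the later documentation step needs most: the new helpdesk2 account is a likely back door that must be removed during isolation, and the deleted audit resource is a gap in the record that has to be noted before it is mistaken for "nothing happened in March".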
Isolation and Documentation
This step is a two-fold process – the company tries to wall off infected areas of a network and isolate malware or other types of threats.
At the same time, business leaders are also doing their best to document the problem. Team leaders responsible for breach discovery and remediation have to be precise about their findings and document the steps being taken to remediate the issue and ultimately help prevent a recurrence.
One good rule of thumb is to immediately consider whether stolen data falls under any of these regulatory frameworks:
- HIPAA (Health Insurance Portability and Accountability Act)
- PCI (Payment Card Industry)
- NERC (North American Electric Reliability Corporation)
- NIST (National Institute of Standards and Technology)
Some of these are industry-specific. Others are based on general privacy and security guidelines. All of them are absolutely important for the businesses that they apply to.
On another practical level, businesses have to think about how hackers could use the data to trigger liabilities. Financial data, PII, HIPAA data, corporate IP and the like all come with different, but significant, liabilities if used in a nefarious way.
Throughout this process, the company leaders will continue to look at dwell time and what happens throughout the time-frame that a threat was active – a “threat autopsy,” if you will – while considering data breach solutions.
The Disclosure Stage
One of the first responsibilities of a company after a data breach is to notify impacted customers. The Personal Data Notification and Protection Act, a federal law passed a few years ago, lays out when and how companies must disclose data breach information.
This is such a common responsibility and response that boilerplate letters are often kept on hand showing customers exactly what information was compromised.
Here's a step that some companies don't think about – data breaches that have any bearing on government activity should be reported to the applicable government agencies. A Data Breach Response Guide from the Federal Trade Commission gives this advice:
“Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service.”
Federal agencies can help make the call on whether any sensitivity applies to the particular breach, and in some cases, what a business data breach response plan should look like.
The System Restoration Challenge
Here's where the company gets active in setting operations back up and making sure that business runs without a hitch after a data breach has caused IT problems.
That may involve wiping various storage systems, recovering from backups and rebuilding data sets and applications.
Companies that have invested in data breach security services, partners or technologies often have redundant systems and failover systems that help to reconstruct databases and other parts of their IT infrastructure.
Some of these systems, disaster backup systems in particular, work both for hacking emergencies like data breaches and for other disasters that can impact business operations.
Failover systems help to synchronize the backups so that the business doesn't have as much of a hiccup while it's restoring damaged systems.
The Path Toward Resolution
After the important restoration work has been done, and it's clear that systems are no longer at risk, the business can move forward.
Communication will be key, both during and after the event so all impacted parties are aware of what occurred, how, the impact and what can be done going forward to prevent another similar breach.
Then there's the work of making sure that a particular data breach doesn't happen again: closing the vulnerabilities and gaps that were exploited.