When the alarms go off: 10 key steps to take after a data breach

Globally, data breaches are estimated to cost in excess of $4.2m per incident today. And they’re happening on an unprecedented scale as organizations build out their digital infrastructure – and unwittingly expand the corporate attack surface. In the US, for example, the number of reported breaches by Q3 2021 had already exceeded the number for the whole of 2020. It takes way too long for the average organization to find and contain data breaches – an estimated 287 days today.

However, once the alarms go off, what happens next? The presence of ransomware actors, an increasingly common precursor to modern data breaches, will complicate matters even further. Here’s what to do, and what to avoid doing, following a breach.

A data breach is likely to be one of the most stressful situations your organization ever finds itself in, especially if the incident was caused by ransomware actors who have encrypted key systems and are demanding payment. However, knee-jerk responses can do more harm than good. While it’s obviously important to get the business operational again, working methodically is crucial. You’ll need to run through the incident response plan and understand the scope of the compromise before taking any major steps.

Given that it’s not a case of “if” but “when” your organization is breached today, an incident response plan is an essential cybersecurity best practice. This will require advance planning, perhaps following guidance from the likes of the US National Institute of Standards and Technology (NIST) or the UK’s National Cyber Security Centre (NCSC). When a serious breach is detected, a pre-assigned incident response team featuring stakeholders from across the business should work through the processes step-by-step. It’s a good idea to test such plans periodically so everyone is prepared and the document itself is up-to-date.

One of the first critical steps following any major security incident is to understand how badly the company has been impacted. This information will inform subsequent actions such as notification and remediation. Ideally, you’ll need to know how the bad guys got in, and what the “blast radius” of the attack is – what systems they’ve touched, what data has been compromised, and whether they’re still inside the network. This is where third-party forensics experts are often drafted in.

After a breach, you need to know where the organization stands. What liabilities do you have? Which regulators need to be informed? Should you be negotiating with your attackers to buy more time? When should customers and/or partners be informed? In-house legal counsel is the first port of call here. But it may also want to draw in experts in the cyber incident response space. This is where that forensic detail on what actually happened is vital, so those experts can make the most informed decisions.

Under the terms of the GDPR, notification of the local regulator must take place within 72 hours of a breach being discovered.
