What A Company Should Do After a Data Breach
It’s unfortunate but true: today, we should no longer think about data breaches in hypothetical terms.
Sadly, a data breach is no longer just a potential threat. In fact, for most of us, it’s more a question of WHEN a data breach will happen rather than IF, and it’s crucial that we all have a data breach response plan and know what to do once it happens.
The good news is that this is exactly what you will learn from this guide. You’ll discover how a data breach could occur in your company and exactly what your company should do once it happens.
It’s a lot to cover, so let’s dive in.
The Most Common Causes of Data Breaches
We can group the ways in which companies’ data gets breached into three main categories:
When we think of data breaches, we often think of someone maliciously breaking through our cyber defenses to steal sensitive information.
But that’s not always the case.
In fact, many data breaches are caused by (or at least initiated by) unintentional mistakes. These can be as simple as an employee emailing documents containing sensitive information to the wrong recipient.
Another common mistake is the loss (or theft) of physical devices containing sensitive data: laptops, flash drives, etc.
Some data breaches occur simply because of the actions of an angry or disgruntled employee. According to this report, for example, as many as 75% of insider threat cases involved a disgruntled employee or ex-employee who took company data when leaving or destroyed such data upon termination of their employment.
A good example of this is the case of the Submarine Data Leak. A disgruntled employee exposed confidential details of India’s Scorpene submarine and leaked 24000 pages of sensitive information.
But it’s not just disgruntled employees who assist hackers in breaching data. In 2006, for example, a Snapchat employee was tricked by an email disguised to look as if it came from the company’s CEO into revealing payroll information of 700 employees.
Also, in 2006, a Sage employee got arrested after disclosing sensitive data belonging to 200 of the company’s customers.
Actual and malicious hacker activity
This is what we usually consider when thinking about data breaches: a hacker or cybercriminal manages to break in, gains access to a company’s data, and exfiltrates it for their own purposes.
There are hundreds of examples of such data breaches. In fact, we list all the latest data breaches on this site.
But why are we talking about the causes of data breaches here?
Well, the main reason is that understanding how breaches typically happen can help you develop a response plan and mitigate the effect of those breaches.
Of course, understanding those causes can help you build processes to prevent at least some of them, too. But in this case, our goal is to help you understand how your data could be breached and how these causes can affect your response plan.
How can you know whether your company suffered a data breach?
There are several methods to detect a data breach. Some involve monitoring your systems for unexplained activity or alerting your staff to be mindful of unusual password incidents.
For example, an employee who receives a password recovery request they didn’t initiate should immediately report it to the security department, for a simple reason: it most likely indicates that someone is trying to gain access to the account.
But often, these methods aren’t enough. Luckily, there is another way: data breach monitoring.
With a platform like Breachsense, you can detect data breaches in real time and stop cyberattacks before they happen.
And here’s what to do if you discover that your data has been breached and sensitive information has been leaked.
6-Step Plan of What a Company Should Do After a Data Breach
1. Contain the Breach
When dealing with a cyber attack, the first and most critical step is to contain the potential damage. This requires identifying the systems and servers that were compromised and quickly isolating them to prevent the spread of the malicious code.
Here are some immediate actions you should take:
- Disconnect your internet connection and remove all compromised servers, computers, and mobile devices from the network to prevent further spreading of the malware.
- Disable remote access and verify all access control rules in your firewall settings.
- Verify that all systems are fully patched and running the latest stable software versions.
- Update passwords to strong, unique ones for each account. Additionally, check employee devices for infostealer malware. Even strong passwords are easily bypassed when an employee’s device is infected with malware. Enable Multi-Factor Authentication (MFA) where available to bolster security and reduce the risk of future data breaches.
2. Evaluate the Damage
After isolating the affected systems, your next step should be to conduct a thorough investigation into the data breach.
This investigation should identify how the breach occurred and which data was compromised. Digital forensic experts or IT personnel trained in incident response can assist in this process.
Key aspects of the forensic investigation should include:
- Taking images of the affected servers and systems: This preserves a snapshot of the system at the time of the breach, which can be crucial for identifying how the breach occurred and who was responsible.
- Investigating the memory of affected systems: Look for traces of the attacker’s activity, such as evidence of malware or other malicious software, and analyze system and application logs to trace the attacker’s actions.
- Preserving evidence related to the breach: Carefully preserve system logs, network traffic data, emails, and other documents for further analysis and potential legal action. Maintain a chain of custody for all evidence to ensure its integrity.
In addition, this is the right time to assess the effectiveness of any network segmentation measures that were in place to prevent hackers from moving from one server to another.
Identifying the source of the breach can be facilitated by conducting comprehensive log analysis from various security systems, including the affected servers, WAFs (Web Application Firewalls), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls. These systems should automatically log security events and provide valuable information on the location and timing of the breach, contributing to a more thorough understanding of the incident.
During the damage assessment stage, it’s crucial also to understand the source of the breach, whether the breach resulted from leaked passwords, human error, or software misconfiguration. Understanding the root cause and location of the breach, as well as whether it was internal or external, is critical to implementing measures to prevent recurrence.
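As an added illustration (not code from the article or from Breachsense), here is a small Python script that does the kind of log correlation described above: it merges constructed sample lines from an auth log, a WAF and a firewall into one timeline and reports the earliest indicator and its source. The line format, event names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines (not real data). Assumed format: ISO timestamp, log
# source (auth / waf / fw, as the article names them), then key=value fields.
SAMPLE_LOGS = """\
2024-05-02T01:58:10Z auth event=login_failed user=jsmith src=203.0.113.7
2024-05-02T01:58:12Z auth event=login_failed user=jsmith src=203.0.113.7
2024-05-02T01:58:14Z auth event=login_failed user=jsmith src=203.0.113.7
2024-05-02T01:58:20Z auth event=login_ok user=jsmith src=203.0.113.7
2024-05-02T02:03:41Z waf event=blocked rule=sqli src=203.0.113.7 path=/api/export
2024-05-02T02:05:02Z fw event=allow dir=out src=10.0.0.20 dst=198.51.100.9 bytes=734003200
2024-05-02T09:12:00Z auth event=login_ok user=alice src=10.0.0.5
"""
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
def parse(raw):
    # One dict per line, sorted by time; lines that do not match are skipped.
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, rest = m.groups()
        e = dict(kv.split("=", 1) for kv in rest.split())
        e.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source=source)
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])

def build_timeline(raw, fail_threshold=3, egress_bytes=100_000_000):
    """Return suspicious events as (timestamp, source IP, reason), oldest first."""
    failures = defaultdict(int)  # (user, src) -> failed logins before a success
    found = []
    for e in parse(raw):
        ev, src = e.get("event"), e.get("src")
        if ev == "login_failed":
            failures[(e["user"], src)] += 1
        elif ev == "login_ok":
            n = failures.pop((e["user"], src), 0)
            if n >= fail_threshold:  # success right after a burst of failures
                found.append((e["ts"], src, f"login after {n} failures"))
        elif e["source"] == "waf" and ev == "blocked":
            found.append((e["ts"], src, f"WAF blocked rule {e['rule']} on {e['path']}"))
        elif e["source"] == "fw" and e.get("dir") == "out" and int(e["bytes"]) >= egress_bytes:
            found.append((e["ts"], src, f"{e['bytes']} bytes out to {e['dst']}"))
    return found

def breach_start(raw):
    """Earliest indicator as (ISO timestamp, source IP); None if nothing found."""
    timeline = build_timeline(raw)
    return (timeline[0][0].isoformat(), timeline[0][1]) if timeline else None
```

On the sample data the timeline runs from the brute-forced login, through the blocked export request, to the large outbound transfer from an internal host, which is the order an investigator would want to confirm against the servers’ own logs.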
3. Address Possible Weaknesses
After a data breach, it’s important to address the weaknesses that led to the breach. This may involve collaborating with your IT security team or engaging external security experts for a forensic investigation.
Based on the findings, you can then implement both immediate and long-term solutions to address any vulnerabilities and prevent similar incidents from happening in the future.
Immediate and long-term solutions should consider the following key factors, which often contribute to ransomware attacks:
- Leaked passwords: A significant number of ransomware attacks stem from leaked or stolen passwords. It’s crucial for companies to have ongoing visibility into their employees' leaked data in order to reset their credentials before cybercriminals exploit them.
- Phishing: Phishing attacks are a common method cybercriminals use to infiltrate networks and deploy ransomware. To avoid this, implement advanced email filtering and monitoring solutions to detect and block phishing attempts. Provide regular employee training on how to identify and avoid phishing emails.
- Unpatched servers: Maintain a regular patch management schedule for all servers and software applications. Employ continuous vulnerability scanning and periodic pen testing to identify and remediate weaknesses.
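The leaked-password visibility in the first point, as an added example (not Breachsense’s own API or code): a constructed breach feed, a prefix-only range query so the client never sends the full password hash, and a reset queue built from both the feed and login-time checks. All names, values and the 5-character SHA-1 prefix scheme are assumptions.

```python
import hashlib

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Constructed breach feed (made-up values): records a monitoring service might
# return, as (account, SHA-1 of the leaked password, dump it came from).
BREACH_FEED = [
    ("jsmith@example.com", sha1_hex("Summer2024!"), "constructed-dump-A"),
    ("random@other.org",   sha1_hex("letmein"),     "constructed-dump-B"),
    ("mlee@example.com",   sha1_hex("Welcome1"),    "constructed-dump-B"),
]

# "Server" side: suffixes indexed by 5-char SHA-1 prefix (k-anonymity range
# model), so a client can ask about a password without revealing it.
RANGE_INDEX = {}
for _, h, _ in BREACH_FEED:
    RANGE_INDEX.setdefault(h[:5], set()).add(h[5:])

def range_query(prefix):
    """Server: every suffix stored under a 5-char prefix (empty set if none)."""
    return RANGE_INDEX.get(prefix, set())

def password_is_leaked(password):
    """Client: sends only the first 5 hex chars; matches the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])

def exposed_accounts(domain):
    """Accounts of `domain` present in the feed, with the dump they came from."""
    suffix = "@" + domain.lower()
    return sorted({(email, src) for email, _, src in BREACH_FEED
                   if email.lower().endswith(suffix)})

def reset_queue(domain, login_attempts):
    """Accounts to force-reset: seen in the feed for this domain, or whose
    password (seen at login/change time, when the app legitimately has it)
    appears in any dump. login_attempts: {email: password}."""
    queue = {email for email, _ in exposed_accounts(domain)}
    for email, pw in login_attempts.items():
        if password_is_leaked(pw):
            queue.add(email)
    return sorted(queue)
```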
4. Notify All Stakeholders
Following a data breach, it’s crucial to notify the appropriate parties to minimize the potential harm to affected individuals and comply with relevant regulations.
Here are the key stakeholders you should inform when a data breach occurs:
Regulatory Bodies and Law Enforcement
Depending on the sector and type of breach, companies may be required to notify law enforcement authorities, such as the FBI or similar, based on federal or state laws.
Data protection laws also require companies to report breaches within a specified time frame, as well as provide a detailed and thorough explanation of how and why they occurred and what the company is doing to resolve the issues.
Customers, Clients, and Stakeholders
To effectively notify the affected parties, companies should determine the best method of communication and clearly explain how cybercriminals accessed and used stolen information.
Providing contact details for additional questions is important, as is being transparent about what information was exposed and what the company is doing to mitigate the damage.
Prompt data breach notifications can help affected parties manage their risk and take necessary measures.
Cyber Insurance Companies
Cyber liability insurance is highly recommended, especially for companies operating with sensitive data.
Although the insurance doesn’t prevent data breaches, it can cover financial damages resulting from a breach, such as the costs of investigating and responding to the incident, potential legal fees, and damages resulting from lawsuits.
Having data breach insurance can help you respond to the incident effectively and efficiently.
Staff and Third-Party Entities
Companies should also inform internal staff about the data breach and the steps being taken to resolve the issue. Third-party agencies affected by the breach, such as vendors, contractors, or suppliers, should also be notified.
If the data breach involves U.S. social security numbers, it’s important to notify the major credit bureaus: Equifax, Experian, and TransUnion.
Credit monitoring services should also be provided to help affected individuals protect their credit and prevent further damage from identity theft. Victims should monitor their credit reports and enable a credit freeze with the three credit bureaus.
5. Evaluate the Effectiveness of Cybersecurity Defenses
After implementing the relevant defensive measures, a company should conduct a security test to determine whether its system can withstand another cyber attack.
To help prevent future attacks, you should conduct a penetration test to identify vulnerabilities that could be exploited to compromise your network.
This will make it difficult for another hacker to replicate the previous attack vectors.
It’s important to perform security testing annually, at the very least, as well as before pushing any significant changes to production.
Following this, you should update your company policies and procedures to ensure that they are better equipped to deal with future cyber threats and data breaches.
6. Update Data Security Governance Policies
After a data breach, the company needs to conduct an internal review of its policies and identify any security gaps that led to the incident.
Review your incident response plans to ensure they cover all potential attack scenarios and have clear response procedures.
If the plans are unclear, they should be revised.
Business continuity and disaster recovery plans are also essential to maintain operations in the event of a breach. Regular reviews of all plans - incident response, business continuity, and disaster recovery - are necessary.
Having an incident response team in place can help reduce the cost of damages resulting from a breach. A designated individual or team, such as a CISO (Chief Information Security Officer) or CIO (Chief Information Officer), can lead the response effort and assemble IT security response teams dedicated to protecting customer data.
And that’s it…
Now you know what actions to take to contain the impact of a data breach and minimize further damage.