Data breach response: How to react when your business gets hit
Would you know what to do if an online attacker got their hands on your data? We outline the first steps you should take following a security breach
As businesses settle into a new post-pandemic normal, cyber criminals have been busier than ever. Check Point Research reports that cyber attacks on corporate networks increased by 50% in 2021, compared to the previous year; by December, businesses were experiencing an average of 925 attacks per week.
Of course, not every attack is successful, and even when criminals do manage to get into your systems, that doesn’t always result in a data breach. But you need to plan for that possibility. “We know that data breaches like ransomware are pernicious, effective and on the rise,” Ed Williams, director of Trustwave SpiderLabs (EMEA) says. “No matter what the size of the business is, they should be planning for the worst – while ensuring, through good cyber hygiene, that it doesn’t happen.”
We’ve spoken to incident responders and cyber security experts to determine just what your business should do once a breach has been detected.
Begin at the beginning
Any kind of security response requires a methodical investigation. As Dave MacKinnon, chief security officer with N-able says, this means addressing the five Ws – “who, what, when, where and why?” – and you can also add an H for “how”.
The first step is identifying what has been targeted, what data or resources have been exposed and how the breach happened. Was an external malicious actor at play, or could a non-malicious insider have been involved? Because mistakes and accidents do happen.
“Based upon your analysis of the Ws, you can then determine what level of response is required,” MacKinnon says. At this early point you should also be asking yourself whether you are actually capable of completing the investigation without external assistance. “It’s okay to ask for help,” he says: “The largest organisations in the world do it all the time.”
The three Cs
While considering the Ws, you should also get moving on the three Cs as quickly as is feasible – those being “confirm, contain and communicate” the breach.
Understanding the economics of in-cloud data protection
Data protection solutions designed with cost optimisation in mindFree Download
The first step might sound like the easy one, but it’s not always as straightforward as it sounds. Kris Mitchell, security operations centre team lead at UK data breach detection and response business Socura warns that “confirmation and validation is the hardest part of data-breach detection and response. If a business detects a distributed denial of service (DDoS) attack it needs to understand if this is the full extent of the attack, or whether it is a smokescreen for something more sinister. It’s often a precursor to an attacker exfiltrating data, but only a cyber security professional will know to look for data exfiltration during DDoS and not fall for the distraction.”
You can also argue that “keep calm” should be a fourth C on the list. Panicking won’t help your breach response, but it’s understandable if you’ve been wrong-footed. “There’s nothing worse than suffering a cyber security incident and then trying to work out what needs to be done,” comments Cliff Martin, cyber incident responder of GRC International Group. The secret is to have an incident response plan already in place that you can turn to. “Having a plan up front will significantly reduce the impact and time taken to recover,” Martin notes – and it can also assist greatly with the next C, containment.
Containing the threat
Naturally, in the event of a data breach it’s an urgent priority to stop the bleeding and limit the threat actor’s ability to do more harm. “If you suspect the attacker is still present on your systems,” advises Alistair Thompson, product management lead at Adarma, “take steps to deny them access to things that they can use against you.” The specifics will, of course, be different for different attack scenarios and business operations, but you might consider temporary measures such as:
- Restricting access between company devices and external networks
- Suspending access between cloud and externally facing services
- Disabling vulnerable and compromised domain and email accounts
- Isolating infected endpoint devices
Martin adds that containment can also include “disabling or changing user credentials, blocking specific IP addresses, taking backups or digital images for further analysis and running antimalware scans.”
All of this might sound like a big project, and again this type of scenario is something you should plan for in advance, so you can take action quickly when needed. The smallest of businesses may well have to implement their containment plan themselves, but if you can it’s often worth engaging an external expert to help with your incident-response planning: “Trust the professionals, not Google,” advises Mitchell.
Communication is key
It’s embarrassing to admit you’ve been hacked, but covering up is not an option. If the security incident has led to the destruction, loss, unauthorised disclosure of or access to personal data, then you may be legally required to report it to the Information Commissioner’s Office (ICO) within 72 hours. You’ll find more information, along with a self-assessment process to determine the status of your incident, on the ICO website.
When reporting a breach, you’ll be required to confirm both the type of data that may be at risk and how many individuals are likely affected; this is one reason why the first C is for confirmation, as getting your facts right is imperative. External support agencies may be able to help with this, but be clear that the ultimate responsibility is yours. “If you enlist the help of a cyber incident response specialist, make sure that they have the relevant legal expertise in data protection and that they are well-versed in liaising with the ICO on behalf of their clients. In some cases, this can be the difference between whether the ICO chooses to impose a fine, or not,” warns Pete Bowers, COO at NormCyber.
Don’t think you can just fill in the ICO form and move on either. “Businesses also have a duty to report all cyber attacks to the police,” Mitchell warns, “and they should also report phishing attempts to Action Fraud.” This isn’t likely to result in squad cars showing up at your premises, but, as Mitchell points out, “reporting breaches can aid police efforts to catch and prosecute cybercriminal gangs, preventing other businesses from falling victim to the same attacks.”
You should also report the incident to the National Cyber Security Centre (NCSC), and any other bodies that deal with regulatory compliance in your industry – financial services companies will need to report a data breach to the Financial Conduct Authority (FCA) for example.
Once you’ve finished talking to the authorities, your next call should be to your insurance company. This isn’t just a courtesy call: as Oscar Arean, head of operations at Databarracks, reminds us, “insurers can help by providing cyber forensic experts to help deal with the incident. It’s also important because if you don’t involve them early on, you might not be able to claim back costs you incur.”
Then comes the part that businesses, especially smaller ones in competitive sectors, may be particularly hesitant about: contacting customers. But handled properly, disclosure doesn’t need to hurt. “Businesses worry that they will lose customers if they think they have a breach,” Irfahn Khimji, chief systems engineer at Tripwire notes. “However, the reality is that a well-handled breach response increases customer confidence.” Even if you don’t know all the details at first, keeping customers informed that a breach has occurred, and is being investigated, is crucial. “It’s better to be transparent about what has happened, and what might be the impact on your customers, than to try and hide facts, lose trust and potentially receive a GDPR fine,” explains Hugo van den Toorn, manager of offensive security at Outpost24.
The one thing to avoid is apportioning blame. When a breach happens you may naturally want to protest your innocence, but that’s the wrong call. “It makes you look bad if you try to pin the blame on someone else,” van den Toorn warns. “Take responsibility, and focus on the future; how will things be better now that you’ve learned this painful lesson?”
The privacy breach response perspective
We’ve focused so far on data breaches caused by cyber attacks – but there are plenty of privacy breaches that aren’t security incidents. “You might have misconfigured cloud storage making sensitive information publicly available, or an employee might have accidentally emailed sensitive information to the wrong person,” explains Oscar Arean, head of operations at Databarracks. Situations like this are simpler to deal with, though no less serious.
Chris Linnell, senior lead data privacy consultant at Bridewell Consulting, says that the steps to take depend on whether you’re dealing with a breach of confidentiality, integrity, or availability.
“Confidentiality breaches are unauthorised or inappropriate disclosures or theft of information. They can be via many means, including use of malware, phishing attacks, social engineering or human error,” he explains. “In the event of a confidentiality breach, organisations need to quickly ascertain what has been lost or stolen and when, and what technical controls are in place, such as access controls, encryption at rest or in transit, or complex password policies, to mitigate the risk.”
“Integrity breaches concern the completeness and reliability of data or assets. These breaches commonly involve viruses or human error in configurations of assets,” he continues. “Depending on the manner of the breach, the focus is likely to be more on data recovery, which is where the use of back-ups and replication comes in.”
KRI basics for IT governance
How information technology & information security can implement this crucial part of risk managementFree Download
That leaves availability breaches, where “there is a loss of access or destruction of data or assets.” Typically this type of breach could be caused by things like ransomware or denial of service. “In responding to a breach like this, the first step is to work out how the bad actor got in, what has been destroyed, accessed or transferred – and then how to recover from the vulnerability using patching or additional threat detection.”
Regardless of the type of breach, you once again need to think about your legal disclosure obligations, and to inform customers and stakeholders. “An organisation will need to ascertain to whom the data belongs” Linnell advises – “and where in the world it is being processed, to determine the jurisdiction.”
Long-term post-incident action
Once you’ve addressed the immediate aftermath of a breach, you can start to look at the bigger picture and work to stop the same thing happening again. If you can afford a full security audit – and there’s a good argument to suggest that you can’t afford not to – then you should be able to uncover the root causes of the breach, as well as other potential security problems that could bite you down the road.
“There is never a better time to push through improvements than after an incident,” Arean says. “It’s also a good time to review your incident response plan and update it too. Did the plan work for you, and could it be improved?” Chester Wisniewski, Principal Research Scientist at Sophos, suggests hiring a penetration testing firm to provide a detailed analysis of your weaknesses and advise on which things you should prioritise for improvement. “Criminals are basically pen testers gone bad,” he says, “so having some of the good ones help you identify weaknesses goes a long way.”
One thing is for sure. As Joani Green, managing consultant for incident response at F-Secure, concludes, “traditional prevention tactics are no longer enough for SMBs, as threat actors become more advanced. SMBs must possess the ability to predict, prevent, detect, and respond against potential threats. For small businesses, this comes down to acquiring basic expertise in all these areas and the solutions to support IT staff.”
The state of Salesforce: Future of business
Three articles that look forward into the changing state of Salesforce and the future of businessFree Download
The mighty struggle to migrate SAP to the cloud may be over
A simplified and unified approach to delivering Enterprise Transformation in the cloudFree Download
The business value of the transformative mainframe
Modernising on the mainframeFree Download
The Total Economic Impact™ Of IBM FlashSystem
Cost savings and business benefits enabled by FlashSystemFree Download