The unthinkable has happened: your company has suffered a breach. If you are wondering how you are going to recover, here are 6 things that you need to do after a breach.
Report the incident to the authorities
For a lot of organizations, this sounds like the last thing they want to do. They believe that if the public knew they were breached, it would damage their reputation. More damage is done, however, by attempting to hide that there was a breach, especially in cases where personal data may have been exposed. If your business suffered a physical robbery, the first thing you would do is contact law enforcement, so a breach in this sense is no different. Also, in some jurisdictions, a breach that exposes personal information of customers or employees must, by law, be reported within a certain period of time. For instance, companies in the EU are legally obligated under GDPR to inform the Information Commissioner’s Office (ICO) if they suffer a breach involving personal information of customers or employees. The same obligations exist under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Reporting the incident not only helps individuals look out for suspicious activity and take steps to protect themselves, but also helps other organizations prepare for similar attacks.
Understand the Attack
It is also important to understand the attack that you have been subjected to. Are the hackers demanding a ransom? Are the hackers phishing for information? Was any malware downloaded or has any data been stolen? These are all things that you need to understand so you can prepare the correct recovery strategy.
Contain the Attack
After a breach, it is important to contain the attack quickly to avoid it spreading to other areas of the network. The affected servers should be taken offline. Switch off the internet and disconnect all remote access points. The latest security updates should be installed, and the firewall security settings need to be maintained. Another best practice would be to change all the passwords and use different strong passwords for each account, whether that system has been affected or not. You should refrain from deleting the data on your computers because you will need it as evidence, and it could also be used as a guide to understanding the cyber attack.
Assess the Attack
After you have contained the breach, you need to understand how the attack took place. You need to determine who had access to the affected servers and the network systems during the attack. Was it an inside job? Did the hackers break in from outside, and if so, how? You may be able to find this information by checking your security data logs through your firewall or email providers, your antivirus program, or your Intrusion Detection System. If this task is beyond your scope, there are cyber security experts, like Uzado, who will not only help assess and contain the breach but will ensure all appropriate security systems are in place to prevent a future security breach.
Understand who or what was affected
Now that you have assessed the breach, you can begin to figure out what data and how much of it was compromised. Were corporate trade secrets lost? How about the personal information of clients or employees? As mentioned earlier in the article, authorities should definitely be made aware of personal information stolen, as should any of the affected parties. Notifying clients and staff that their personal information may have been exposed will allow them to take the necessary steps to prevent identity theft.
While you were assessing the breach, you may have discovered the security gaps that led to the attack. Employees should be informed about the attack and educated on how to avoid future attacks. For instance, was the breach the result of someone responding to a phishing email? If so, it will be necessary to address this with staff and provide cyber awareness training going forward. If the breach was the result of stolen credentials, you may have to implement a system of privileged access so that only those who require systems access have what they need, i.e., HR doesn’t need financial data. In addition, teaching staff good password hygiene along with employing multi-factor authentication can also help in this case.
Are you ready to put together your breach response plan? If you need help putting any of the above elements in place, Uzado can help you develop a customized breach response plan. Ask about our Breach Readiness as a Service (BRaaS).