Few topics catch at the attention of the media like a data breach at a large company. When Target, Home Depot, and Equifax suffered data breaches, their stories were covered by every major network. Moreover, the news traveled fast and far given the millions of consumers who had their private data stolen.
Large companies like these can marshal resources in the form of consultants and PR firms to handle the response. They may appear to be calm and collected to the public, but they have much work to do behind the scenes. We will look at what steps companies, from big to small, should take following a data breach.
Let your employees and customers know what happened, even if you do not have all the details. Share with them what you can as soon as possible. An honest, concise email might be enough for employees to get back to work and put your customers at ease until more details of the attack are available.
Communication is the key to earning back the trust of employees, partners, and customers after a breach has occurred. Take this time to share why the incident happened, and what you are doing to make sure it does not happen again.
As Target found out in 2013, it is best to be the one to deliver the bad news. Target delayed announcing the breach. That choice allowed security expert Brian Krebs to make an unofficial announcement after he noticed various credit cards that Target customers had recently used being sold on the darknet. As difficult as it is to admit you have been the victim of an attack, going on the offensive allows you to tell your story before someone else does.
Once you realize there has been a breach, you must determine how to stop it. This might mean isolating servers and computers by taking them off the network, or it may require that you shut down WiFi and VPN for a time. Once the breach hits, the clock is ticking, and you must stop the attack from spreading. Eliminating the threat is of the highest priority.
Many incident response plans are created around mitigating, investigating, and preventing another attack. The plan should also include how your company will function if you must take critical pieces of infrastructure offline for a time. What if your company does not have an incident response plan? Salesforce engineer, Kelly McCracken, put together a helpful guide to creating one.
The key to mitigating an attack is speed. There is no time to place blame or begin forensics. You may need to bring in an outside data security expert to help track down the point of compromise to understand the scope of the attack.
This overlooked step might be the key to tracking down the culprit. Saving evidence might include preserving a log of actions taken before the breach, as well as continuing to log all operations after the offense is discovered. Data thieves might try to disable auditing on any system they used. Restore auditing if that is the case.
Security experts will often turn to the logs kept on various devices to search for clues. If possible, instead of turning off any systems, isolate them from the network by unplugging the network cable. Work with your security expert before logging in as ROOT to attempt to change any passwords.
Contact your legal representative to ensure you are meeting all reporting requirements. Legal will be able to help you navigate the laws in your state. As of 2018, all 50 states require companies to notify customers when their personal information is stolen.
Legal will also advise if you should report the breach to law enforcement. Law experts may encourage you to remain silent until the threat is over because a leak could reach the media and provide critical details about the attack that could be used to exploit others.
Once the immediate threat is over, it is wise to review your response to the breach. Get IT involved to audit the affected systems and understand precisely what happened. Perform a risk assessment of your infrastructure to determine further vulnerabilities and shore them up.
Do not be surprised if you track the attack back to human error. For example, a data breach at Tesla was traced to Kubernetes container without a password. If such an oversight can happen at a large company like Tesla, it’ll undoubtedly occur at others. Ongoing staff training can help prevent future attacks. Even helping your employees recognize phishing attacks will go a long way in securing your networking and data.
Data has become such a valuable business differentiator that thieves will continue to use it for their profit. It’s a challenge for security experts to stay a step ahead of the criminals. However, having a response plan will allow your company to begin the process of putting the pieces back together if you do get hit.