What Should Companies Do After a Data Breach?

Few companies expect to be at the center of a newsworthy data breach incident. However, according to some sources, cybercriminals can access 93% of businesses in an average of two days. Around 150 million data records were compromised in the third quarter of 2022 alone.

Businesses are increasingly reliant on data systems such as cloud computing and remote working to compete in the modern workplace. While this data use empowers organizations, it also leaves businesses, customers, and third-party vendors at risk of additional cybersecurity risks, such as data breaches.

How a company responds to a data breach can have a significant impact on its liability, reputation, and business continuity following a cyber incident. This guide will help businesses prepare a comprehensive response to a data breach.

Common Causes of Data Breaches

To understand the impact of a data breach, it’s worth looking at some of the most common causes of data leaks and data breaches. Potential data breaches and data leaks are more common than many companies think. With a combination of malicious hackers and careless employees, many firms are only a click away from a critical incident.

• Phishing
• Ransomware
• Social engineering scams
• Software misconfigurations
• Weak passwords
• Physical device theft
• Third-party breaches

What To Do After Suffering A Data Breach

Once cybercriminals gain access to a company’s files and systems, they could potentially leak billions of stolen and leaked records to the dark web. Once sensitive data like personally identifiable information (PII) is exposed or compromised, it may lead to more serious problems like financial fraud or identity theft.

Types of data usually at risk include names, emails, addresses, financial information, bank account details, credit card numbers, social security numbers, and other sensitive information.

Broadly speaking, if a data breach occurs, a company needs to accomplish three main goals:

1. Contain the situation to prevent the data breach from worsening.
2. Notify the affected parties of the situation. This also complies with regulatory bodies to report any cyber incidents and demonstrate intent to protect or restore sensitive data.
3. Fix the breach and remediate risks to prevent future incidents and return the business to a fully operational state.

A data breach can damage finances, customers or clients, and reputation. Responding quickly will help limit the fallout. Failing to adhere to the laws set by data protection regulatory bodies may result in significant penalties in the event of a data breach, particularly if:

1. The company could have prevented the breach with basic procedures and policies
2. The regulatory body doesn’t believe the company did enough to fix the situation after discovering the breach.

Here’s what companies should do immediately after detecting a data breach:

1. Act Quickly

Responding accordingly to a data breach involves responding quickly to minimize damage. Disaster recovery and incident response plans must be put into immediate effect to limit the scope of the security breach and protect personal data and customer information.

It’s important to act quickly and collaborate with the relevant law enforcement agencies to get the situation under control and ensure compliance with reporting laws.

At the moment of a data breach discovery, the systems have likely been compromised for some time. A breach lifecycle — the period between a data breach’s start time and the moment it is contained — is typically 277 days, most of which is spent unaware that a data breach existed in the first place.

2. Contain the Breach

In 2022, on average, it took more than two months to contain a data breach. Here are some actions to take to contain and prevent further access into critical systems quickly:

• Disconnect all connected networks, systems, and devices from the access point — If it’s unclear whether the breach was internal or external, disconnecting everything from the access point of the malware or threat actor can limit the scope of the attack. However, turning compromised machines off without expert advice can be a mistake.
• Gather information — As a business goes through the data breach response process, the IT team needs to collect evidence of the data breach and focus on identifying the compromised systems and servers to isolate them. Information collected during the data breach can help the cyber forensic analysis to determine how the hacker was able to gain unauthorized access.
• Restricting access to critical systems — Upon discovery of the data breach, access to all critical data should be removed or restricted to only those who absolutely require it. This prevents cybercriminals from gaining access through employee permissions. This also allows time for updating firewalls, antivirus, anti-malware software, and other security software.
• Reset passwords — If the breach was the result of a hacked employee account, it might serve to reset passwords for the entire organization in case of other compromised accounts. Businesses should also practice mandatory password resets every six months to a year to prevent further incidents. Multi-factor authentication (MFA) should also be implemented to increase password security.

• Seek expert help — A specialist IT team or data forensics team can help determine when a system is contained, taking images of the affected systems, analyzing evidence, and determining the scope of the breach and remediation action. A company can also ask law enforcement for advice regarding when it can return to business.

3. Perform a Damage Assessment

When you’ve quarantined the affected systems, it’s time for the company to investigate how the data breach occurred and what data was compromised. With digital forensic experts or trained IT personnel, you can learn what type of information was compromised and the number of records and people potentially affected.

At this stage, you can also decide whether any network segmentation was effective at keeping hackers that accessed one server from entering another.

Determining the Source

Intrusion detection (IDS) and intrusion prevention system (IPS) software automatically log security events, allowing the user to pinpoint the location and time of the data breach. Collecting the relevant information is possible without this kind of IT system, but it would likely be more labor-intensive, time-consuming, and costly.

The damage assessment should investigate if the breach occurred due to human error or software misconfiguration. It’s imperative to work out what happened and where, if it occurred internally or externally, so the company can prevent the problem from recurring.

To determine where the data breach occurred, the company should provide a list of every user with access to the compromised system or systems. Software that logs activity will be beneficial as it may show which network connections were active during the security breach.

4. Identify and Fix Vulnerabilities

Knowing the source of the breach helps make remediating risks and vulnerabilities easier. Real-time threat detection and response tools offer a great solution here. They would help with diagnosis and security even if they weren’t already installed and running at the time of the data breach.

At this stage of the data breach response process, organizations need to examine their entire attack surface. Companies must monitor their entire attack surface for potential vulnerabilities, including the environments of third-party vendors. A company’s data breach response plan should detail the aspects of the system that are most critical so that security solutions can be prioritized. It should also consider balancing short-term and long-term solutions to minimize damage and speed up recovery.

Employing attack surface management (ASM) tools here can greatly help the process along and quickly identify where the most critical risks are and how to begin remediation processes. Some ASM tools may also provide instant security scoring, continuous monitoring services, and compliance help to add to a company’s security program.

5. Inform Relevant Parties

Here are the main parties to notify following a data breach:

Regulatory Bodies and Law Enforcement

Depending on the sector, the type of breach, and the impact of the data loss, a company suffering a data breach may need to notify the relevant law enforcement authorities to remain compliant with federal or state laws.

Data protection laws, such as the Data Protection Act 2018, General Data Protection Regulations (GDPR), and the Health Insurance Portability and Accountability Act 1996 (HIPAA), require companies to report data breaches within a specified amount of time. A company’s data breach notification should be timely, detailed, and thorough about how it occurred, why, and what the company is doing to resolve the issues.

Customers, Clients, and Stakeholders

Once the data breach has been reported, the company needs to determine how to notify the affected parties and explain how the cybercriminals accessed the data and how they have used the stolen information. Companies should also provide contact details for any additional questions regarding the situation.

With prompt data breach notifications, affected parties can manage their personal risk by changing passwords and contacting credit bureaus like Equifax for credit reports, ongoing credit monitoring, and fraud alerts. Affected firms may offer free credit monitoring for victims of a data breach.

Informing stakeholders should also be prioritized, so they understand the incident. Doing so demonstrates a company is responding to the incident quickly and effectively, which can protect a company’s reputation and stakeholder trust.

Cyber Insurance Companies

Cyber liability insurance is highly recommended, especially for companies operating with critical data they cannot afford to lose. Cyber insurance doesn’t prevent data breaches but can cover the financial damages resulting from the data breach.

Staff and Third-Party Entities

In addition to customers, clients, business partners, and authorities, companies should inform the internal staff. It’s important to build trust not only outside of the company but also within. The internal message should outline the broader details of the incident and the steps being taken to resolve the issue.

Companies must also inform any third-party agencies affected by the breach. If the data breach involved account access information but the affected company doesn’t maintain those accounts, it should notify the organization that maintains the accounts. If the data compromised includes social security numbers, the major credit bureaus should also be notified, and the company should provide credit counseling services.

6. Test Cybersecurity Defenses

Once a company has followed through with its data protection procedures, it needs to test its security to determine if another attack would cripple the systems again.  New cyber defenses must address the issues and update the policies and procedures to prepare for future cyber attacks or data breaches.

The organization should use penetration testing and ethical hacking to ensure the vulnerabilities no longer pose a significant risk. At the very least, it should be impossible for another hacker to replicate the original method of cybercrime. Annual testing should be performed to ensure new threats can be defended against and that all software has the proper protections in place.

7. Implement New Data Security Policies and Procedures

Following a data breach, the company needs to review its internal policies and see if security gaps led to the incident. If so, the security measures need to be revised to mitigate the chances of another incident occurring again. Incident response plans should cover all the bases of a company’s attack surface and clearly state the exact response procedures following any incident. If any of these plans are unclear, it may be time to rewrite them.

Additionally, business continuity and disaster recovery plans are essential to determine how the company can continue operating even after a data breach. All plans — incident response, business continuity, and disaster recovery — should be reviewed regularly.

Organizations with incident response plans have reduced data breach damage costs by more than half compared to companies that had to scramble and learn as they went along. Companies prepared for a data breach had $2.66 million less in costs than the worldwide average.

Companies would also benefit from a designated individual or team to lead the response, ideally a CISO (chief information security officer) or CIO (chief information officer). They can build IT security response teams to focus solely on the protection of customer data.