Data breaches and intrusion attempts aren’t the first thing on anyone’s mind when starting a business or organization, but the realities of today’s cyber ecosystem have pushed cybersecurity to the top of the priority list.
Knowledge of cyberthreats and your organization’s vulnerability have become paramount to ensuring the continued success of any company or organization. It’s this information that allows you to build a preventative cybersecurity infrastructure, drastically reducing the chances of a data breach. Preventative security measures, smart policy, and employee awareness/training are the hallmarks of your cybersecurity strategy. Unfortunately, despite proper preparation and prevention, intrusion attempts are a reality of operating in today’s market, making breaches a very real possibility.
If a breach should occur at your place of business, it’s your incident response protocol that should navigate your employees’ immediate response… but what should you do after the dust settles?
1. Return to Business as Usual
The priority is to return to business as usual as quickly as possible after the containment. When it’s safe to do so, have your organization return to its normal operating routine. When the status quo has been restored, you can begin to execute phase 4 of your cybersecurity strategy:
2. Coordinate with Those Involved
Your organization’s leadership will need to meet with the people most familiar with the breach and most knowledgeable about your data:
- Chief Technology Officer (CTO)
- Cybersecurity team
- Incident Response (IR) team
- IT team
- Others directly involved with cybersecurity efforts
When you begin dissecting data points, collaborating with these resources will uncover the determining factors and the sequence of events leading up to the breach. Working out these factors and events will in turn determine the questions you’ll need answered…
3. Find Out What Happened
Suffering a data breach isn’t ideal, but it can lend insight into the efficacy of your current cybersecurity efforts. Phase 4 is all about answering who, what, when, where, and how the breach occurred and collaborating to arrive at conclusions. In a previous post, we mentioned that your incident response team will need to sift through various data points to highlight abnormalities.
These abnormalities and red flags should be separated from the rest of your data and used as clues to solve your cyber mystery. You’re looking to determine:
- Where did the cyber criminals slip in? Identify the entry point of the breach.
- When did the breach occur?
- What data was affected or possibly affected?
- How did the breach occur? Were organization internet policies bypassed or ignored? Did a firewall fail to prevent a targeted attack?
- Who is responsible for the breach, if anyone? Did it occur via an employee’s user account? Is negligence involved? Could an employee have reasonably prevented the breach?
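As an added illustration (not code from the original post) of working through the where, when, what and who questions above: a small Python triage script that flags abnormal events in constructed sample access-log lines and condenses them into the answers the review meeting needs. The log format, the internal address range (10/8) and the business-hours window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data): timestamp account source_ip action detail
SAMPLE_LOG = """\
2017-03-01T09:02:11 jdoe 10.0.4.12 login success
2017-03-01T09:15:40 jdoe 10.0.4.12 file_read /finance/q1.xlsx
2017-03-01T23:41:02 jdoe 203.0.113.77 login failure
2017-03-01T23:41:19 jdoe 203.0.113.77 login failure
2017-03-01T23:41:33 jdoe 203.0.113.77 login success
2017-03-01T23:52:08 jdoe 203.0.113.77 file_read /customers/export.csv
2017-03-02T00:03:51 jdoe 203.0.113.77 file_read /customers/export.csv
"""

INTERNAL_PREFIXES = ("10.",)   # assumption: 10/8 is the office network
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal activity

def parse(log):
    # One dict per line; the field order is the constructed format above.
    events = []
    for line in log.strip().splitlines():
        ts, account, src, action, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "action": action, "detail": detail})
    return events

def flag_abnormal(events):
    # Keep every event that breaks a baseline rule, with the reasons it tripped.
    flagged = []
    for e in events:
        reasons = []
        if not e["src"].startswith(INTERNAL_PREFIXES):
            reasons.append("external source address")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if e["action"] == "login" and e["detail"] == "failure":
            reasons.append("failed login")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def summarize(events):
    # Answer when / who / where / what from the flagged events only.
    flagged = flag_abnormal(events)
    if not flagged:
        return None
    first = min(e["ts"] for e, _ in flagged)
    accounts = Counter(e["account"] for e, _ in flagged)
    sources = Counter(e["src"] for e, _ in flagged)
    touched = sorted({e["detail"] for e, _ in flagged if e["action"] == "file_read"})
    return {"when": first.isoformat(), "who": accounts.most_common(1)[0][0],
            "where": sources.most_common(1)[0][0], "what": touched,
            "flagged_events": len(flagged)}
```

The "who" it reports is the account used, not necessarily the person responsible; whether that account was misused or shared is a question for the meeting, not the script.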
4. Make Revisions and Improvements
After determining these circumstances, decide what policy revisions and other improvements are needed to deter a breach in the future.
What can be changed or implemented to prevent contributing factors from occurring in the future?
One recommendation we can make is to back up your data and store it on a separate server or removable media (e.g., an external hard drive). If you practiced this prior to the breach, consider the frequency… should you back up your data more often? And remember, your backup data should be encrypted just like the source data it came from.
Additionally, is your organization particularly prone to breaches? Does your data contain consumer information that attracts cyber criminals? Perhaps you should consider cyber insurance. Cyber insurance works similarly to other types of organization insurance and can aid your recovery efforts.
Remember to always communicate any changes to policy or procedures with all employees and update your cybersecurity policy as needed.
5. Involve Additional Parties When Necessary
Involving key internal resources and stakeholders allows you to uncover the actions that led to a breach and to decide how to proceed. Collaboration with these entities is a pivotal element of the review and revision process… but collaboration with other internal and external resources may also be required or helpful:
- Human Resources: If an employee’s negligence contributed to a breach, you’ll likely need to contact your HR department. Infractions, termination, probation, etc. can be co-navigated with your HR team.
- General Counsel/Legal Aid: Working with an attorney to some extent after a breach is likely. State laws differ on required public disclosures, and an attorney can help determine whether a public statement is advisable. Counsel will also be needed should affected parties choose to pursue legal action against your organization. Attorneys will help determine liability and use the forensic data collected as evidence should legal action ensue.
- Audit and Risk Management Specialists: Specialists can help decipher advisable improvements and changes to your security infrastructure to reduce risk and vulnerability. You may want to look at bringing on these external specialists if you’re having trouble determining the source of the breach or what improvements to make.
- Management: If your organizational hierarchy includes managers of different departments, have a conversation with these employees to ensure they are aware of protocols and how to deal with immediate cyber situations within their department.
- Public Relations: If your PR is handled in-house, contact this team and discuss how external communications will be handled. If you don’t have a team or someone to handle public affairs or if the magnitude is beyond their comfort, consider hiring an external crisis PR team.
Prevention efforts will diminish the chances of your organization suffering a breach, but a fail-safe defense simply doesn’t exist when it comes to cyberattacks. Having an incident response plan and team in place to handle attacks and breaches, together with a post-recovery plan, is the best way to remain prepared!
Look for our eGuide on developing an all-encompassing, start to finish cybersecurity strategy coming out later in 2017!