How to Respond When Data Breaches Hit the Fan


Not many companies anticipate being the focal point of a significant data breach incident. However, cybercriminals can infiltrate around 93% of businesses within an average of two days. In the third quarter of 2022 alone, approximately 150 million data records were compromised.

In today’s competitive business landscape, companies increasingly rely on data systems like cloud computing and remote working to stay relevant. While these data practices empower organisations, they also expose them, along with their customers and third-party vendors, to additional cyber security risks such as data breaches.

The response of a company to a data breach can have a profound impact on its liability, reputation, and ability to sustain business operations following a cyber incident. This guide will assist you with preparing a comprehensive response plan for potential data breaches.

Common Causes of Data Breaches

Gaining insight into the causes of data leaks and breaches is crucial to understanding their impact. Companies need to recognise that potential data breaches and leaks are more prevalent than they might expect. With a combination of malicious hackers and inadvertent actions by employees, critical incidents are often just a single click away.

Here are some of the most common factors contributing to data breaches:

  1. Phishing
  2. Ransomware
  3. Social engineering scams
  4. Software misconfigurations
  5. Weak passwords
  6. Physical device theft
  7. Third-party breaches
  8. Insider threat

Once cybercriminals breach a company’s files and systems, they have the potential to expose billions of stolen and leaked records on the dark web. This exposes sensitive data, such as personally identifiable information (PII), which can lead to severe consequences like financial fraud or identity theft.

Types of data usually at risk include names, emails, addresses, financial information, bank account details, credit card numbers, social security numbers and other sensitive information.

In the Event of a Data Breach, Companies Typically Aim to Achieve Three Primary Objectives:

  1. Contain the Situation: Swiftly implement measures to prevent the data breach from escalating further, ensuring that the breach is contained, and the damage is mitigated.
  2. Notify Affected Parties and Comply with Regulations: Inform the individuals or entities affected by the breach promptly. This step also involves complying with regulatory requirements, reporting the incident to relevant authorities, and demonstrating a commitment to safeguarding and restoring compromised data.
  3. Remediate and Prevent Future Incidents: Take necessary actions to address the breach, fix vulnerabilities, and eliminate risks to prevent future incidents. Restoring the business to a fully operational state while implementing measures to enhance data security is vital.

Neglecting to Comply with Data Protection Regulations Can Lead to Substantial Penalties, Especially in Cases Where:

  1. The breach could have been prevented through the implementation of fundamental procedures and policies.
  2. The regulatory body deems the company’s remedial actions insufficient following the discovery of the breach.

Here’s What Companies Should Do Immediately After Detecting a Data Breach:

1. Act Quickly

Don’t panic, but act quickly. It is crucial to act promptly to minimise the extent of the damage. Immediate implementation of a comprehensive disaster recovery and incident response plan is necessary to contain the security breach, safeguard personal data, and protect customer information.

Timely action should also involve close collaboration with relevant law enforcement agencies to bring the situation under control and ensure compliance with reporting requirements and legal obligations.

It’s important to note that by the time a data breach is discovered, the systems may have already been compromised for a considerable period. On average, the lifecycle of a breach, from its initiation to containment, spans around 277 days, with a significant portion of that time elapsing before the organisation is aware that a breach has occurred in the first place.

2. Contain the Breach

In the year 2022, it took an average of more than two months to successfully contain a data breach. Again, don’t panic, but do respond promptly and implement measures to restrict further access to critical systems. Here are the recommended actions to achieve this:

  1. Disconnect all connected networks, systems and devices from the access point: In cases where the source of the breach is uncertain, it is crucial to swiftly disconnect all components from the access point used by the malware or threat actor. This proactive step helps contain the attack and limit its impact. However, it is important to exercise caution and seek expert guidance before shutting down compromised machines to avoid unintended consequences.
  2. Gather comprehensive information: During the data breach response process, it is imperative to gather relevant evidence and focus on identifying compromised systems and servers. By doing so, the IT team can isolate the affected components and gather valuable insights for conducting a thorough cyber forensic analysis. This analysis helps in understanding the unauthorised access methods used by the attacker.
  3. Restrict access to critical systems: Upon detecting a data breach, it is essential to swiftly restrict or remove access to critical data. This ensures that only authorised personnel who genuinely require access can interact with sensitive information. Additionally, this action provides an opportunity to strengthen security measures by updating firewalls, antivirus software, anti-malware tools, and other security software.
  4. Reset passwords: If the breach originated from a compromised employee account, it is advisable to reset passwords for the entire organisation as a precautionary measure against further potential compromises. Regular password resets every six months to a year can significantly enhance security and mitigate the risk of future incidents. Implementing multi-factor authentication (MFA) also adds an extra layer of protection to password security.
  5. Seek expert assistance: Engaging the expertise of specialist IT teams or data forensics teams is highly recommended. These professionals can assess the situation, determine when the breach is contained, capture system images, conduct a detailed analysis of evidence and ascertain the extent of the breach. Seeking guidance from a legal firm can also provide valuable advice on when it is safe to resume normal business operations.

Perform a Damage Assessment

Once the affected systems have been quarantined, the incident response team must initiate a thorough investigation into the security incident and the extent of data compromise. By enlisting the expertise of forensic investigators or trained IT professionals, valuable insights can be gained regarding the specific type of information that was compromised and the potential impact on records and individuals involved.

Furthermore, this stage of the investigation provides an opportunity to evaluate the effectiveness of network segmentation in preventing unauthorised access from one server to another. By analysing the breach and its impact on different segments of the network, valuable lessons can be learned about the strengths and weaknesses of the existing network segmentation measures.

3. Determining the Source

Intrusion detection system (IDS) and intrusion prevention system (IPS) software automatically logs security events, allowing users to pinpoint the breach’s location and time. While this is possible without these systems, gathering the information manually is more laborious and costly.

The damage assessment should identify if the breach resulted from human error or software misconfiguration. Understanding the cause, location (internal or external), and user access helps prevent a recurrence.

To pinpoint the breach, provide a list of users with access to compromised systems. Logging software can reveal active network connections during the breach.
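The triage described above, as an added example that is not part of the original article: given a breach window and a set of compromised hosts, it lists the users who logged in to those hosts and the connections that were active during the window. The log format, field names, host names and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log (assumed format: UTC timestamp, event type, key=value fields).
SAMPLE_LOG = """\
2022-09-01T08:02:11Z login user=alice host=db01 src=10.0.4.17
2022-09-01T08:15:40Z conn_open id=c1 host=db01 src=10.0.4.17 dst=10.0.9.5:5432
2022-09-01T09:30:02Z conn_close id=c1
2022-09-03T22:47:09Z login user=svc-backup host=db01 src=203.0.113.50
2022-09-03T22:48:31Z conn_open id=c2 host=db01 src=203.0.113.50 dst=10.0.9.5:5432
2022-09-03T23:10:00Z login user=bob host=web02 src=10.0.4.22
2022-09-04T01:12:54Z conn_close id=c2
2022-09-04T02:00:00Z conn_open id=c3 host=db01 src=203.0.113.50 dst=10.0.9.6:22
"""
# Hypothetical breach window and compromised host set for the sample above.
WINDOW_START = datetime(2022, 9, 3, 22, 0, 0)
WINDOW_END = datetime(2022, 9, 4, 1, 30, 0)
COMPROMISED = {"db01"}

def parse(line):
    """Split one log line into (timestamp, event type, dict of fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def triage(log_text, hosts, start, end):
    """Return (users who logged in to `hosts` in the window, active connection ids)."""
    users, conns = set(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse(line)
        if event == "login" and f["host"] in hosts and start <= ts <= end:
            users.add((f["user"], f["src"]))
        elif event == "conn_open" and f["host"] in hosts:
            conns[f["id"]] = {"opened": ts, "closed": None}
        elif event == "conn_close" and f["id"] in conns:
            conns[f["id"]]["closed"] = ts
    # A connection overlaps the window if it opened before the window ended
    # and was still open (or never closed) when the window started.
    active = sorted(
        cid for cid, c in conns.items()
        if c["opened"] <= end and (c["closed"] is None or c["closed"] >= start)
    )
    return sorted(users), active

if __name__ == "__main__":
    users, active = triage(SAMPLE_LOG, COMPROMISED, WINDOW_START, WINDOW_END)
    print("Logins to compromised hosts in window:", users)
    print("Connections active in window:", active)
```

Logins made before the window are not counted here because the sample format has no logout event; a real review would also check sessions that were already open when the breach began.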

4. Identify and Fix Vulnerabilities

Understanding the origin of a data breach is essential for effectively addressing risks and vulnerabilities. Real-time threat detection and response tools can be invaluable in this regard, even if they were not previously installed or active during the breach.

During the data breach response process, organisations must assess their entire attack surface. This includes monitoring for potential vulnerabilities across their systems as well as the environments of third-party vendors. A comprehensive data breach response plan should outline the critical aspects of the system, enabling prioritisation of security solutions. It is important to strike a balance between short-term and long-term solutions to minimise damage and expedite recovery.

5. Inform Relevant Parties

Here are the main parties to notify following a data breach:

  1. Regulatory Bodies and Law Enforcement: Depending on the industry, nature of the breach, and data loss impact, a company experiencing a data breach may be obligated to inform appropriate law enforcement agencies to ensure compliance with federal or state laws. Various data protection regulations like the Data Protection Act 2018, General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act 1996 (HIPAA) specify timeframes for reporting data breaches. Timely, comprehensive, and transparent communication regarding breach details, causes, and remedial actions should be provided in the company’s notification.
  2. Customers, Clients and Stakeholders: After reporting the data breach, the company must devise a plan for notifying the individuals impacted and providing an explanation of how the cybercriminals gained access to the data and exploited the stolen information. Contact information should be supplied for any further inquiries related to the incident. Swift notifications enable affected parties to take necessary measures, such as changing passwords and reaching out to credit bureaus like Equifax for credit reports, ongoing monitoring and fraud alerts. Some affected organisations may offer complimentary credit monitoring services to data breach victims. Prioritising communication with stakeholders is also essential, as it demonstrates the company’s prompt and effective response, safeguarding its reputation and earning stakeholder trust.
  3. Cyber Insurance Companies: Companies handling sensitive data that they cannot afford to lose are strongly advised to consider obtaining cyber liability insurance. While cyber insurance does not prevent data breaches, it provides coverage for the financial losses incurred because of such breaches.
  4. Staff and Third-Party Entities: Apart from notifying customers, clients, business partners, and authorities, companies must inform their internal staff as well. Building trust within the organisation is equally important. The internal communication should provide a comprehensive overview of the incident and outline the steps being taken to address the issue. Furthermore, companies should inform any third-party agencies that have been affected by the breach. If the breach involved account access information that is not maintained by the affected company, the organisation responsible for maintaining those accounts should be notified.

6. Test Cyber Security Defences 

After completing the data protection procedures, you should assess the effectiveness of your security measures and determine if they would withstand future attacks. The implementation of new cyber defences should address any identified issues and update policies and procedures accordingly, to be prepared for potential cyber-attacks or data breaches.

To ensure that vulnerabilities no longer pose a significant risk, the organisation should conduct penetration testing and ethical hacking. This testing will verify that it is no longer possible for another hacker to replicate the original method of cybercrime. Regular annual testing should be conducted to stay prepared against emerging threats and to ensure that all software has appropriate safeguards in place.

7. Implement New Data Security Policies and Procedures 

After experiencing a data breach, the company must conduct an internal review of its policies and identify any security gaps that may have contributed to the incident. If such gaps are identified, the security measures should be revised to minimise the likelihood of a similar incident occurring in the future. Clear and comprehensive incident response plans should be in place, covering all aspects of the company’s attack surface and providing specific procedures to follow in response to any incident. If any of these plans are unclear, it is necessary to consider rewriting them.

Furthermore, business continuity and disaster recovery plans are vital to ensure the company’s ability to continue operating after a data breach. Regular reviews of all plans – incident response, business continuity, and disaster recovery – should be conducted to keep them up to date.

Companies that have well-prepared incident response plans have significantly reduced data breach damage costs compared to those that must react and learn on the fly. On average, prepared companies have incurred $2.66 million less in costs than the worldwide average.

It is also beneficial for companies to have a designated individual or team, such as a Chief Information Security Officer (CISO) or Chief Information Officer (CIO), to lead the response efforts. This individual or team can assemble dedicated IT security response teams to safeguard customer data.

Most importantly, plans should be practised. You should have regular ‘dress rehearsals’ to measure your team’s readiness — the time it takes to identify a breach and respond. If this isn’t something you’ve done internally yet, a good place to start is by attending a training course that simulates real scenarios and tracks effectiveness and response times.

Embrace Risks Before They Hit the Fan

The significance of a data breach response plan cannot be overstated in today’s digital landscape. The increasing frequency and sophistication of cyber-attacks pose significant threats to organisations of all sizes and sectors. By defining roles, responsibilities, and communication channels in advance, an incident response plan ensures a coordinated and organised approach during the critical moments following a breach.

Risk Crew