Data Breach 911: Six Steps to Take After a Data Compromise
Uh-oh. It’s the worst nightmare imaginable for system administrators and security professionals, and now it’s happened to you: a data breach.
The risk of damage—to your company’s finances and its reputation—is high. But before you spiral into full-blown panic, take a deep breath and think about the best way to approach the situation. History has proven that how a company responds to a data breach, both internally and externally, is critical to minimizing fallout.
Here are six tasks to kick into gear as soon as a compromise is discovered:
1. Identify and react. Discover which machines are affected, and take them off the network immediately. This cuts off any communication still ongoing with those responsible for the data breach. Avoid shutting machines down, and avoid running antivirus scans and cleanup utilities, so that forensic evidence (memory, running processes, logs) is preserved. Determine which systems were compromised and how the attack got in, so you can close that attack vector moving forward.
2. Change passwords and pull audit logs. Data breaches are often the result of stolen passwords and credentials. Audit logs will help scope the scale of the incident and determine if the breach is complete or still ongoing. Change all passwords, online credentials and password Q&A for any online account affected. Remind users to choose a strong password with special characters and numbers, and never use one password for all online accounts.
3. Assess the damage. What exactly was stolen and how sensitive was the information? Email addresses alone are relatively innocuous, whereas credit card information and SSNs are far more damaging and can lead to direct financial losses. Review logs to find out what information was accessed or stolen and which accounts and machines were compromised. Refer to IDS logs to learn which systems were affected, what method of attack was used, and how long the breach lasted.
4. Communicate internally. Get in touch with corporate legal counsel to determine if further action—such as alerting law enforcement—is warranted or necessary. Human Resources, Customer Service, and Public Relations all need to begin anticipating questions and formulating public responses.
5. Communicate publicly. The way a company handles (or is perceived to handle) a data breach is almost as important as preventing the next compromise incident. A forthright approach is almost always best. Outline what information was affected and what the company plans to do in the future to prevent such occurrences from happening again. Similar to an incident response team, form a special group to assist with emails, phone calls and online inquiries from the public.
6. Prepare and practice. Ideally, you’ve already done this by the time a breach occurs, but if not, get started right away. Create a data breach response policy and an incident response team. Clearly define the scope of roles and responsibilities for team members, and make this written documentation easily available within the organization. Mock up a data breach to practice your team’s response. Every hour that passes is critical. Practicing your response will speed the time to containment, remediation and review. It’s worth repeating: Have a plan and practice it.
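Steps 2 and 3 both come down to the same task: pull the audit logs and use them to scope the incident (which accounts and hosts were touched, over what time window, and whether the activity is still going on). The script below is an added example, not code from the original article; the log format, the field names, the sample lines and the "failed logins followed by a success from outside the internal range" heuristic are all constructed for illustration and would need to be adapted to a real log source.

```python
"""Scope a suspected credential-based breach from audit log lines.

Added example, not part of the original article. The log format, field
names, sample lines and the suspicion heuristic are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: "<ISO timestamp> <host> <event> user=<name> src=<ip> ..."
SAMPLE_LOG = """\
2024-03-01T08:02:11Z web01 login_ok user=alice src=10.0.0.12
2024-03-01T08:05:40Z web01 login_fail user=bob src=198.51.100.7
2024-03-01T08:05:42Z web01 login_fail user=bob src=198.51.100.7
2024-03-01T08:05:45Z web01 login_ok user=bob src=198.51.100.7
2024-03-01T08:07:03Z db01 query_export user=bob src=198.51.100.7 rows=120000
2024-03-01T08:09:30Z web02 login_ok user=carol src=10.0.0.20
2024-03-01T08:15:12Z db01 query_export user=bob src=198.51.100.7 rows=45000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(lines):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        yield rec


def scope_incident(log_text, internal_prefix="10.0.0.", now=None,
                   ongoing_window=timedelta(hours=1)):
    """Summarise suspect users, affected hosts, the attack window and recency.

    Heuristic (an assumption for this example): an account is 'suspect' once it
    logs in successfully from outside the internal range after one or more
    failed attempts from that same source address.
    """
    events = list(parse(log_text.splitlines()))
    fails = defaultdict(int)   # (user, src) -> failed logins seen so far
    suspects = {}              # user -> time of first suspicious successful login
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "login_fail":
            fails[key] += 1
        elif (e["event"] == "login_ok"
              and not e["src"].startswith(internal_prefix)
              and fails[key] > 0):
            suspects.setdefault(e["user"], e["ts"])

    # Everything a suspect account did from its first suspicious login onward is in scope.
    in_scope = [e for e in events
                if e["user"] in suspects and e["ts"] >= suspects[e["user"]]]
    first = min((e["ts"] for e in in_scope), default=None)
    last = max((e["ts"] for e in in_scope), default=None)
    now = now or datetime.now(timezone.utc)
    # "Still ongoing" if the most recent in-scope event falls within the window before now.
    ongoing = last is not None and (now - last) <= ongoing_window
    return {
        "suspect_users": sorted(suspects),
        "affected_hosts": sorted({e["host"] for e in in_scope}),
        "first_seen": first,
        "last_seen": last,
        "event_count": len(in_scope),
        "possibly_ongoing": ongoing,
    }


if __name__ == "__main__":
    # Pretend the analyst runs this at 08:20 on the day of the constructed incident.
    summary = scope_incident(SAMPLE_LOG, now=parse_ts("2024-03-01T08:20:00Z"))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The output lists the single suspect account, the two hosts it reached (the web front end and the database server holding the exported rows), the window between the first suspicious login and the last export, and a flag saying the activity was seen within the last hour, which is the cue from step 2 that the breach may still be in progress and containment from step 1 is not finished.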
No one wants to contend with a data breach—especially in this era, when so much personal and financial information is used online daily. However, companies have an obligation to their customers, employees and shareholders to do their due diligence and protect data effectively. Be sure you’re implementing the right security solutions to prevent would-be attackers from accessing your systems and networks. At the same time, be prepared to respond swiftly and smartly should the unthinkable ever occur.