4 Things You’re Not Supposed To Do After A Breach
You are probably quite familiar with the terms ‘data backup’, ‘data recovery’ and ‘endpoint protection’, as more than a thousand blogs have already been written on how to stay away from cyber attacks and on what to do when you have already been targeted. These solutions are undoubtedly helpful and can protect you from online threats. However, you need to remember that during a data breach, some of your actions can be as dangerous as they are helpful.
In this blog, I will discuss what you should avoid doing once you realize that your systems have been breached.
Please don’t try to improvise
When you have already been attacked, your first instinct will be to start correcting the situation, which may include protecting the targeted endpoints or reverting to backups in order to close the entry point. However, if you have not developed a strategy in advance, whatever decisions you make now could worsen the situation and have the reverse effect.
“The first thing you should not do after a breach is create your response on the fly,” said Mark Nunnikhoven, the Vice President of Cloud Research at cyber security solution provider Trend Micro. “A critical part of your incident response plan is preparation. Key contacts should be mapped out ahead of time and stored digitally. It should also be available in hard copy in case of a catastrophic breach. When responding to a breach, the last thing you need to be doing is trying to figure out who is responsible for what actions and who can authorize various responses.”
Ermis Sfakiyanudis, President and CEO of data protection services company Trivalent, agrees with this approach. He said it is very important that organizations “do not freak out” after they have been hit by a data breach. “While unpreparedness in the face of a data breach can cause irreparable damage to a company, panic and disorganization can also be extremely detrimental,” he said. “It is critical that a breached company not stray from its incident response plan, which should include identifying the suspected cause of the incident as a first step. For example, was the breach caused by a successful ransomware attack, malware on the system, a firewall with an open port, outdated software, or an unintentional insider threat? Next, isolate the affected system and eradicate the cause of the breach to ensure your system is out of danger.”
He also said that when companies are in over their heads, they should ask for help. “This includes legal counsel, outside investigators who can conduct a thorough forensic investigation and public relations and communication experts who can create strategy and communicate to the media on your behalf,” he added.
“With this combined expert guidance, organizations can remain calm through the chaos, identifying what vulnerabilities caused the data breach, remediating so the issue doesn’t happen again in the future, and ensuring their response to affected customers is appropriate and timely. They can also work with their legal counsel to determine if and when law enforcement should be notified.”
Don’t remain silent
Once you’ve been hit, you may feel relieved thinking that no one outside of your inner circle knows what has happened. But you should not remain silent. You should communicate with your employees, vendors and customers, and let everyone know what has been accessed, what steps you have taken to remedy the situation, and what plans you have made to ensure that no similar attacks occur in the future. “Don’t ignore your own employees,” advised Heidi Shey, Senior Analyst of Security & Risk at Forrester Research. “You need to communicate with your employees about the event, and provide guidance for your employees about what to do or say if they are asked about the breach.”
Don’t close incidents too early
Now you have closed off the compromised endpoints. You have communicated with all your employees and customers. You have also recovered all your critical data. Your crisis has finally come to an end. However, you should not stop here: continue to monitor your network aggressively and proactively to ensure that there are no follow-up attacks.
After a data breach is resolved, you should not assume that the technology and plans you had in place before the breach will be sufficient. “There are gaps in your security strategy that were exploited and, even after these gaps are addressed, it doesn’t mean there won’t be more in the future. In order to take a more proactive approach to data protection moving forward, treat your data breach response plan as a living document. As individuals change roles and the organization evolves via mergers, acquisitions, etc., the plan needs to change as well,” said Sfakiyanudis.
Don’t forget to investigate thoroughly
Sfakiyanudis asks companies to document everything while investigating a breach. “Gathering information on an incident is critical in validating that a breach occurred, what systems and data were impacted, and how mitigation or remediation was addressed. Log results of investigations through data capture and analysis so they are available for review post-mortem,” he said.
He also advised interviewing anyone involved and documenting their responses carefully.