It’s every small business owner’s nightmare: you look at the activity logs and realize there’s been a data breach. You’re not sure what data is compromised or deleted or what the breach means for your business. You have a pit in your stomach, or maybe an overwhelming sense of dread.
What should you do if your company is hacked?
- Locate the cause/source of the breach
- Contain the damage & isolate devices as needed
- Determine the scope/damage of the breach
- Respond rapidly: security, legal, PR personnel, etc.
- Contact law enforcement
- Report breach to customers
- Repair/rebuild security & network
- Learn from your mistakes
There’s an in-depth overview of each step below. Every piece of this response plan is crucial to recovering quickly and minimizing loss of business, so don’t skip a single one.
A Step-By-Step Guide to Respond to a Data Breach
1. Locate the Cause or Source of the Data Breach
Take a deep breath before you act. You need a first pass at the 5 Ws of a data breach before you change anything, because the actions in the later steps (wiping machines, resetting accounts, restoring backups) can destroy the evidence that answers them. You will answer these questions in depth later on, but you need a basic understanding of each component in order to respond effectively.
- WHO – Whose data was compromised? List every impacted individual, both inside and outside your organization, along with every account the attacker was able to use.
- WHAT – What data was stolen/altered/destroyed? You need to identify what the affected data was in order to recover from backups and report the details of the breach to the appropriate people.
- WHERE – Where did the breach occur? Identify the entry point of the attack and the systems it reached. It could be a compromised login, a phishing email with a malicious link or attachment that someone clicked, or an employee connecting from an untrusted network, such as coffee-shop Wi-Fi, and unwittingly exposing your systems to criminals.
- WHEN – When did the breach take place, and how long did it last? Pin down when the attacker first got in and when the last sign of their activity was. That window tells you whose data could have been reached, how far back your backups need to go, and how far back your logs must reach to show the whole picture.
- WHY – Why did the breach slip through your defenses? Answering this question is key to every other step in the process. When you report the breach to law enforcement, affected customers or employees, or anyone else, it’s important to understand and explain why it happened and what you will do in future to prevent the same type of breach from happening again.
2. Contain the Damage and Isolate Necessary Devices
As soon as you detect a breach, preserve the evidence before you clean anything up: copy the logs from affected systems, servers, firewalls and cloud services somewhere the attacker can’t reach, and take a disk image or snapshot of the affected machines. Running an antivirus scan or wiping a device first removes the very files you need to work out how the attacker got in. Then reset everyone’s passwords and revoke active sessions and API keys. Every single one, because you don’t yet know which credentials the attacker holds.
Once you have determined the source of the hack and captured copies for the investigation, remove the malicious files and persistence the attacker left behind. You don’t want to give the malware another go at your critical data!
Identify every affected device and quarantine it from the rest of your network and from the internet as a whole, by pulling the network cable or disabling the network adapter rather than powering it off, so that memory and running processes can still be examined. You don’t want to give anything a chance to spread further.
Additionally, at this point, it’s important to isolate untouched business critical devices and systems so that they remain uncorrupted.
A preliminary pass at containing the damage and separating tech to prevent further compromise sets you up to begin your investigation and gain a deeper understanding of what has happened to your business.
3. Determine the Scope and Damage of the Data Breach
Your in-depth investigation into the data breach begins now. Return to the 5 Ws of the data breach and dive as deep as you can into the answers to those questions. Take your time and be thorough in this step. It’s crucial to later rebuilding your security.
Create a timeline of how the breach occurred and spread: which account or system was touched first, which ones followed, and from where. Review your company social media accounts to ensure there are no unauthorized posts or messages. Search for the compromised data online and compile a list of the sites where you find it, then contact those sites and request that they take the data down.
Record everything you uncover. You’ll need to share what you discover with your crisis response team, law enforcement, customers, and maybe even compliance officers.
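As an added example that is not part of the original article, the script below shows what a first pass at the WHO, WHERE and WHEN of step 1 and the timeline of step 3 looks like when it is driven from logs rather than memory. It reads syslog-style sshd authentication lines, picks out the activity from an attacker address identified during triage, and reports the accounts and hosts reached, the first and last confirmed access, and any later logins to those same accounts from unfamiliar addresses (since the attacker now holds those credentials, the breach window may extend past the last login from the address you already know about). The log lines, hostnames, usernames, the attacker address and the log year are all constructed for the example.

```python
"""First-pass breach timeline from sshd authentication logs.

Added example, not code from the original article. The log lines, hosts,
users, attacker address (203.0.113.45, a documentation range) and the log
year are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample log (not real data), in common sshd syslog format.
SAMPLE_LOG = """\
Mar  3 08:12:41 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:12:44 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 08:13:02 fileserver sshd[2215]: Accepted password for jsmith from 203.0.113.45 port 51040 ssh2
Mar  3 09:30:10 fileserver sshd[2301]: Accepted publickey for backup from 192.0.2.10 port 40110 ssh2
Mar  5 22:41:17 billing sshd[5120]: Accepted password for jsmith from 203.0.113.45 port 60012 ssh2
Mar  6 01:05:33 billing sshd[5188]: Accepted password for rlee from 203.0.113.45 port 60100 ssh2
Mar  9 14:20:09 fileserver sshd[6402]: Accepted publickey for jsmith from 198.51.100.7 port 33001 ssh2
"""

# Assumed indicator from initial triage: the address the stolen credentials were used from.
ATTACKER_IPS = {"203.0.113.45"}
# syslog timestamps carry no year; the investigator supplies it (assumed here).
LOG_YEAR = 2021

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class Event:
    when: datetime
    host: str
    user: str
    ip: str
    accepted: bool


@dataclass
class BreachSummary:
    first_activity: Optional[datetime] = None   # earliest attacker touch, failures included
    first_access: Optional[datetime] = None     # WHEN: first successful login
    last_access: Optional[datetime] = None      # WHEN: last successful login seen
    accounts: set = field(default_factory=set)  # WHO: accounts the attacker logged in as
    hosts: set = field(default_factory=set)     # WHERE: systems the attacker reached
    failed_attempts: int = 0

    def dwell_hours(self) -> float:
        """Hours between first and last confirmed access: a lower bound on dwell time."""
        if not self.first_access or not self.last_access:
            return 0.0
        return (self.last_access - self.first_access).total_seconds() / 3600


def parse_line(line: str, year: int = LOG_YEAR) -> Optional[Event]:
    """Parse one sshd auth result line; returns None for lines of other kinds."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(when, m["host"], m["user"], m["ip"], m["result"] == "Accepted")


def parse_log(text: str) -> list:
    """All auth events in the log, oldest first."""
    events = (parse_line(line) for line in text.splitlines())
    return sorted((e for e in events if e), key=lambda e: e.when)


def summarize(events: list, attacker_ips: set = ATTACKER_IPS) -> BreachSummary:
    """Collect WHO/WHERE/WHEN from the events tied to known attacker addresses."""
    s = BreachSummary()
    for e in events:                       # events are already time-ordered
        if e.ip not in attacker_ips:
            continue
        s.first_activity = s.first_activity or e.when
        if e.accepted:
            s.first_access = s.first_access or e.when
            s.last_access = e.when
            s.accounts.add(e.user)
            s.hosts.add(e.host)
        else:
            s.failed_attempts += 1
    return s


def other_sources(events: list, summary: BreachSummary, attacker_ips: set = ATTACKER_IPS) -> dict:
    """Logins to compromised accounts, after the first break-in, from addresses not yet
    attributed to the attacker. Each one needs to be confirmed with the user; if it was not
    them, the breach window extends beyond summary.last_access."""
    suspects: dict = {}
    for e in events:
        if (e.accepted and e.user in summary.accounts and e.ip not in attacker_ips
                and summary.first_access and e.when > summary.first_access):
            suspects.setdefault(e.user, set()).add(e.ip)
    return suspects


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print(f"first attacker activity : {s.first_activity}")
    print(f"first / last access     : {s.first_access} / {s.last_access}")
    print(f"confirmed dwell (hours) : {s.dwell_hours():.1f}")
    print(f"accounts used           : {sorted(s.accounts)}")
    print(f"hosts reached           : {sorted(s.hosts)}")
    print(f"failed attempts         : {s.failed_attempts}")
    print(f"unconfirmed logins      : {other_sources(evs, s)}")
```

Two things the output makes concrete: the failed attempts against a non-existent "admin" account date the attacker’s first contact a few seconds before the first successful login, and the later jsmith login from a third address has to be checked with the user before you can declare the breach window closed. In a real investigation the input comes from a central log store covering the whole suspected window, which is why log retention (step 6) matters so much.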
4. Respond Rapidly by Deploying Security, Legal, and PR Staff
Speaking of your crisis response team, now is the time to get them involved. Ideally you already have information security, legal, and marketing staff named in your recovery plan to head up the different prongs of your inquiry and recovery process. If you never made a recovery plan before the breach, that’s okay; assign the roles now.
First you need an experienced security expert, ideally one that has helped in the recovery of a breach before. They’ll help you navigate the crunchy technical aspects of the investigation and reconstruction without having to become an expert yourself. This is a service CloudNexus is happy to provide, please reach out for more information!
Next you’ll need a legal representative, one that’s well versed in privacy law. They can handle the reporting of the breach and ongoing correspondence with law enforcement and the necessary compliance or regulatory agencies. You also need them to help you ensure that the system you rebuild is up to the highest legal standard.
Finally, you need to appoint someone in your marketing department to handle the non-legal reporting aspects of the breach. This person should focus on providing accurate and up to date information to anyone whose data was compromised and summarize your efforts to remediate the breach. They may have to handle reporters if those affected talk to the media, so keep that in mind when choosing your representative.
5. Contact Law Enforcement
After you’ve contained the damage and rallied your response team, it’s time to report to the authorities. Your local law enforcement branch may have a cyber crimes unit, or be in touch with one who can investigate the criminals responsible for the breach and attempt to bring them to justice.
It’s extremely important to get the police involved as soon as you can. Law enforcement has access and methods to obtain information that you and your staff, as civilians, do not. While there is no guarantee they’ll apprehend those involved, it helps law enforcement to document how breaches occur and learn the patterns of cyber criminals.
6. Report the Data Breach to Your Customers
How you handle this step is key to the integrity and reputation of your company moving forward. It may be tempting to stay silent and wait to see whether the breach has any negative impact, but if any impact surfaces later, the silence will damage your reputation far more than the breach itself.
Additionally, if you handle payment card data under PCI DSS or protected health information under HIPAA, you have specific notification duties. HIPAA’s breach notification rule requires you to notify the affected individuals and the Department of Health and Human Services within fixed deadlines, and larger breaches must also be reported to the media. PCI DSS is a contractual obligation rather than a law, but it requires you to report a compromise to your acquiring bank and the card brands. Most states also have breach notification laws of their own, and all of these regimes expect you to say when the breach occurred and what data was affected.
IBM’s 2021 Cost of a Data Breach Report found that it took organizations an average of 212 days just to identify a breach. Meanwhile, many firewalls, servers, and cloud-based EHR systems keep access logs for only days or weeks by default, sometimes as little as 7 days.
That means that by the time you detect a breach, the logs you need to establish when it began and what was touched may already be gone, and the fines for failing to meet these notification requirements are steep. Forward your logs from every device and service to a central store that the attacker cannot alter, keep them for well over a year, and include that store in your backups, so that the evidence is there when you need to trace a breach.
Write an open, honest, and comprehensive announcement letter to send to your customers. Tell them how the breach occurred, what data was compromised, what you have done about it, and what they should do to protect themselves (for example, change a reused password or watch for fraudulent charges). Stick to what your investigation has confirmed rather than speculating. Send it out as soon as it’s ready, and keep your customers and staff informed as new developments arise.
7. Repair and Rebuild Your Security and Network
Once your investigation of the breach and thorough documentation is complete, it’s time to fix what has been broken.
Rebuild compromised devices from known-good installation media rather than trying to clean them in place, since you can’t be sure a cleaned machine is free of everything the attacker left behind. Replace hardware you can’t confidently rebuild. Once a device is reinstalled with your security software and the necessary applications, it can go back into circulation.
Restore your data from a backup taken before the breach began, using the start date you established in step 1. A backup taken while the attacker was inside can carry their tools and accounts straight back into the rebuilt environment, so scan anything from inside that window before restoring it.
Push security updates to all your company devices and send out cybersecurity refreshers to all your staff. Revisit password change protocols, turn on multi-factor authentication wherever it is available, and address the other human elements of security that can help your company protect itself.
8. Learn From the Data Breach and Your Mistakes
Last but certainly not least, after the rebuild of your company’s network and applications, review every step of the data breach.
Please fight the urge to return to business as usual without reflecting on your processes and how they could serve you better in the event of another breach. It’s entirely possible that it could happen again and you need to prepare.
After a breach is a great time to do a security audit and have a third party tell you where your vulnerabilities are. If the expense of the breach drained your savings, consider purchasing a cyber liability insurance policy to further protect your business.
Review your cybersecurity plan and recovery plan. Why were you a target? What were your security strengths and gaps before the breach? How did you respond well during the breach? What changes can you make to wrap your data in more layers of security? Did your breach response team perform well? How could you better prepare for another breach?
Unfortunately cyber attacks and data breaches aren’t a one and done obstacle. You can and likely will face more than one in the life of your business. It’s best to prepare for the worst and hope for the best.
Preparing For a Possible Data Breach
Armed with this general data breach response plan, you will be a little more prepared than you were before. It is our hope that this blog will be only the beginning of the conversation around your recovery plan and security strategy.
Helping small business owners create security strategies and a comprehensive business recovery plan is our specialty. To continue the conversation with a CloudNexus expert, consider scheduling a complimentary preliminary audit today!