It’s a sad reality of our current time that a security or data breach can be considered an inevitability, rather than a possibility. With that in mind, many businesses are correctly wondering what to do when the worst happens. In his latest column, Netitude's Adam Harling runs through what to do after a breach.
Step 1 – understand
It sounds obvious, but if you believe you have suffered a breach, the first thing to determine is what has actually occurred. Have credentials been compromised, has someone in the organisation fallen foul of a targeted spear-phishing attack and transferred funds, or perhaps files have been encrypted and you are staring at a ransom note?
If the breach is internal, promoting honesty in this situation is the best policy. Mistakes happen, and the attacker is at fault. Your IT team will be much better equipped to deal with the situation if they have a good idea of how the breach occurred and the route taken.
If the breach is outside of your organisation and direct control, perhaps where a third party holds your data, look to the organisation to provide exact details.
Step 2 – impact assessment
The next step is determining the impact of the breach. If credentials have been compromised, change passwords quickly, use strong passwords (this online tool can help), and enable multi-factor authentication if you have not already.
If you are staring at a ransom note, with encrypted files on your network, I’m afraid to say your only likely recourse is the restoration of backups. There is a small chance that a site like No More Ransom may be able to help and unlock the files, but this is very much the last resort.
If you store personally identifiable information, was any of this data harvested? Your GDPR policy should already outline the steps to take if you do find customer data has been compromised. This can be a truly scary scenario, with a high impact on reputation and perhaps heavy fines from the ICO.
Step 3 – respond
Once you understand the impact and scale of the breach, a rapid response is required to limit the damage.
Change authentication credentials and ensure strong password policies are in place. Enable multi-factor authentication on your own technology. If your data is held by a third party, they too should make use of multi-factor authentication. If not, review the risk this presents to your business.
If you are in a data recovery situation, time is of the essence to minimise downtime and lost work. Your backup is a critical part of your cybersecurity policy, so ensure you have a system in place that takes regular “snapshots” of your data, with off-site or alternative cloud data storage.
In some cases, hackers will disable backups before encrypting files. Ensure your backup systems are protected with separate credentials, and ideally within a segregated network.
Don’t wait around
While the above is a long way from a true breach policy, it should give you some immediate actions and responses.
There are numerous products and services that can truly help reduce the risk of a breach: breach detection, regular penetration tests and vulnerability scanning, and of course user awareness training, to name but a few. Talk to your security partner about these technologies.
Perhaps surprisingly, according to the Ponemon Institute’s “2018 Cost of a Data Breach” study, cyber breaches take an average of 197 days to be discovered. Let that statistic sink in: it is entirely possible that your organisation is already breached, you just don’t know it yet.