13 Steps Through a Data Breach

Here is what an organization should do after a security breach occurs.

Data breach
Credit: ThinkStock

With JP Morgan Chase’s data breach fresh in our minds, it is time to walk through the 13 steps for working your way through a data breach recovery. Mimecast’s director of technology marketing Orlando Scott-Cowley runs through these steps, and of course the first one starts with panic. It’s a natural reaction, so do it quickly and get it out of the way!

Don’t panic: You might be finding out your entire IP/credit card system/customer database has been breached, but too many mistakes are made while the adrenalin is pumping.

Damage limitation: Quickly find out what’s been breached: which systems, which data, etc. Seek to remove all access to those systems to prevent further breach. If you believe a criminal offense is being committed, then pull the plug on the server – don’t shut it down, because you want to preserve the OS, files and databases in a forensic state.

Patch holes: Look to patch the holes in your perimeter – this means everything from forcing password resets to removing remote access.

A team reaction: It’s likely you’ll need many business assets to deal with this problem, so convene a response team (IT, C-suite, PR, etc.).

Assess the impact: Determine what’s been breached, what data is missing and who is affected.

Full damage report: Get a small group of technical folk together ASAP who can quickly give you a full "sitrep" on the problem.

PR (or no PR): If you have customers who are affected you’ll need to tell them – be honest, open, transparent. So decide what sort of PR you’ll need to run and get on with it.

Notifications to affected: Notify those affected of what’s happened and what to do about it.

Offer damage limitation to affected: Your customers’ personal details could have been affected. If so, you’ll need to offer some form of damage limitation to help them deal with the fallout of the issue.

Notification to regulator: If applicable, you’ll need to tell your regulator. You’ll need to explain the problem, and how you’re solving it, to your business, the board and investors.

Clean up: Clear up the mess, but don’t cut corners. We know that Advanced Persistent Attacks remain resident on networks for an average of 260 days, so restoring a system from last week’s backup is not an option. It’s likely you’re looking at a full bare metal recovery of affected systems to ensure they’re really clean.

Improve protection: Get professional help in to bolster the levels of protection you had in place. Clearly what you thought was "good enough," wasn't!