That sinking feeling in your gut just overwhelmed your whole body and you almost feel a little dizzy.  You were just informed that it appears that your business is the victim of a data breach.  You aren’t sure yet whether hackers have remotely accessed your systems and stolen personal information or whether a trusted member of your staff accidentally exposed customer or confidential data.  The immediate question becomes “What do we do next?”  Refer to your data breach response plan.

The Federal Trade Commission (FTC) has published a guide to responding to a data breach which gives a high-level overview to how your company should respond to such an incident.

  1. Secure your operations
  2. Fix vulnerabilities
  3. Notify appropriate parties

This post will focus on the first step:  Secure your operations

It may seem obvious that securing your operations would be an absolutely necessary element of a data breach response.  However, in the heat of the moment following the news of a breach, a checklist-based approach would be a valuable guide since time is of the essence.

First, assemble a team of experts to address the issue on many fronts in order to prepare a comprehensive response.  There will likely need to be team members from the IT, legal, human resources, operations, and communications segments of your business.  Without question, top-level management can’t ignore this issue and delegate to subordinates.  Management must be directly involved and understand the scope of the issue and potential damage.  After all, they have to be prepared to allocate necessary resources immediately.

Consider hiring a third-party data forensic investigator to understand the source and the scope of the breach.  It will be much harder to complete the obvious step of securing your operations if you don’t have clarity about where the breach occurred and how much data the breach exposed.

Naturally, a call to legal will be in order.  With respect to a data breach response, your general practice attorney, whether outsourced or in-house, will probably refer you to a specialized attorney with cybersecurity and data security expertise.  Federal and state laws entail specific reporting requirements that will determine the content and timing of your course of action.

Local law enforcement may need to be involved as well.  This is especially true if the breach had any element of a physical intrusion.  With that in mind, it may be an opportune time to update access controls and codes for building areas where sensitive data is stored.

Shutting down further data loss requires a balanced approach.  The inclination is to shut down everything all at once.  That is partly right.  Initially, take the affected systems off the network to prevent further intrusion.  But don’t power down internal systems until that has been cleared with the forensic team.  There may be processes running that they need to review before a shutdown.

Once the forensic team has what it needs, cleaning up the systems is the top priority.  Replace affected computers with clean machines.  Before those computers go online, update the credentials for all authorized users.  This is absolutely vital in the case of a breach that involved stolen credentials.  It is a good idea in any event to force new passwords while users are at a heightened level of awareness. 

Let the users who discovered the breach know that they should expect to be interviewed by the forensic team to assist in the investigation.  Their information and recollection of events can make a substantial difference in how quickly a determination can be made.

It probably goes without saying, but any evidence related to the breach needs to be preserved.  Like a crime scene on a TV cop show, don’t remove, erase, or tamper with the systems or the data that could help investigators track down how the bad guys got in or what they did while they had access.
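One practical way to back up the “don’t tamper with the evidence” rule is to hash every collected artifact at the moment it is secured and keep a chain-of-custody log, so the forensic team can later prove nothing changed between collection and analysis.  The script below is an added example, not code from the original post or from Responsive IT; the evidence directory, the sample log line and the custody names in it are constructed for illustration.

```python
"""Evidence-preservation manifest: hash collected files and keep a custody log.

Added example, not part of the original post. The evidence files, log line
and custody entries created in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collected_by: str) -> dict:
    """Record hash and size of every file under evidence_dir plus the first custody entry."""
    now = datetime.now(timezone.utc).isoformat()
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "collected_at": now,
        "custody": [{"who": collected_by, "action": "collected", "at": now}],
        "files": files,
    }


def add_custody_entry(manifest: dict, who: str, action: str) -> None:
    """Append a hand-off (e.g. copy given to the forensic team) to the custody log."""
    manifest["custody"].append(
        {"who": who, "action": action, "at": datetime.now(timezone.utc).isoformat()}
    )


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the files on disk with the manifest; report anything changed, lost or added."""
    expected = manifest["files"]
    present = {p.relative_to(evidence_dir).as_posix(): p
               for p in evidence_dir.rglob("*") if p.is_file()}
    modified = [n for n, meta in expected.items()
                if n in present and sha256_file(present[n]) != meta["sha256"]]
    missing = [n for n in expected if n not in present]
    unexpected = [n for n in present if n not in expected]
    return {
        "ok": not (modified or missing or unexpected),
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


def demo() -> dict:
    """Run the workflow on constructed sample evidence and return both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "logs").mkdir(parents=True)
        # Constructed sample artifacts; not data from any real incident.
        (evidence / "logs" / "auth.log").write_text(
            "Jan 01 03:14:07 srv1 sshd[2201]: session opened for user svc_backup\n")
        (evidence / "exported_config.txt").write_text("constructed placeholder artifact\n")

        manifest = build_manifest(evidence, collected_by="IT lead (constructed name)")
        # Keep the manifest outside the evidence tree so it is not itself "evidence".
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        add_custody_entry(manifest, "forensic investigator (constructed name)", "received copy")
        intact = verify_manifest(evidence, manifest)

        # Simulate the mistake the post warns against: editing and adding files after collection.
        (evidence / "logs" / "auth.log").write_text("")
        (evidence / "notes.txt").write_text("added after collection\n")
        tampered = verify_manifest(evidence, manifest)

        return {"intact": intact, "tampered": tampered,
                "custody_entries": len(manifest["custody"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see a clean verification followed by one that flags `logs/auth.log` as modified and `notes.txt` as unexpected.  In a real response the manifest and custody log would be written to removable media or a separate system, with the hashes recorded before any copy is handed to the investigators.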

The next installment of this series on Data Breach Response will address the next step:  Fix vulnerabilities.

Please contact your Responsive IT cybersecurity consultant at 630-554-0700 if this article raises questions or concerns regarding cybersecurity data breach response.