The Definitive Data Breach Incident Response Plan Checklist

According to recent research by the Identity Theft Resource Center, data breaches jumped nearly 70% in 2021 over 2020 — hitting an all-time high of 1,862 incidents. As the frequency of data breaches increases, it becomes even more crucial to have a clearly defined data breach incident response plan in place. Here are five key action items that every response plan should include.

Learn more about how to protect against and respond to cybersecurity incidents with Symmetry Systems’ Cyber Security Incident Response: The Ultimate Guide.

The 5 Essential Data Breach Incident Response Plan Action Items

Alert Your Incident Response Team

Every organization should have an incident response team (IRT) that includes representatives from every part of the business — from IT to PR — to handle all aspects of the breach resolution process. Once it’s clear that a breach has occurred, the first step is to inform the IRT so they can get to work.

The next step is to contact your insurance company. As long as you’ve negotiated your coverage well ahead of time, ensuring that the most plausible cyber incidents fall within your policy, your insurance provider will be a key ally as you navigate this challenging time. It’s not uncommon for insurance companies to have an investigative team of their own as well as other resources you can draw upon for additional support.

Next, it’s important that you handle your internal and external communications with care. No one in your team should be sharing details of the breach with the outside world at this point, as you do not know the scope of the issue and the use of any loose language could result in serious legal issues down the road. You might make a public statement later, but that comes after determining exactly what has happened and consulting extensively with your legal team.

When communicating with your employees, keep your language reserved and concise. Explain that there has been an incident, the response team is in action, and leadership will share more detailed information as it becomes available.

Audit the Breach

After this, your team must unearth and document as many details as possible about the incident. They need to determine when the compromise occurred, how it was identified, the scope of the breach, what parts of the business have been impacted, what clients could be affected, and more.

This investigation must be as thorough as possible. Cutting corners here will almost definitely leave you more vulnerable in the future. For instance, if you don’t deeply scour your network for evidence and artifacts, a malicious actor could leave a backdoor for themselves to return and do more damage in the future. A comprehensive audit will also improve the quality of the adjustments you make to your security strategy and any communications you share with employees, clients, and the press later on.

Mitigate the Threat

As the auditing process gets underway, the IRT also needs to take immediate action to contain and neutralize the threat. These steps include isolating infected systems from the rest of the network, deactivating any compromised equipment, disabling affected functions and services, and cleaning systems once they have undergone forensic examination, so that evidence is preserved before it is wiped.

After working through these steps, the IRT needs to focus on long-term threat mitigation strategies. They’ll need to eliminate all the accounts that the malicious actor has compromised, remove any backdoors they installed in the system, and implement security patching wherever necessary. They’ll also need to go through the painstaking process of eradicating every trace of the malicious actor in the network. This phase often involves eliminating malware, reimaging systems, and destroying any remaining malicious artifacts.

Develop Key Learnings

With the breach under control and your audit completed, it’s time to review the information with your IRT to generate key learnings from the incident. During this evaluation process, you want to get an in-depth understanding of the cause of the breach, assess the effectiveness of your response, and propose the changes to your security architecture that ensure your organization will not be susceptible to another such attack.

Once again, thoroughness during this step is crucial. Your organization has just gone through a difficult and likely painful ordeal, so the instinct of many involved might be to put the incident in the past as fast as possible. Resist this impulse. While no business wants to experience a breach, such events can provide your organization with tremendous value if you learn everything you can from them. They can help you identify your strengths, shore up your vulnerabilities, and ultimately raise your security posture.

Communicate Your Findings

You’re now ready to communicate your findings with external parties. When preparing to notify your clients of what happened, make sure to have all your messaging reviewed by legal experts and your insurance company. Although you want to help your clients understand what happened, how they were affected (if they were), and what the next steps are, you also want to avoid creating undue liabilities for your organization.

The same process should be followed if your team decides to draft a statement for the press: Everything should be thoroughly vetted by experienced legal counsel. When you release a statement, your company should provide multiple communications channels so your clients or other interested parties can contact you with their questions or concerns. Regardless of who’s at fault, your reputation is in a fragile place, so you want to do everything you can to assure your business partners that you’ve got the situation under control.

Upgrade Your Breach Response Toolkit

While having a data breach incident response plan will certainly help your organization navigate these challenging scenarios, you’ll also need a strong cyber toolkit to resolve a data breach quickly and effectively. This is especially true in the auditing phase, where response teams struggle to determine how an attack impacted data objects.

A Gartner Cool Vendor, Symmetry Systems DataGuard provides organizations with complete, real-time visibility into every data object across their entire IT infrastructure. This solution allows the IRT to know precisely what data objects are involved in a breach, ensuring they can accurately assess the scope of the incident and effectively remediate the threat. Request a demo today to see the power of DataGuard for yourself.