A data breach is a potential nightmare for any business, but a good team can handle anything with the right plan and the right tools. According to Verizon’s latest Data Breach Investigations report, 5,258 confirmed data breaches occurred in 2020 alone (out of a dizzying 79,635 security incidents surveyed).
Whether your organization has recently fallen victim to a data breach or you’re just making sure you’re prepared ahead of time, familiarizing yourself with data breach response best practices can make a massive difference for the security of your organization’s most important asset — its data.
Jump to a section…
Follow your response plan
Stand ready to identify breaches
Response team composition
Let your team lead the way in securing systems and data
Communicate the issue ASAP
Evaluate and improve
Improve your data security posture management
Learn more about how to protect against and respond to cybersecurity incidents with Symmetry Systems’ Cyber Security Incident Response: The Ultimate Guide.
Follow Your Response Plan
The most important item on the list of data breach response best practices is to have a response plan before you need it. If your organization is responding to a breach without a framework already in place, or you’re looking for ways to augment a response framework that is already in action, here are some key steps to follow from initial investigation to post-action evaluation.
Be Ready To Identify Breaches
The first step in responding to a breach is identifying its method of access and the extent of data and systems which may have been compromised. With the rapid growth of hybrid cloud environments and ever-expanding data sprawl, malicious actors have access to an expanded attack surface. Fortunately, Symmetry Systems DataGuard can assess your enterprise’s complete data security posture management in a few short hours — giving you a big leg up in locking down potential attack vectors before they begin.
While much of your response will be by its very definition reactive, this phase should be ongoing. Your security team should use network monitoring tools to watch for unusual user activity such as repeated login attempts, and the same performance monitoring tools that could reveal a piece of equipment nearing the end of its life can also tip you off to suspicious activity such as high loads outside of normal business hours. Much of this monitoring can be automated, though regular and spot check-ins are also essential to ensure your monitoring methods have not themselves been compromised.
Response Team Composition
Different team members and partners will be better suited to aid in the response to different kinds of breaches; with the threat identified, you are now prepared to bring in the ideal response team for this particular event. The team should be composed of members from affected parts of the organization as well as the security team itself — here’s a quick rundown of some of the most common parts of the business who may need to be involved, and why.
- IT department: The constant in any data breach response, representatives from the IT department should be chosen for their ability to communicate and collaborate effectively with other departments.
- Product team: While operations may need to be interrupted as you identify and secure the breach, including a representative from the product team will ensure your organization is prepared to return to work as efficiently as possible.
- Human resources: Sometimes the threat comes from inside the building, such as the recent example of four Pennsylvania lawyers stealing files to help launch their own new office. Human Resources should be involved for incidents where any internal malfeasance is suspected.
- Marketing & communications: As we’ll outline briefly, proper messaging is essential during and after a breach. Involving marketing from the outset will help them craft the right message to share the news at the right time.
Striking a balance between including response team members from across the organization where relevant, and keeping the team lean and agile, is essential to effective and timely action. Until you’ve ascertained whether internal communications have also been compromised, you should favor in-person discussions or phone calls over company chats and emails where possible.
Let Your Team Lead the Way in Securing Systems and Data
With the breach identified and your response team assembled, it’s time to address the lynchpin of the process: securing your systems and data to seal off the current breach if it’s still ongoing, and to prevent any similar attempts in the near future from the same attacker or potential copycats. The rest of the organization should be ready and willing to “clear the decks” and follow the directives of the team, bypassing standard reporting arrangements where necessary.
Beyond rectifying the vulnerability, you should immediately begin working to defend your cloud assets post-compromise. A recent webinar featuring cybersecurity expert and Symmetry Systems co-founder and CEO Mohit Tiwari addresses how purple team tactics can be used to help security teams surface hidden vulnerabilities and achieve a Zero Trust posture in cloud environments.
Communicate the Issue ASAP
The next step is reckoning with how to communicate the issue beyond the boundaries of your business. Myriad compelling reasons exist to not simply stay silent on the breach, with the most pressing being legal and ethical requirements in the likely event that compromised data may be sensitive for people outside of your organization.
Even aside from such compelling concerns, there’s a real possibility that the news may leak even if you try to keep it suppressed. Though you shouldn’t feel obliged to share everything right away, especially if elements of the threat are ongoing, presenting the news in a controlled manner on your own terms is always your best bet.
Evaluate and Improve
Simulated incidents and responses are essential for building up your ability to put data breach response best practices into action. However, the most powerful tool for improvement is looking back at your practical results. Once the incident has been resolved, take a breath, and begin a frank assessment of the response methods you used and how they performed.
Each member of the response team should be involved with this process, though it can also be helpful to bring in external assessors for a more distanced and critical perspective. Remember, the point of this exercise is not to assign blame for the breach or for any issues which came up as you addressed it. It is also not meant to fill up your response framework with one-off solutions that may not be relevant to other types of incidents. Instead, it’s meant to be a comprehensive look at the processes used in reaction to the breach, and how they could be improved for responding to a range of potential issues. For instance, are there any hybrid cloud security best practices you could implement in the future?
Improve Your Data Security Posture Management
As you fine-tune your organization’s unique implementation of data breach response best practices, it’s time to consider how you can better protect your data in the future. One of the most proactive measures you can take is to invest in a Data Security Posture Management platform. This new, data-centric security solution gives organizations a direct line of sight into their data across the cloud as well as on-premises workloads.
Symmetry Systems DataGuard is the market-leading solution for DSPM, bridging data security and identity and access management to protect the key assets of enterprise data. It takes less than an hour to run DataGuard through your system and gain critical insights and recommendations, helping to strengthen your security posture everywhere it matters most. Contact us today to learn more about how Symmetry Systems DataGuard can help you protect your business.