The daily news is full of reports of IT security breaches, to the point where awareness of the problem is no longer the issue. Today, while awareness and security budgets are certainly higher, executives still need to understand that getting hacked is not a matter of if but when. This is the new normal in cyber security, and it changes how a company has to approach preparation and risk management: the plan below assumes an incident will happen, and should be written and rehearsed before it does.
Once a breach has been discovered, a company should take the following immediate steps:
Step 1: Survey the Damage
This step requires your company’s designated IT team members (or an outside forensics investigator) to perform an internal investigation to determine the impact on critical business functions: which systems and accounts are compromised, what data was accessed or taken, and since when. The initial investigation helps the company assess the scope of the breach, discover previously unknown security weaknesses and determine what improvements need to be made to the company’s computer systems. One practical caveat: preserve evidence while you investigate. Capture disk images, memory and logs from affected systems before anyone wipes, reimages or “cleans up” a machine, because those artifacts are what the forensic investigation, law enforcement and your insurer will later rely on.
Step 2: Limit the Damage
When a breach is discovered, a company must take steps to keep the attack from spreading. Common containment strategies include isolating all or part of the compromised network, filtering or blocking traffic to and from affected hosts, re-routing network traffic, and disabling or resetting compromised accounts and credentials. Prefer isolation over powering machines off where you can, since shutting a host down destroys volatile evidence such as memory. If your company has cyber insurance, now is the time to contact the insurance carrier to report the incident, get them involved in the forensics investigation and put them on notice according to the terms of your cyber insurance policy; many policies require notice within a set period and may require that you use approved forensics and legal vendors.
Step 3: Record the Details
Keep a written log of every action taken in response to the breach, recording who did what, when (with a consistent time zone), and on which systems. This record will almost certainly be needed later to show regulators, insurers, customers and possibly a court how your company responded and what steps were taken, so it should be kept somewhere the attacker cannot reach and should not be edited after the fact. The information documented should include: the type of data and the networks affected by the incident, the number of customers affected, the compromised accounts, the disrupted services, and the extent and type of damage done to your company’s computer systems.
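As an added illustration for this step (example code written for this page, not part of the original article or any incident-response product), the following keeps a tamper-evident incident log: each entry carries a SHA-256 hash over its own fields plus the hash of the previous entry, so an entry that is later altered, removed or reordered breaks the chain and verify() reports where. The incident identifier, actors, hosts, timestamps and counts in the sample entries are constructed for the example and correspond to no real incident; the entries mirror the containment actions and impact details the steps above say to record.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash the first entry chains to; any fixed constant works as long as verify() uses the same one.
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over the entry's fields except its own 'hash', in a canonical JSON form."""
    unsigned = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(unsigned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class IncidentLog:
    """Append-only response log where every entry commits to the one before it."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, action, detail, when=None):
        """Append one action. 'detail' is a dict of the facts worth keeping (hosts, counts, data types)."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, entry_count) if the chain is intact, else (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:  # reordered, deleted or inserted entry
                return False, i
            if _digest(e) != e["hash"]:  # fields changed after the entry was written
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def build_sample_log():
    """Constructed sample entries (hypothetical incident, hosts and figures) covering Steps 1 to 3."""
    log = IncidentLog("IR-2024-0001")  # hypothetical incident identifier
    t = lambda h, m: datetime(2024, 3, 5, h, m, tzinfo=timezone.utc)
    log.record("j.doe", "triage",
               {"alert": "EDR flagged credential dumping", "hosts": ["fs01"]}, t(9, 12))
    log.record("j.doe", "isolate-host",
               {"hosts": ["fs01"], "method": "EDR network isolation, memory image taken first"}, t(9, 40))
    log.record("a.smith", "block-traffic",
               {"rule": "deny egress to 203.0.113.0/24 at perimeter", "scope": "all segments"}, t(10, 5))
    log.record("a.smith", "impact-assessment",
               {"data_types": ["PII"], "customers_affected": 1250,
                "accounts_compromised": ["svc_backup"], "services_disrupted": ["file shares"]}, t(14, 30))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    # Simulate someone quietly editing a customer count after the fact.
    log.entries[3]["detail"]["customers_affected"] = 12
    print("after tampering:", log.verify())
```

Store the entries somewhere outside the compromised environment (a separate ticketing system or an offline notebook plus this file), and publish or hand the latest hash to counsel or the insurer at checkpoints; that lets an outside party later confirm the log they were given is the one that existed at that time.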
Step 4: Report the Breach
A breach of your company’s sensitive information (think PII or PHI) needs to be reported to the appropriate authorities. Which ones apply depends on the data involved, your industry and where the affected individuals live. They can include the FBI, the U.S. Secret Service, State Attorneys General, and state and local law enforcement, and depending on your company’s industry sector there may be regulators that must be notified as well (e.g. the HHS Office for Civil Rights for PHI under HIPAA, the SEC for public companies, or an EU data protection authority if GDPR applies). Many of these regimes have notification deadlines measured in days, so work out the applicable ones in advance rather than during the incident. If your company has cyber insurance, the insurance carrier will help report the breach to the proper and applicable authorities.
Step 5: Notify those individuals (or entities) affected
If your company’s breach puts an individual’s information at risk, you must notify them promptly so that they can take immediate steps to protect themselves from financial harm or identity theft. In some cases, if law enforcement is involved, your company may need to delay sending notifications at the direction of law enforcement so that the investigation is not compromised. If your company has cyber insurance, the insurance carrier will help direct your company in notifying customers by letter or email and, depending on the carrier, may set up a toll-free number your customers can call for help signing up for credit monitoring and to have their questions and concerns addressed.
Step 6: Learn from your Company’s Breach
Companies can certainly learn a lot from how other organizations respond to data breaches. When one strikes your own company, however, it is more personal, and it is important to have a process in place to learn from it. That process should include: a post-incident review that documents the mistakes made during the breach response and the gaps that let the attacker in; an assessment of how each could have been avoided, turned into concrete changes to systems, controls and the response plan itself; and a training program that educates staff on the lessons learned and how to avoid repeating them.