24 Hours After a Breach: How should you react?

How would you deal with a cyber attack?

You’ve been hacked. Despite all of your preparation and investment, your business has lost mission-critical data, leaving your customers’ details and your brand’s reputation at risk. No organisation is immune, but that is no excuse for not having a response plan in place. In this situation you need to act quickly, both to meet your compliance obligations and to limit the scope of the damage caused by the breach. In a recent report, Juniper Research predicted that the cost of data breaches will reach £1.3 trillion by 2019, showing just how costly breaches are becoming and why a contingency plan matters.

If a breach happened right now, would you be prepared? Would you know what to do and how to act? If the answer is no, then you need to create a robust, clear response plan. This plan should be well-defined, concise and rehearsed. Much like a fire drill, everyone in your organisation should know the procedure and be able to act on it almost instinctively. So, what does such a plan look like? The level of urgency will depend on the severity and scale of the breach, but here is some advice on what you need to do in those crucial first 24 hours.

1-2 hours - Triage - Assess the situation. When a patient is admitted to A&E, the first thing the doctor does is determine the severity of the injury. That is the right analogy for what a business needs to do in the immediate wake of a breach. Someone with sufficient training should take a step back, assess the situation and classify it: Has a device been stolen? Has a server been compromised? Are you under a denial of service attack? Once the incident has been classified, this is the time to trigger your pre-agreed controls. In the case of a stolen laptop, for instance, that means using whatever endpoint technology you have in place to track the device, cut its network access or remotely wipe its data. Two caveats a practitioner would add: a remote wipe destroys evidence as well as protecting data, so decide in advance which matters more for which asset class; and for a compromised server, isolating it from the network is preferable to powering it off, because shutting it down loses the volatile memory (running processes, network connections, decryption keys) that the investigation will need.

2-8 hours - Legal & Containment - This is the stage where the roles defined in your plan are activated and assigned to named people. Once you have established the severity of the breach, your legal team can advise on the best course of action, including which notification deadlines apply. You must also appoint somebody with sound communication skills and a thorough understanding of the incident to liaise with the relevant authorities (depending on the data regulations in your region). Use this time to confirm that your automated controls actually worked and that the threat is contained: check that the attacker’s access paths (compromised accounts, exposed services, implanted tooling) have been closed rather than assuming they have, because a premature all-clear is one of the most common ways an incident reopens.

8-18 hours - Analysis & Investigation - Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for their benefit but so that the root cause can be identified and prevented from happening again. In practice that means copying logs, disk images and memory captures before anything is rebuilt or rotated, recording who collected each item and when, and fingerprinting each item with a cryptographic hash so that you can later demonstrate it has not been altered. Once the facts are established, make sure several people in the organisation can liaise with anyone concerned about the breach, be that business partners, worried customers or the press.
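The evidence-handling point above (hash what you collect, record who collected it and when, and be able to prove later that it has not changed) is the kind of thing that should be scripted before an incident, not improvised during one. The following is an added example, not code from the original article: it builds a simple chain-of-custody manifest for a set of evidence files and verifies it afterwards. The case identifier, collector name and the two sample log files are constructed for illustration.

```python
"""Hash evidence files into a tamper-evident chain-of-custody manifest,
then verify the files and the manifest later.  Added example; the case id,
collector name and sample files below are made up for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large disk images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record what was collected, when, by whom, and its fingerprint."""
    items = []
    for path in sorted(paths):
        items.append({
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "items": items}
    # Hash the manifest body itself so later edits to the record are detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Return a list of problems: edited record, missing or altered files."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    if expected != manifest.get("manifest_sha256"):
        problems.append("manifest record has been altered")
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append(f"missing: {item['path']}")
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    return problems


def demo():
    """Constructed scenario: two fake log files, one of which is later edited.
    Returns the verification results before and after the tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = (
            ("auth.log", b"Jan  1 00:00:01 host sshd[1]: Failed password for root\n"),
            ("proxy.log", b"GET http://example.invalid/ 200\n"),
        )
        paths = []
        for name, content in samples:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            paths.append(path)
        manifest = build_manifest(paths, case_id="IR-0001", collector="analyst-1")
        before = verify_manifest(manifest)
        with open(paths[0], "ab") as fh:  # someone "tidies up" the evidence
            fh.write(b"tampered\n")
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "clean")
    print("after tampering: ", after)
```

Write the manifest out as JSON alongside the evidence and keep a copy somewhere the investigators cannot overwrite. Hashing is a record, not a preservation technique: it tells you that a copy has changed, it does not stop the change, so take forensic images with a write-blocker or read-only mount and hash those, and capture volatile data (memory, active connections) before you isolate or rebuild the host.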

18-24 hours - The Recovery Phase - Once the threat has been identified, contained and analysed, you can bring your systems back up, but only once you are certain it is safe to do so: rebuild or restore from a known-good state rather than patching over the compromised one, and rotate any credentials or keys the attacker may have reached. It is also at this point that you should review your existing plan against what actually happened, to establish what was handled well and how it can be improved for the future.

Further Recovery:

You’ve made it through the first 24 hours - but more work still needs to be done. Threats to your data do not remain static; they are in a constant state of flux and require your business to stay ahead. Following the breach your business must:

- Provide a new (or refreshed) policy that incorporates the lessons of the incident

- Issue breach notifications to your customers (in step with your legal team, who will know which regulatory deadlines and content requirements apply)

- Implement a regular, robust security audit. Most businesses run these quarterly, but you should aim to audit your data security continuously rather than on an ad-hoc basis

- Educate your staff: people are very often the weakest link in the organisation, so awareness of the risks and of what is expected of them should be regularly reinforced. It is vital that this information is not communicated in overly technical language, and that every employee understands both the risks and their own responsibilities.

At the end of the day, you can never be 100 per cent confident of preventing a breach. You can, however, ensure through policy and practice that your business is ready to respond in the right way, whatever the situation.