5 steps to take when a data breach hits

As hackers get increasingly sophisticated, companies must prepare for the inevitability of such an event.

The IT industry has an answer to almost every security problem. Need to lock down an app server to ward off hackers? There's likely a product available for that. Same goes for making sure a stolen Android phone uses strong authentication to keep a hacker from stealing data.

However, if the worst does happen (say, the hackers manage to break into a server and steal credit card numbers from a database), it can be hard to know what to do next (other than panic). CIO.com spoke to several security and legal experts to find out what to do after a leak occurs. Here are their five steps for how to survive a data breach, in chronological order.

Address the breach immediately

Experts agree on the first step: Solve the problem and fix the data leak. Marc Malizia, the CTO of the IT consulting firm RKON Technologies, says it's important to address the security flaw. Determine which server or servers have been compromised.

"Once located, a disk image of those servers should be made in order to preserve their state," he says. "To protect chain of custody in the event of a lawsuit, these images should be read-only and secured." Finally, he adds, put in place a containment strategy "to ensure the compromised server cannot infect other servers or devices."
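The imaging step above has three concrete parts: take a bit-for-bit copy, prove the copy matches what was on the host, and keep the copy (and a record of who took it and when) in a form that any later change would expose. The script below is an added example of that workflow and is not the article's or RKON's code. It assumes POSIX sh with dd, awk and sha256sum (or shasum), uses SHA-256 as the integrity hash, and stands in a constructed sample file for what would in practice be a block device attached to a forensic workstation; the function names, the custody-log format and the case identifier are all hypothetical.

```shell
#!/bin/sh
# Added example: preserve a disk image as evidence (image the host, keep the
# image read-only, keep a chain-of-custody record). Not the article's or RKON's
# code. Assumes POSIX sh plus dd, awk and sha256sum (or shasum). On a real host
# SOURCE would be a block device such as /dev/sdb, not a file.

# Print the SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE DEST_DIR CASE_ID EXAMINER
# Makes a raw copy, checks that the copy hashes identically to the source,
# stores the hash beside the image, marks both read-only and appends a
# custody-log entry. Prints the path of the new image.
acquire_image() {
    src="$1"; dest_dir="$2"; case_id="$3"; examiner="$4"
    mkdir -p "$dest_dir"
    img="$dest_dir/$(basename "$src").img"

    # Raw copy. A numeric block size keeps the call portable across dd versions.
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 1

    # Acquisition hash: the image is accepted only if it matches the source.
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "acquisition failed: hash mismatch for $src" >&2
        return 1
    fi

    # Record the hash beside the image, then lock both files read-only.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod 0444 "$img" "$img.sha256"

    # Chain-of-custody entry (hypothetical format): when, case, who, what, hash.
    printf '%s|%s|%s|acquired|%s|%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$case_id" "$examiner" "$img" "$img_hash" \
        >> "$dest_dir/custody.log"

    echo "$img"
}

# verify_image IMAGE
# Recomputes the hash and compares it with the one recorded at acquisition.
# Prints "intact" and returns 0, or prints "TAMPERED" and returns 1.
verify_image() {
    img="$1"
    recorded=$(awk '{print $1}' "$img.sha256")
    current=$(sha256_of "$img")
    if [ "$recorded" = "$current" ]; then
        echo "intact"
    else
        echo "TAMPERED"
        return 1
    fi
}
```

The read-only bit only stops accidental writes; root can still change the file, which is why the hash taken at acquisition matters more than the permission bits. Keep a second copy of the hash and the custody log somewhere the imaging host cannot write to, so that a later `verify_image` run compares against a value the host could not have altered.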

Form a task force

Almost every expert says another critical early step is forming a team to deal with the breach. You can't report a breach to the authorities and the legal department until you have a task force to lead the charge and communicate about progress.


Pat Calhoun, the senior vice president and general manager of network security at McAfee, says a "Seal Team" needs to be assembled immediately to carry out any additional steps. Attorney Tatiana Melnik adds that a company has to speak with one voice after a data breach; this team is responsible for making sure all information about the issue is reported in a concentrated effort.

Test the security fix

Once the problems have been resolved and a team is ready to lead a counter-offensive, and even before moving on to the stage of communicating about the breach outside of the organisation, it's important to make sure the flaw is fully resolved.

This may require having the security team look through server logs again or running penetration tests. It may require investigating whether other servers, or a cloud infrastructure, are also susceptible.

"Companies should undergo a rigorous penetration test by an external team of experts," says Chris Pogue, senior vice president for cyber threat analysis at Nuix, a company that analyses unstructured data.

"This is really the only way of ensuring that the fixes that have been put in place are fulfilling their intended purpose. The penetration test will also help to identify potentially unknown attack vectors that could be used by future attackers."

Contact outside parties

Once the problem is under control, Calhoun says the task force should start notifying the local authorities, the internal legal department (and any outside legal experts), and the public relations department. It's important to communicate about the breach after the problems have been resolved, meaning all resources should be used to stop the breach first.

In some industries, such as healthcare and financial services companies, there are requirements for reporting the data breach within a set period of time. Data breach notification laws vary on state and federal levels, but they could require disclosure in as little as 24 hours. However, Calhoun says not all data breaches come with that requirement: "Disclosure comes as a part of what happened if credit cards were stolen vs. a breach of internal intellectual property."

Resolve any related issues

It might seem obvious, but companies must address the long-term implications of the breach by resolving any other related problems throughout the organization. The security flaw that led to a breach must be fixed immediately, but "remediation" is a thorough process that can take much longer and involves looking for other potential flaws, Calhoun says. Without remediation, another strike could occur, as the firm has now become a target for attack.


"Companies should make a remediation plan that's tailored to the incident. This means that the company must undertake a true and honest assessment of what happened and the cause or causes for the incident," Melnik says. "The remediation plan should include addressing any security issues, but also employee training and monitoring programs."

After this remediation stage, there are additional steps to take: continued analysis of the security infrastructure, for example, as well as more penetration testing and additional remediation. But Calhoun says the first steps of fixing the breach and reporting it to authorities are the most critical.

Stories by John Brandon