After years of working with small businesses on cybersecurity, we understand the impact a security breach can have on an organization. It’s a time of high stress, tight deadlines, and competing priorities.
Responding wisely will minimize the damage done to your revenue, reputation, and loss of customer trust.
Because those response decisions matter so much, we’ve put together six tips for responding to a breach.
Table of Contents
- Tip #1: Documenting the Breach
- Tip #2: Assemble a Response Plan and Team
- Tip #3: Secure Systems and Data
- Tip #4: Communicate with Authorities and Those Affected
- Tip #5: Evaluate the Damage
- Tip #6: Prepare for the Next Breach - Get Cyber Insurance
- What Should I do Now?
As soon as a company determines a breach is in progress, the first and most important thing is to put a stop to any further loss. This could mean disconnecting the network from the system(s) being breached to stop the flow of data, or if that’s not an option, shutting down a system until it can be disconnected from the network. At the same time, be careful not to destroy any forensic evidence of the breach, and make notes of the actions taken to shut down the system:
- What is the date and time of the incident?
- What systems or applications were impacted?
- What was the last action taken before the breach was identified?
- What tipped you off?
This information can be used to identify the type of attack - phishing, malware, or a compromised device with access to company data. Knowing how the attacker got in allows the creation of an immediate containment strategy to make sure the hackers do not still have access.
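The notes described above are only useful later (to the cyber security professional, legal counsel, or the authorities) if nobody can quietly edit them after the fact. The following added example, which is not code from the original article or from NSI, records the four questions for each containment action, fingerprints collected evidence with SHA-256, and chains each entry to the previous one so that any later edit is detectable. The incident times, host names and evidence contents are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the very first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest is reproducible.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def fingerprint_evidence(evidence: dict) -> dict:
    """Map each collected artifact name to the SHA-256 of its contents."""
    return {name: sha256_hex(data) for name, data in evidence.items()}


def append_entry(log: list, fields: dict) -> dict:
    """Append an entry whose digest covers its fields plus the previous digest."""
    entry = dict(fields, prev_hash=log[-1]["digest"] if log else GENESIS)
    entry["digest"] = entry_digest(entry)  # digest excludes the digest field itself
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """Return False if any entry was altered, removed or reordered."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry.get("prev_hash") != prev or entry_digest(body) != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


def build_demo_log() -> list:
    # Constructed sample: two artifacts copied off the host before it was isolated.
    evidence = {"fileserver01_auth.log": b"Mar  4 02:17:09 fileserver01 sshd: Accepted password for svc_backup\n",
                "outbound_summary.txt": b"fileserver01 -> 203.0.113.7:443 1.9 GB in 40 min\n"}
    log = []
    append_entry(log, {
        "incident_time": "2024-03-04T02:17:00-05:00",            # constructed
        "systems_impacted": ["fileserver01", "vpn-gateway"],       # constructed
        "last_action_before_detection": "Nightly backup job finished",
        "tip_off": "Firewall alert on unusual outbound volume",
        "action": "Disconnected fileserver01 from the switch; host left powered on",
        "evidence": fingerprint_evidence(evidence),
    })
    append_entry(log, {"action": "Disabled svc_backup account on the domain controller"})
    return log
```

Each entry's `digest` can be copied into a ticket or e-mailed to counsel at the time it is written; `verify_chain` then proves the notes were not changed afterwards.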
Although most breaches are executed remotely, some are done in person. This could be through someone installing spyware or malware onto a PC, or using a misplaced PC or mobile device to get in. In some extreme cases, hackers gain entry by attaching an additional entry point - such as a rogue wifi router or other device - to the network to provide alternate access.
Vulnerability scans from your security provider can also give clues as to how the compromise may have happened. When it’s unclear how the intruder was able to gain access, looking for insecure systems and risky emails identified by the scans will point in the right direction.
Having the right team in place and ready to respond can be the difference between a catastrophe and an averted crisis. Work out a plan with key stakeholders with a few different scenarios in mind, and a “plan B” in the event the team is not able to handle it internally. The stakeholders on the team should be:
- CEO / Owner - This person needs to be kept in the loop, and may ultimately be held accountable for the breach. They need to know what the exposure is to the business, and must make the call (in conjunction with Legal) for notifications to customers and when to bring in the authorities.
- Cyber Security Professional - The best person to investigate the root cause. This person applies remediation steps afterwards, monitors and configures the other security tools for malicious activity, and ensures the organization’s security posture keeps hackers at bay. NSI fills this role for its clients.
- IT Admin - Since they know the systems and how they are accessed, they can pull logs and other forensic data to help the authorities, depending on the scale of the breach. This is another role that NSI fills for clients.
- Legal - This person will determine the company’s liability and the safest course of action after a breach. They may also represent the company to authorities and will be integral in crafting communications to customers who have had their personal information stolen.
- Office Manager - This person will know immediately if something looks out of place. If someone is out of office, but their laptop is sending sensitive files to a Google Gmail account, they will be the first to pick up on it. This person is one of the most valuable assets on the team, since scans and analytics don’t have the day-to-day knowledge of the business that this person carries in their head.
- Accounting - This person keeps a close eye on the books and the bank, and will know if there is money out of place. Not all cybercriminals are after data - some go straight for the money and try to transfer it to their own accounts, sometimes a few dollars at a time. In the event the accounting system is compromised, the accounting person should know which backup is OK to restore to get the business back on its feet.
Depending on the size and nature of the business, other team members may be a member of the board of directors, marketing, a member of your software engineering team (to make sure software being developed was not compromised), and a compliance officer.
As the saying goes, “fool me twice, shame on me”. Breaches expose the existence of vulnerabilities in systems, so it's really important to secure the systems and eliminate those vulnerabilities immediately to prevent another breach.
Some of the controls that can be put in place easily, if not already there, are:
- Inventory all hardware and software, along with versions
- Secure data with strong encryption, especially encrypting the drives of laptops
- Require complex passwords, and use multi-factor authentication where applicable
- Use least-privilege access, so only people who need access to data get it
- Automate security patching and continuously monitor for vulnerabilities
Finding vulnerabilities can be a process of elimination. Going through each system to make sure all the software is up to date, with antivirus and antimalware software installed and current, can add up to a full-time job. And that’s just the preventative work. Scanning systems to see if something malicious was already installed is an even more time-consuming task.
Outsourcing security, especially for companies without the resources internally, is an effective way to secure systems and keep them that way. With options ranging from vulnerability scanning to full security management, inclusive of network and system updates, a company can ensure it’s protected and compliant on an ongoing basis.
The breach has happened, and it can’t be undone. The extent of the damage has been estimated. Now it’s time to let the authorities and those impacted know what happened.
It’s really up to the business whether or not they want the authorities involved in their security breach. Most cybersecurity insurance policies require authorities to be involved. Depending on the extent of the breach and the parties involved, the authorities that may be involved include the cyber crimes units of local and state police, the FBI and the Secret Service. Companies should seek the advice of their legal counsel or engage a firm specializing in cybersecurity to help engage with authorities.
Once the authorities have been notified, it’s time to start crafting the communication to those affected and be ready to respond.
The message to customers should:
- Be delivered quickly. Although state laws will specify time limits for notifications, a quicker notification will go toward maintaining the trust of the customer affected.
- Be clear. Leave out the technical details. Use plain, easy to understand language that is sensitive to the potential longer-term impacts of the breach.
- Be careful. Don’t provide every detail of the investigation. This could open up speculation and cause more damage than good. Let the customer know they will be kept in the loop.
- Be useful. Give them something they can use. If financial information was stolen, tell them to watch their credit reports or bank accounts. For username or password breaches, suggest they change their passwords on other accounts.
Per Connecticut law, any company that conducts business in CT and that maintains personal information as part of its business is required to disclose a security breach to state residents. This disclosure has to take place without unreasonable delay and no later than 90 days from the date of the breach. The business must work with the Attorney General’s office, and provide:
- Information about the company experiencing the breach
- Detailed categories of personal information subject to the breach
- Number of CT residents affected
- The dates notifications will be sent to those residents, along with a copy of the notification
- Whether credit monitoring or identity theft protection services will be offered to the residents affected
- Whether notification was delayed due to law enforcement involvement
Companies not reporting within the required time are subject to fines and potential criminal charges depending on impact, so it’s best for everyone involved to comply with the law.
After a breach, it takes time to figure out the real damage to the business. Some of this damage may not occur immediately. Some things to think about are:
- Data integrity. A breach may include a hacker adding or changing data in computer systems, in the form of financial transactions (fake invoice), entitlements (permissions or access to a system or service), misleading data (adding a fake vendor to an approved vendor list), or altering customer records (like a shipping address) in hopes of not being noticed. This can be addressed through regular backups and a solid disaster recovery plan. Without these things it could take weeks or months to reconstruct accurate records.
- Reputation. A breach involving personal information and mandatory disclosure will have some sort of public exposure to it. Getting ahead of public opinion, showing a history of integrity and being forthcoming are all actions to help protect a company’s reputation. For incidents with high exposure, consider hiring a PR firm to help with communications.
- Financial impact. Breaches open up companies to litigation, and litigation means money. Customers can seek damages against a company that suffers a breach, even when the company is doing everything right. Cyber insurance offsets the financial risk associated with a data breach, but may not cover the soft costs of lost sales from reputation damage.
Another big part of the evaluation is identifying the root cause of the breach and making sure it doesn’t happen again. This includes recommendations for policy changes and implementing additional security measures in the business.
Very few businesses can handle 100% of the cost of a security breach. Cyber insurance is an inexpensive way to help cover that cost when a breach eventually occurs. Policies range from liability insurance to covering the cost of restoring business systems, while other policies cover reputation damage and communications. Work with a reputable cyber insurance provider to understand what’s covered and to find the right policy.
A data breach is scary for any company, no matter how big or small. Companies should use these tips to prepare so they can act to protect their business, and their reputation when the inevitable does happen. Not comfortable taking it on? Consider an MSP to handle it all for you, from vulnerability scans to security responses, and focus on running the business instead.