Incident Response 101: What to do if you’ve experienced a data breach?

By Microserve

Suppose you think your organization is experiencing a data breach. Do you know what systems are affected? Do you know if your data is safe? Maintaining the highest standards of security means knowing what to do if there’s a security incident. Whether an employee told you they lost their laptop, or you notice suspicious activity, you need to minimize your risk of sensitive data exposure and to reduce the impact on your IT operations. That’s why it’s recommended to create an incident response plan to plan for data breaches. 

What is an incident response plan?

An incident response plan is a set of procedures created by the IT or security team to use in case of a cybersecurity threat. It is used to help security teams respond quickly to security incidences, and to have a plan in place to identify, isolate, and remediate security threats. The incident response plan should cover the tools to use, stakeholders to involve, and more. Once you create your incident response plan, it should be tested in different ways — at least once every three months and revised entirely once a year. 

Here are some recommended actions to take and include in your incident response plan. 

Step 1: Gather information and assess the situation

If you’ve experienced a data breach, there are a few major jobs for the security team in step 1 of the incident response process. To keep the data, device, and network safe, the security team or IT team needs to gather information to: 

  • Ensure that sensitive data isn’t compromised and to minimize the risks a data breach or ransomware attack 
  • Ensure IT operations are not (or are minimally) affected 

At this stage, the IT security team needs to remain calm and focus on minimizing the impact of the data breach. 

Step 2: Perform a risk assessment to identify the data, device, network, and assets at risk

For the security team to protect the device, data, and operations in a breach, they need to start by gathering and documenting information that will help assess the cybersecurity situation and level of risk. They need to understand: 

  • What happened to the device 
  • What data was potentially exposed 
  • What devices were impacted 
  • Whether the network was affected 

Understanding the “who, what, where, when, and why” of security incidences helps the security team to get a full picture of what is happening to the device and data so they can assess the risk. By fully understanding your risk, you can execute your incident response plan. For example, understanding what happened to the device if a laptop is stolen can help you predict the bad actor’s motives. 

Step 3: Isolate the device

Once you’ve identified the risk to your data, devices, and network, you need to isolate the risk by containing the device. Depending on your IT set up, containing the device could include several actions such as updating firewall and AV rules, locking the device, taking the device off corporate network, updating accounts and passwords, and more. 

For example, to contain a device you could: 

  • Reduce network risk by updating firewall rules and removing the compromised device from the network. By updating the firewall rules, you can completely block compromised systems from the network. 
  • Reduce data risk by locking the device or remotely wiping the data. The sooner you lock the device or wipe the data after an incident, the better. 
  • Reduce exposure to other devices by restoring backup systems for compromised systems. Malicious files or system vulnerabilities could be in systems that might take your network offline. Having and restoring a backup is a good option to ensure IT operations are not impacted. 
  • Reduce data exposure by locking the device out of accounts and updating passwords. If the bad actor is trying to get into the system to access more data, this will prevent them from accessing online accounts and databases 

Step 4: Remediate vulnerabilities

When assessing the security risks of a data breach, teams must rely on their security systems — such as anti-malware or managed detection & response solutions — to identify malware or threats. An exploited vulnerability should be patched and tested immediately.  

To comply with security standards, make sure you have a patch management strategy in place to patch known vulnerabilities reported by vendors and to have an emergency patching plan. 

Step 5: Report the incident to stakeholders and the police (if necessary)

After you’ve remediated the immediate risks and vulnerabilities, it’s time to report the incident to the relevant stakeholders involved. This may include members of the security team, leadership team, affected customers, and/or affected employees. If the device was stolen, also have the employee create a police report with their local authorities.  

Additionally, now is the time to lean on your security tools that have digital forensics consulting services, which help security teams investigate security incidences to recover devices and data. There are incident response tools that dedicate an expert to your reported incident to uncover the techniques used by the attacker, help you address threat readiness, and more. There are also data discovery tools that, for example, can track where PII (Personal Identifiable Information) is held and stored on corporate devices — no matter where they are or what network they are connected to. 

The aftermath of a databreach

If you experience a data breach, it’s important to stay calm and follow your incident response plan. Creating the incident response plan will deepen your understanding of your security coverage, help you respond quickly to security incidences, and help keep the relevant stakeholders informed. 

Depending on what kind of organization you are in, you may also need to create other response plans, such as HIPAA security incident response plans for healthcare organizations that involve informing governing compliance organizations and other industry specific responses. Outside of healthcare, organizations also need to be aware of GDPR, CCPA, and other regional compliance policies. 

In the aftermath of a data breach, it’s important to continue to assess the situation and communicate clear information about data breaches. You should also keep a record of any documents or information about the data breach. When possible, use the information to do a post-incident review with the relevant stakeholders to determine the cause of the security breach, lessons learned, and how to improve security procedures. Doing this helps ensure that you can respond faster and better if there is another security incident. 

If you need help creating an incident response plan or responding to an incident, consult the security experts at Microserve. With over 30 years of experience with IT solutions and security, we understand the latest security vulnerabilities and cyber hacking techniques.

Get in touch today to create your incident response plan and assess your security vulnerabilities. 

You might also like