What to do after a data breach

A data breach is the business equivalent of a natural disaster. The initial experience brings business as usual to a halt, and the recovery period is long, arduous — and expensive. As with natural disasters, an emergency plan can mitigate the impact of a data breach. Is your business prepared for the worst-case scenario?

One in three companies will experience a data breach in the next 24 months. Forbes, Newegg, OXO, Quest Diagnostics, and Ticketmaster are just a few well-known companies that have been compromised in the past year as a result of web skimming attacks — attacks that skim sensitive data like credit card numbers, social security numbers, passwords, and more from form fields or cookies.

The average data breach costs a company $3.92 million in remediation costs, fines, and lost business. Unfortunately, human error causes 27 percent of data breaches — for example, 24 million loan records were exposed in 2019 due to a misconfigured S3 bucket.

3 steps to take immediately after a data breach

Whether attackers infiltrate your corporate server or malicious third-party scripts are used to exfiltrate customer data, taking immediate action can minimize financial repercussions and loss of consumer trust. As you read through the recommendations below, keep in mind the key to a successful post-breach response is having a well-defined plan in place before disaster strikes.

Step 1: Secure operations and fix vulnerabilities

Take affected equipment offline (disconnect it from the network, but don’t power it off; see Step 2) and use “clean” machines if possible. Search for any sensitive data that may have been posted online and ask the site owner to remove it. Other actions may include:

  • Resetting passwords for internal users and external service providers
  • Monitoring entry and exit points
  • Removing access for non-essential personnel
  • Changing access codes at your physical business (if applicable)

Step 2: Preserve evidence as you investigate

The FTC recommends leaving affected equipment powered on until forensic experts arrive. Other investigative actions you can take include:

  • Creating disk images for future reference
  • Determining who had access when the breach occurred
  • Interviewing the individual(s) who discovered the breach
  • Documenting anything that seems out of the ordinary
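The "create disk images" and "document everything" bullets above are only useful later if the image can be proven unchanged. The following Python script is an added example, not part of the original post or any vendor product: `preserve_image` and `verify_image` are hypothetical helpers that copy a source (a file, or a block device path such as `/dev/sdb`, which is an assumed example) into an image file, hash both sides, and keep a chain-of-custody log that can be re-checked before the image is handed to forensic experts.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so an image never has to fit in memory

def sha256_file(path):
    """Hash an existing file by streaming it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_image(source, image_path, log_path, collected_by, note=""):
    """Image `source` (a file or a block device such as /dev/sdb) to `image_path`,
    hash both sides, and append one JSON chain-of-custody line to `log_path`.
    Hypothetical helper for this example; `verified` is True only when hashes match."""
    src_hash = hashlib.sha256()  # hashed in the same pass that writes the image
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_file(image_path),  # independent re-read of what was written
        "collected_by": collected_by,
        "note": note,  # free text: who found the breach, what looked out of the ordinary
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify_image(image_path, log_path):
    """Re-hash a stored image against its latest custody record; False if it was
    altered since collection or was never logged."""
    expected = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["image"] == os.path.abspath(image_path):
                expected = rec["sha256_image"]
    return expected is not None and sha256_file(image_path) == expected
```

Run it from a clean machine with the source mounted read-only (or behind a write blocker) and keep the log off the affected host, so the record itself is not part of the evidence that could be altered.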

Step 3: Notify appropriate parties

Law enforcement, customers, legal counsel, and company stakeholders are just a few of the groups you should notify. Requirements for whom you must notify, and when, vary by state. If the breach involves health information, you may be required to notify the FTC and the media.

  • Develop a communications plan in advance so you know who to contact and in what order
  • Anticipate what questions may be asked and create talking points for employees
  • Be sincere and use clear, plain language
  • Accept responsibility if your company was at fault
  • Don’t withhold details consumers may need to protect themselves from ID theft
  • Decide what you might offer as remediation for affected parties
  • Tell staff where to forward information related to your investigation

View the complete list of FTC post-breach recommendations including sample communications.

Additional steps to take 30-45 days after a data breach

If you have an auditing system that provides network recording, engineers can conduct forensic analysis of your records to determine the exact cause of the breach. If not, consider hiring an unbiased, third-party IT company specializing in security breach analysis to evaluate what happened and whether your business is secure going forward. Lastly, ensure service providers have taken the necessary steps to protect your business against future attacks.

Perform network penetration testing regularly. One of the reasons security breaches are so expensive is that they take an average of 69 days to contain after detection. In addition, the first attack can be one of many — one in five businesses that suffer a web skimming attack by Magecart are reinfected within a few days.

Data breach response times are crucial to securing operations

Responding quickly to a data breach is the best way to mitigate damages. Research from IBM highlights how rapid response can reduce financial losses. According to their 2018 study:

The average cost per lost or stolen record in a data breach is $148, but this drops to $134 for companies with an incident response team. When multiplied by 31,465 (the number of compromised records in an average data breach) the cost savings approaches half a million dollars.

IBM also found companies that contained a breach within 30 days saved more than $1 million. That said, the best way to save money is to avoid having a security disaster in the first place.

Secure your web presence with a modern cloud security solution

Unlike natural disasters, catastrophic security events can be prevented. Far too many companies make the mistake of only taking steps to detect breaches and fail to focus their strategies on prevention, making it easier for cybercriminals to penetrate their defenses. Unfortunately, it takes a shock to the system, such as a data breach, to make companies realize that security solutions like a web application firewall alone were not enough. By then, the damage has been done.

A multi-layered strategy, such as the Instart web application and API protection (WAAP) platform, provides complete security with deep client-side capabilities that protect against common and emerging threats from the origin to the browser — preventing sophisticated bot attacks, data exfiltration, and browser-based threats targeting third-party JavaScript and code. Don’t wait for the worst to happen. A safe and secure web presence starts with the right solution.