How to respond when a breach occurs?
As discussed above, managers and organizations should take preventative steps to reduce the risk of a breach. But what if, after all the time spent planning, the money spent, and the employees trained, someone still manages to break through the organization's security measures? What do you do now? Once a breach has been discovered, the organization should take the following immediate steps to limit its impact.
Step 1: Survey the damage
Following the discovery of the breach, the designated information security team members need to perform an internal investigation to determine the impact on critical business functions. This in-depth investigation allows the company to identify the attacker, discover previously unknown security vulnerabilities, and determine what improvements need to be made to the company's computer systems.
Step 2: Attempt to limit additional damage
The organization should take steps to keep an attack from spreading. Some containment strategies include:
- Re-routing network traffic
- Filtering or blocking traffic
- Isolating all or parts of the compromised network
Step 3: Record the details
The information security team should keep a written log of what actions were taken in response to the breach. The information that should be collected includes:
- Affected systems
- Compromised accounts
- Disrupted services
- Data and network segments affected by the incident
- Amount and type of damage done to the systems
Step 4: Engage law enforcement
A major breach should always be reported to law enforcement. The law enforcement agencies that should be contacted are:
- The Federal Bureau of Investigation (FBI)
- The U.S. Secret Service (USSS)
- The U.S. Immigration and Customs Enforcement (ICE)
- The District Attorney
- State and local law enforcement
Step 5: Notify those affected
If a breach puts an individual's information at risk, they need to be notified. A quick notification helps them take immediate steps to protect themselves. However, if law enforcement is involved, it should direct the company as to whether the notification should be delayed so that the investigation is not compromised. Individuals are usually notified via letter, phone, email, or in person. To avoid further unauthorized disclosure, the notification should not include unnecessary personal information.
Step 6: Learn from the breach
Since cybersecurity breaches are becoming a way of life, it is important to develop organizational processes for learning from them. This enables better incident handling should the company be affected by a breach in the future. Some lessons-learned activities include:
- Document all mistakes
- Assess how the mistakes could have been avoided
- Ensure training programs incorporate the lessons learned
- Organizations must put the proper resources in place to ensure that any form of cybersecurity breach is dealt with swiftly and efficiently.
- There should be an effective Incident Response Plan.
- Thoroughly check all monitoring systems for accuracy to ensure a comprehensive understanding of the threat.
- Engage in continuous monitoring of the organization's networks after a breach for any abnormal activity, and make sure intruders have been thoroughly shut out.
- It is important to perform a post-incident review to identify planning shortfalls as well as successes in the execution of the incident response plan.
- Be sure to engage with law enforcement, and any other remediation support entity, soon after the threat assessment is made to allow for containment of the breach and to inform any future victims.
- Documentation is paramount. Thorough documentation from the onset of the breach through the clean-up must be a priority to ensure continual improvement of the Incident Response Plan.
- It is critical to the success of a business to integrate cybersecurity into its strategic objectives and to ensure that cybersecurity roles are defined in its organizational structure.