Hidden hacker works in the dark to steal data online showing incident response for data breach

DEFCON NOW: Six Immediate Steps To Take When Experiencing a Data Breach

An accomplished and seasoned security expert, Jim brings 20+ years of in-depth knowledge in engineering powerful security solutions. Having worked with notable companies in finance, healthcare, manufacturing, technology and more, he advises on complete security infrastructure, from assessments, vulnerabilities and risk management to phishing training/simulation, DDOS mitigation, endpoint protection and Managed SOC.

We all hope it never occurs, but the amount of reported cybercrime attacks is growing steadily – if not skyrocketing – especially within the context of the modern hybrid workplace. Since the pandemic began, forcing the switch to remote work, the FBI has seen cybersecurity incidents rise over 400%. And this isn’t to mention the alleged amounts of breaches, ransomware payments, and cyberattacks that go entirely unreported.

The effects of these attacks are immense, costing companies money and trust. When disaster strikes, prioritizing an immediate, fast-paced response is crucial. IT downtime can cost $5,600 on average per minute and this number can get even higher for businesses that work with data transactions such as banks. Therefore, taking advantage of the first hours following a cyberattack are pivotal in saving money and limiting damages from the attack.

Hopefully, you’re reading this as a precautionary measure rather than while experiencing a data breach, but regardless, here are the six fundamental moves to make within the first 24 hours of experiencing a breach.

Step 1

The first step is the most critical. Across your organization, immediately begin using other means of communication. They are already inside your network or systems, and the use of email or other internal methods of communication is likely only going to exacerbate the problem.

Viruses, malware, and ransomware are specifically designed to spread as fast as possible, and even further, they can read the countermeasures that you’re employing and circumvent them. Go offline, organization wide, as fast as possible, and quickly make it known to every employee and functionary that may unwittingly spread a containable problem or allow the threat actor access to information about your instant response plan.

Step 2

The second step might seem self-evident, but it’s more than worth noting: limit and isolate the exposure. Throw your Incident Response Plan into action as soon as possible. If you don’t have an Incident Response Plan, create one today and make sure it is well tested. 23% of companies have never tested their plan and when they go to enact it, the flaws will show.

Having this plan is going to be critical to isolating and rerouting traffic. The goal of the threat actor is to have their cyberattack method replicated on as many devices as possible as fast as possible, so isolation is paramount to capturing and killing it before any more damage is done.

Step 3

Once you’ve isolated and contained, you’ll need to start taking thorough documentation. Record everything you can so you can learn from these mistakes. If you’ve paid a ransom to a threat actor, don’t think the problem has been averted. You’re now a name on their list and the holes in your security are known to them. Documenting and recording thoroughly creates a blueprint for the backdoors for which you don’t have stopgaps. You need to discover how it happened in the first place.

Step 4

The fourth step, one that has received a fair amount of pushback from clients of mine in the past and is of debate among organizations – contact law enforcement. While you may be worried about the negative publicity your company might receive, that confidence can be restored when the threat actors are brought to justice.

Most local law enforcement doesn’t have the full range of technology necessary for detection, but as the Department of Justice website notes, the federal agencies handling these cases are myriad: everyone from the FBI, to the Secret Service, to the Federal Trade Commission have devoted sectors to combating cybercrime and, they are legally bound to confidentiality unless your breach involves the public interest at large.

Step 5

At this point, you need to survey how to remediate this problem. It’s happened and will likely happen again without creating the stopgaps necessary. If you have a vigilant internal information technology department, this should be their top priority. If you don’t, you need to consider hiring a third-party cyber security consultant. As I mentioned before, just because you put this fire out doesn’t mean you aren’t now on the arsonist’s list of flammable locations.

Step 6

Finally, while it might seem obvious, you need to learn from this breach. You need to grow and adapt with agility after a cyberattack from the top down. Be proactive. Enable surprise simulations at every level so employees learn to identify questionable communications and potentially dangerous code that might make its way into your organization. You can never fully prevent a cyberattack so learn from it, then get ready because it may happen again. And, as a professional with over 25 years in this field who’s seen a major system breached by an aquarium’s e-thermometer, let me say it never hurts and is almost always advantageous to have a third-party security firm assess your level of risk.

After all the steps have been enacted, get ready because companies that have been hit once are extremely likely to suffer another attack, and usually within the same year. But, if you are consistently improving your security posture, you’ll be ready for it when it comes. The bottom line is to act fast and keep learning.