Steps to Take After a Data Breach

Oct 18, 2022
Zachary Amos
In a perfect world, you’ll never have to worry about what to do after a data breach. Unfortunately, cybercrime is too sophisticated and growing too fast to safely rest in that assumption.

The reality is that 52% of all businesses have experienced a disruptive event in the past five years. Cybercrime accounts for an increasingly significant portion of that disruption, and it’s always evolving. While it’s essential to have strong cybersecurity defenses, breaches can still happen, so you need an emergency response plan. Here’s what you should do after a data breach.

1. Contain the Breach

The first step to take when you discover a breach is to contain it. If you can stop it from spreading early, you’ll minimize the damage. Conversely, failure to contain it could result in massive losses.

Alert your IT department or security response team immediately so they can get to work stopping it. That process should involve finding the breach’s source, looking for vulnerabilities to secure, and taking things offline to prevent it from spreading. Because many breaches come from insiders, you should restrict user accounts’ privileges until you learn more.

As teams go through this process, it’s important to record everything. Save a copy of the breached system, avoid deleting any data, and write down what you find and do. These records will help you later.

2. Assess the Damage

Once you’re sure you’ve contained the breach, look through your systems to see what the incident affected. Remember to check everything – not just where you found the breach – because sometimes attacks are more extensive than they seem initially.

Check system logs to see what files people or systems accessed around the time of the event. Looking through the records you kept during the first step can also help. As you discover what kinds of data or accounts the incident affected, consider the future damage it could cause.

Learning the true extent of the data breach will help you know what else you should do. If you discover the attacker found employee email addresses or names, you’ll know phishing may be a bigger threat in the future. You can then alert everyone to stay on their toes and run more anti-phishing training.

3. Inform All Affected Parties

Next, it’s time to inform any employees, partners, or customers the breach might’ve affected. Part of good cybersecurity is teaching workers to report suspicious activity and respond to emergencies, but they must know about events to act. The quicker you can tell everyone, the faster they can take action to reduce the impact.

Many legal regulations require businesses to notify users of data breaches. While these timelines aren’t always specific, it’s best to do that sooner rather than later. Europe’s General Data Protection Regulation (GDPR) says to alert them without undue delay, so communicating within a few days of the event is likely the best way to go.

These alerts should include what happened, how it may affect the party in question, what you’re doing about it, and how they should respond. Some actions on their part, like changing passwords, may be necessary.

4. Test New Security Patches

As you investigate the breach, your IT or security team should be able to patch the vulnerability that led to the event. Rolling out these updates quickly is essential, but ensuring they work is equally critical. Once you have a fix in place, test it.

Just as fire departments test fire hydrants against set standards, IT departments should test security patches to see if they hold up. Without these tests, you can’t be sure another attacker won’t breach your network the same way the last one did. Be sure to apply this across your whole organization, not just where the incident occurred.

It’s also a good idea to make this penetration testing part of your regular business continuity plan. As your business grows, networks and security systems often become more integrated and interconnected, but with more complexity and connectivity also comes more attack surfaces you need to cover. Every time you change something about your IT environment, test it against the kind of attack that breached your systems the first time to ensure it doesn’t suffer the same fate.

5. Review and Improve

Finally, take this event as an opportunity to improve your security posture. After you’ve fixed the vulnerabilities, informed all parties, and settled any legal side effects, have a meeting to review the situation.

Look over what happened, how everyone responded, and how those actions impacted the outcome. What worked well? What didn’t? You can use the answers to these questions to see where and how you can improve your data breach response in the future.

Having a defined business continuity plan will lessen the overall cost and damage of a future emergency. Creating and refining such a plan requires understanding your strengths and weaknesses, which these reviews provide. Ideally, you’ll never suffer a data breach, but if you do, don’t let this real-world experience go to waste.

Data Breaches Don’t Have to Spell the End

Data breaches are an intimidating prospect and an increasingly likely scenario for many businesses. While these events can be damaging, they don’t have to be disastrous. Quick responses and proper planning will mitigate their impact.

These steps will help you contain a breach, lessen the damage, and prevent future ones. If you can do that, you can ensure your business thrives despite these attacks.

Zac Amos is the Features Editor and a writer at ReHack, where he loves digging into business tech, cybersecurity, and anything else technology-related. You can find more of his work on Twitter or LinkedIn.

Cybersecurity Checklist

Check for signs that may lead to a data breach and explore preventative measures to safeguard your operations.