In this blog

  1. First 24 hours post-breach response checklist
  2. Who to notify after a data breach?
  3. When to inform the ICO of a data breach
  4. 7-step guide for data breach remediation
  5. Conclusion
Photo of Oliver Pinson-Roxburgh

Oliver Pinson-Roxburgh

CEO and Co-Founder

7th June 2022

Data breaches come in all shapes and sizes; from full data risks to minor vulnerability disclosures, all businesses will, at some point deal with the consequences of compromised or lost data. Of the 39% of businesses that reported a cyberattack in 2022, 31% estimate being attacked at least once a week, and when a breach occurs, it is the organizations responsibility to put it right and ensure they are well protected against future data breaches and cyberattacks.

Businesses that don’t have a risk management strategy, or who are limited by budget and resources tend to take a reactionary approach when faced with a breach, but by following some simple steps to security best practices, you can greatly reduce your risk of compromised business data.

This blog is a simple guide to what your organization should do in the event of a data breach, how to recover, and who to notify once a breach has been discovered. By following our 7-step guide your business can manage security incidents more effectively and plan against future data loss.

First 24 hours breach response checklist

During the first 24 hours after a data breach has been discovered, you should do the following:

  • Document the date and time of breach
  • Assess the scale and severity of the breach and whether it was caused by a cyberattack or employee error. Investigate what data has been accessed and is potentially at risk of exposure
  • Establish which areas of the business have been affected
  • Ensure the incident response team have been notified
  • Understand whether a risk assessment has been conducted and whether your company followed due diligence after discovering the data breach.

Every data breach carries a different level of severity and there are scenarios where it is not possible for businesses to mitigate the risk. For example, in the case of zero-day vulnerabilities, the average business’s expertise and budget can make these extremely difficult, if not impossible to find given that until the vendor is made aware of a breach, there is no way to tell if your business is at risk. In this scenario, an effective data loss prevention strategy includes the use of firewalls, keeping operating systems and software up to date and implementing staff training to reduce the risk of human error contributing to a breach.

After discovering a data breach, organizations also need to follow an incident response process that is consistent and repeatable, with a focus on documenting insights into the attack and following a triage process. This is vital to assess how the data breach may have occurred, what type of attack it is, what systems have been affected and what data has been stolen, leaked or shared.

Who to notify after a data breach?

In many cases, businesses are required to notify key governing bodies such as the Information Commissioner’s Office (ICO) when they experience a data breach, and depending on the level of risk, the ICO must also be informed within 72 hours from the time the breach was discovered. For example, if the breach involves personal data, the 72-hour rule applies even if there is limited information available about the extent of the attack. It is therefore vital that businesses understand the type of breach they are dealing with so they can take the correct action.

When to inform the ICO of a data breach

While businesses are not required to report every breach to the Information Commissioners Office, there are several circumstances under which the ICO must be notified if businesses believe that they have experienced one of the following data breaches:

  • A personal data breach under the GDPR or the DPA Act 2018
  • A PECR security breach – a breach of any telecom or internet service provider
  • NIS (Network and Information Systems) incident – a data breach of any organization that provides digital services to the public including online search engines, cloud services, and online marketplaces
  • eIDAS (Electronic Identification and Trust Services) breach – a security breach of any organization under the eIDAS regulation that handles the electronic verification of an individual or business’ identity and verifying the authentication of electronic documents (electronic signatures and timestamps, for example)

It’s worth remembering an organization may initially suffer a systems breach which only disrupts their network service. The ICO would need to be notified of a cyber incident like this under the NIS regulation. Personal data breaches can be a consequence of a NIS attack therefore the ICO must be informed of the breach under the UK GDPR.

7-step guide for data breach remediation

How you respond to a data breach is crucial for minimizing its impact, and the aftermath of discovering a breach can be a stressful time for security teams. This is a where a well-planned step-by-step process can help to ensure that breach remediation is conducted effectively.

Here’s a 7-step guide on how to manage a data breach:

  1. Understand the type of breach, severity and the magnitude of its impact on the business and your customers:

    • Determine whether it was a NIS breach, personal data breach, or both
    • Does the breach affect customers or employees, or both?
    • What’s the geographical spread of the attack? Will it have any cross-border impact?
    • What was the duration of the data breach? This is measured from the moment the data breach took place to when it was recovered

  2. Follow proper conduct and notify the correct regulatory bodies relating to the type of breach that has taken place. For example, the ICO will need to be informed of a systems breach under the NIS regulations and a personal data breach under the UK GDPR.

  3. Is the data breach a case of ransomware? If it is, then be as clear as possible whether you are being held to ransom for the data that has been captured. It’s important to understand what data is at risk and whether it has already been exposed. Additionally, it’s crucial to understand whether a ransomware attack is preventing access to the captured data which makes it more difficult to access and control its use.

  4. Communication is key. Be transparent with customers once you are 100% clear on what has happened. Clearly outline the consequences of the breach, who it affects, and reassure them of how your organization is handling the situation post-breach and what measures are being implemented to mitigate future data breaches.

    Have a process in place to absorb any backlash and concern expressed by customers. Outsourcing communications to a PR agency can be beneficial or appoint a board level representative to issue a formal statement at the appropriate time. Furthermore, not communicating the breach to the data subjects affected can lead to a fine and result in businesses suffering reputational damage.

  5. As part of your post-breach remediation, data exposure monitoring on a monthly or annual basis will reassure customers on whether your data has been exposed and what, if any, customer data has been stolen, leaked and shared on the internet or dark web.

  6. It’s crucial for an organization to implement an incident response (IR) plan, if one does not exist already. An incident response plan is a proactive approach to deal with a cybersecurity attack and help with preparation, decision-making and stress management under high-pressure situations.

    Post-breach incident response plans can also help streamline the remediation process. Managing a data breach in a practical and orderly way can give stakeholders peace of mind and help get businesses back on track.

  7. Have a breach response evaluation and assessment meeting detailing lessons learnt, what has been actioned, and what needs to be addressed to prevent future cyber breaches. Empower your workforce using training videos to elevate their cybersecurity awareness and test their knowledge.

Summary

With hackers becoming more sophisticated in how they breach an organizations network, there are numerous ways to breach an environment and exfiltrate data. If an organization is unprepared and doesn’t have the necessary incident response plan in place, a data breach can be disastrous and costly. However, there is light at the end of the tunnel. Post-breach remediation strategies will help organizations resume business operations whilst cybersecurity experts scrutinise and undertake the necessary measures in understanding the cyberattack and remediating accordingly.

Photo of Oliver Pinson-Roxburgh

Oliver Pinson-Roxburgh

CEO and Co-Founder

Share this article

Start securing your business today

Get in touch today to start your free trial of Defense.com and discover how we can help you take the stress out of your cybersecurity.

Related resources