Photo of Oliver Pinson-Roxburgh

Oliver Pinson-Roxburgh

CEO and Co-Founder

7th June 2022

Data breaches are something that in most recent years seems inevitable. Of the 39% of businesses that reported a cyberattack in 2022, 31% estimate being attacked at least once a week. Data compromises also come in all shapes and sizes from full data risks to minor vulnerability disclosures. Once a breach occurs, it is the organizations responsibility to put it right and ensure it is well protected against future cyberattacks and data breaches.

Businesses that either lack knowledge of cybersecurity and how to manage risk, have limited budgets and resources or those who are taking a reactionary approach to cybersecurity will be most at risk. There’s a lot of advice on how to best defend against opportunistic and targeted attacks . By following simple security best practices, you can greatly reduce your risk of a significant compromise.

This blog is a simple guide to what your business should do in the event of a data breach, how to recover from a breach, and who to notify once a breach has been discovered. By following our 7–step guide on post–breach remediation, your business can manage security incidents more effectively and plan appropriately to prevent future data breaches from occurring.

First 24 hours post–breach response checklist

During the first 24 hours after a data breach has been discovered, you should do the following:

  • Document the date and time of breach
  • Assess the scale and severity of the breach and whether it was caused by a cyberattack or employee error. Investigate what data has been accessed and is potentially at risk of exposure
  • Establish which areas of the business have been affected
  • Ensure the incident response team have been notified
  • Understand whether a risk assessment has been conducted by identifying the associated risks of the breach and assessing whether your company followed due diligence following the discovery of the breach.

Every situation varies in levels of risk and severity. Businesses and consumers need to realise that not every breach should be considered equal and that there are scenarios where it would not be possible for a business to mitigate the risk. An example of this is zero–day vulnerabilities. The average business’s expertise and size of budget will make it very difficult, even impossible, to find these types of vulnerabilities given that until the vendor is made aware of a breach, there is no way to tell if you are vulnerable. SIEM tools can help detect abnormalities that are indicative of zero–day attacks, however businesses can improve their chances against zero–day attacks by using firewalls, keeping operating systems and software up to date and implementing staff training as zero–day attacks can capitalise on human error.

From the moment an organization suffers a data breach, they need to follow a process that is consistent and repeatable. The focus needs to be on documenting insight into the attack and following a procedure to triage. It’s vital to assess how the data breach may have occurred, what type of attack it is, what systems have been affected and what data has been stolen, leaked or shared.

Who to notify after a data breach?

When a data breach occurs, it’s pivotal for organizations to ascertain what type of breach it is. In many cases, it will be necessary to notify key governing bodies such as the Information Commissioner’s Office (ICO) on the type of data breach that has happened, no matter its risk level. There are certain instances, for example, when reporting a personal data breach, that the ICO must be informed about within 72 hours of your business becoming aware of the incident. This should be the case even if you have limited information about the cyberattack in its immediate aftermath.

When to inform the ICO of a data breach

There is not a requirement to report every breach to the ICO. organizations need to inform the ICO if they believe they have experienced one of the following data breaches:

  • A personal data breach under the GDPR or the DPA Act 2018
  • A PECR security breach – a breach of any telecom or internet service provider
  • NIS (Network and Information Systems) incident – a data breach of any organization that provides digital services to the public including online search engines, cloud services, and online marketplaces
  • eIDAS (Electronic Identification and Trust Services) breach – a security breach of any organization under the eIDAS regulation that handles the electronic verification of an individual or business’ identity and verifying the authentication of electronic documents (electronic signatures and timestamps, for example)

It’s worth remembering an organization may initially suffer a systems breach which only disrupts their network service. The ICO would need to be notified of a cyber incident like this under the NIS regulation. Personal data breaches can be a consequence of a NIS attack therefore the ICO must be informed of the breach under the UK GDPR.

7 Step Guide for Data Breach Remediation

How you respond to a data breach will be crucial to minimizing the impact of the breach. It can be a stressful time for security teams in the immediate aftermath of discovering a data breach which is a why a well–planned step–by–step process is required to ensure the post–breach remediation is conducted effectively.

Here’s a 7–step guide on how to manage a data breach:

  1. Understand the type of breach, severity and the magnitude of its impact on the business and your customers:

    • Determine whether it was an NIS breach, personal data breach, or both
    • Does the breach affect customers or employees, or both?
    • What’s the geographical spread of the attack? Will it have any cross–border impact?
    • What was the duration of the data breach? This is measured from the moment the data breach took place and when it was recovered
  2. Follow proper conduct and notify the correct regulatory bodies relating to the type of breach that has taken place. For example, the ICO will need to be informed of a systems breach under the NIS regulations and a personal data breach under the UK GDPR.

  3. Is the data breach a case of ransomware? If it is, then be as clear as possible whether you are being held to ransom for the data that has been captured. It’s important to understand what data is at risk and since the breach, whether it has already been exposed. Additionally, it’s crucial to understand whether a ransomware attack is preventing access to the captured data which makes it more difficult to access and control its use.

  4. Communication is key. Be transparent with customers once you are 100% clear on what has happened. Clearly outline the consequences of the breach, who it affects, and reassure them of how your organization is handling the situation post–breach and what measures are being implemented to mitigate future data breaches.

    Have a process in place to absorb any backlash and concern expressed by customers. Outsourcing communications to a PR agency can be beneficial or appoint a board level representative to issue a formal statement at the appropriate time. Furthermore, not communicating the breach to the data subjects affected can lead to a fine and result in businesses suffering reputational damage.

  5. As part of your post–breach remediation, data exposure monitoring on a monthly or annual basis will reassure customers on whether your data has been exposed and what, if any, customer data has been stolen, leaked and shared on the internet or dark web.

  6. It’s crucial for an organization to implement an incident response (IR) plan, if one does not exist already. An incident response plan is a proactive approach to deal with a cybersecurity attack and help with preparation, decision–making and stress management under high–pressure situations.

    Post–breach incident response plans can also help streamline the post–breach remediation process. Managing a post–data breach in a practical and orderly way can give stakeholders peace of mind and help get businesses back on track.

  7. Have a post–breach evaluation and assessment meeting detailing lessons learnt, what has been actioned, and what needs to be addressed to prevent future cyber breaches. Empower your workforce using training videos to elevate their cybersecurity awareness and test their knowledge.

Summary

With hackers becoming more sophisticated in how they breach an organizations network, there are numerous ways to breach an environment and exfiltrate data. If an organization is unprepared and doesn’t have the necessary incident response plan in place, a data breach can be disastrous and costly. However, there is light at the end of the tunnel. Post–breach remediation strategies will help organizations resume business operations whilst cybersecurity experts scrutinise and undertake the necessary measures in understanding the cyberattack and remediating accordingly.

Start securing your business today

Get in touch today to start your free trial of Defense.com and discover how we can help you take the stress out of your cybersecurity.