How to Deal with Unthinkable, Inevitable Security Breaches

Monday May 3rd, 2021

For the longest time, Europeans believed that all swans were white. So much so that the existence of a black swan was felt to symbolize all that was impossible. 

That was until in the mid-17th Century, when Dutch explorer Willem de Vlamingh came across black swans in Western Australia.  Something that had seemed impossible was now proven to be fact.  Just like a catastrophic security breach: in an instant, something that seemed unthinkably unlikely became harsh, irrefutable fact. 

So how should you respond to the unthinkable, yet all-but inevitable, event of a data breach? 

What do you do when you are faced with that horrible moment of discovery that what you thought was impossible is now very, very real? That your systems have been compromised and your data potentially stolen?  Because, sooner or later, the reality is that it’s very, very likely to happen.

The first thing, of course, is to not panic. Breaches happen, and in many cases they are the result of simple mistakes that can be remedied readily. However, the first few hours after the discovery of a breach are critical and how you respond will significantly shape the long-term impact on your business. There are a lot of excellent sources for advice here – most notably the FTC has a great summary of immediate steps to take once you discover the breach. If you haven’t seen it, I recommend you take a look.

Next, you should immediately lock down the breached systems and potentially tightly control access to them. However, resist the temptation to wipe the systems or restore them to a previous “safe” state. Doing so could destroy critical information that you’ll need to identify the cause and scope of the breach itself.

Now it’s time to bring in experts. Bringing in a third party can augment your own team’s expertise and will help you ensure you capture all the relevant information regarding the breach – information you’ll need if and when you contact law enforcement agencies, partners and customers. They should be able to help you identify how the breach occurred, what systems were affected and what the scope of the breach was. Simply because a breach occurs doesn’t mean that data, sensitive or otherwise, was stolen. Many attackers will breach a system and then use that to expand their beachhead in your business over time before they are able to gain access to something of value. With good security controls in place, you have a fighting chance of spotting the early moves long before you find yourself with a serious breach on your hands. This is why it’s important to preserve the systems that are breached – if you wipe them clean you may lose your only chance to identify how badly you’ve been hit.

Depending on the results of your team’s analysis, you can decide if you should inform law enforcement.  Again, many breaches are accidental in nature and may need nothing more than a change in policy and better education. On the other hand, finding that hackers have stolen your customers’ or employees’ personal data is something that must be escalated quickly. There’s a good guide on the website for the Cybersecurity & Infrastructure Security Agency on when and how to inform the government on a breach.

Finally, you’ll need to start remediation – cleaning up the breach, implementing new security controls and policies, and notifying affected parties.

So, what can you do today to help prepare for the arrival of the unthinkable?

In addition to investing in good technical security controls (Intrusion Detection Systems, log management, correctly configured firewalls, and so on), it’s important that you invest just as much in your employees. Security training is essential to avoid attacks that focus on the human element of your business (phishingdrive-by attacks, etc.)

Lastly, you’ll need a plan for what to do if the worst does happen. Have a documented process of who to call, when, and what to do next – so that regardless of who discovers the breach, everyone knows what to do (and what not to do) and you won’t lose critical hours trying to figure out what to do now.

Because sooner or later, regardless of how much you might think otherwise, a black swan will swim by…

Geoff Webb

Vice President of Product Marketing