Recent cybersecurity statistics indicate that data breaches are escalating into a significant international concern. This underscores the need not only for strong preventive measures to protect critical information but also for a well-defined strategy to contain the damage if attackers successfully breach your defenses.
A robust incident response plan is crucial for mitigating the fallout from a data breach. Here, let me outline the essential steps to take if cybercriminals gain access to sensitive or confidential information.
Guidance for companies
When a corporate data breach occurs, the response process should follow a logical sequence of actions:
- Identify the source of the breach
- Contain and mitigate the incident
- Restore normal business operations
- Conduct a thorough investigation
- Address the vulnerabilities that allowed the breach to occur
Let's examine these steps in detail.
Immediate actions upon detecting a breach
The first priority is to localize and isolate the source of the breach. This may involve identifying compromised servers, web applications, databases, or user accounts. If malware is detected on workplace computers, these devices must be promptly disconnected from the network to prevent further spread. This includes physically unplugging Ethernet cables and disabling Wi-Fi and Bluetooth connections to ensure complete network isolation.
It is important not to power off affected devices, as critical forensic artifacts—such as logs, memory snapshots, and temporary files—may remain on them and prove invaluable for the investigation.
Disable compromised accounts or restrict their permissions immediately, and update passwords for authorized users to prevent further unauthorized access.
Whenever feasible, this process should extend to all potentially affected corporate accounts, as it may initially be challenging to pinpoint the full scope of compromised credentials. Leaving attackers with a pathway back into the infrastructure undermines all efforts to contain and remediate the breach.
Physical security must also be addressed. Be sure to secure server rooms, document archives, and other sensitive areas that could be involved in the incident. Update door access codes and verify that all physical security measures are functioning properly. It is possible that these premises will need to be worked on by law enforcement and cyber forensics experts before the company can return to normal operations.
At this stage, intermediate results can be assessed: the incident has been contained, and its escalation has been halted. The focus now shifts to ensuring business continuity.
What a business continuity plan includes
Business Continuity Management (BCM) is a proactive strategy designed to help organizations anticipate and mitigate potential threats, vulnerabilities, and weaknesses before they escalate into full-scale crises. While this article focuses on handling data breaches, a comprehensive Business Continuity Plan (BCP) encompasses a broad spectrum of risks, including pandemics, natural disasters, financial instability, and human errors.
A well-structured BCP ensures that critical operations can continue or resume swiftly. The plan should include clear protocols, designated roles and responsibilities, and a roadmap for recovery tailored to the specific nature of potential incidents.
Although IT specialists often spearhead the creation of a BCP, active involvement from the management of key departments is crucial. Department leaders should contribute their expertise, ensure the plan's relevance to their operations, communicate its importance to their teams, and oversee regular updates to keep it aligned with evolving business needs and threats.
When creating a BCP, the following guiding questions can serve as a starting point:
- How would the organization function if critical systems such as computers, laptops, servers, email, and the Internet were unavailable?
- What are the potential points of failure within corporate processes, and how can they be mitigated?
- Which counterparties and partners are essential for the company's operations, and how can collaboration with them be maintained during a crisis?
- What resources—such as personnel, alternative communication channels, funds, and capacity providers—are available to the company?
- What is the minimum number of employees required to manage critical operations, such as data centers and IT systems? What roles should they perform, and what tools do they need to accomplish these tasks?
- What are the key skills required to restore normal operations? Are there internal employees with the necessary expertise, or will external specialists need to be engaged?
In addition to addressing these questions, the company should consult international standards that incorporate the best practices for business continuity. ISO 22301:2019 is a leading framework here. This standard assists organizations in identifying and prioritizing threats, enabling them to design robust systems for quick incident response and recovery while minimizing operational disruptions.
In addition to ISO 22301, several other standards offer valuable guidance to support business continuity planning and incident response:
- ISO 22313: Provides recommendations for implementing the requirements of ISO 22301.
- ISO 22317: Focuses on Business Impact Analysis (BIA), detailing the processes for identifying and evaluating the impact of different events on business operations.
- ISO 22318: Dedicated to ensuring supply chain continuity.
- ISO 22398: Covers the principles of planning, conducting, and developing training programs to prepare teams for critical situations through practical exercises and simulations.
- ISO 22399: Offers general recommendations for establishing specific performance criteria tailored to an organization's incident preparedness and business continuity needs.
- NIST SP 800-34: Provides guidance on contingency planning for IT systems during emergencies.
A Business Continuity Plan includes tailored instructions for each department within the organization, outlining their specific responsibilities and actions to minimize the impact of a disruptive event. These instructions ensure that every team understands their role in mitigating risks and expediting recovery.
At the core of these efforts is the incident response team, which plays a pivotal role in managing the situation. This team oversees all response and recovery operations, coordinating actions across departments.
Who should be on the incident response team
The incident response team is composed of specialists with the authority to take decisive action during a crisis without requiring additional permissions. The specific composition of the team may vary based on the company's size, structure, and industry. However, the following roles are commonly included:
- Team Leader - a senior manager, department director, or high-ranking employee who makes critical response decisions and serves as the primary liaison with senior management.
- Project Manager - coordinates the team's efforts, ensuring that tasks are prioritized and executed efficiently.
- Legal Specialist - advises on the legal implications of the breach, including regulatory compliance, contractual obligations, and liability management.
- IT Specialist - focuses on technical containment, investigation, and remediation, such as isolating affected systems, analyzing the breach, maintaining data backup independence, and implementing fixes.
- HR Representative - manages internal employee communications, addresses concerns, and oversees any disciplinary actions if necessary.
- PR Specialist - develops and executes communication strategies for external stakeholders.
While a Business Continuity Plan offers comprehensive recommendations on maintaining the organization's operations during a crisis, effectively addressing a data compromise situation requires a more specialized document: the Data Breach Response Plan.
How to prepare a data breach response plan
A Data Breach Response Plan focuses specifically on mitigating the damage caused by incidents involving corporate data. A comprehensive Data Breach Response Plan should include the following elements:
- Define what constitutes a data breach within the organization's context.
- Detail the steps for evaluating the severity of a breach, including the roles and responsibilities of employees and the crisis response team during containment, investigation, and remediation.
- Specify the company's contractual requirements that must still be honored despite the incident.
- Outline the regulatory and legal obligations related to the type of data involved (e.g., personal data, trade secrets).
- Provide a framework for communicating with affected individuals, partners, and contractors.
- Define the conditions under which external entities (e.g., law enforcement, regulators, or media) should be contacted.
By the time the Data Breach Response Plan is activated, the immediate crisis should be under control. The focus then shifts to identifying the root cause of the breach and implementing corrective actions to eliminate vulnerabilities and prevent future incidents.
How to investigate a data breach
After containing the data breach, the next step is to secure and analyze all available evidence to understand the incident thoroughly. Collect and safeguard critical artifacts such as event logs, system logs, and authentication records from corporate systems.
Establish a clear timeline and recreate the sequence of events leading to the data leak.
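As an added example (not code from the original article), the following Python script shows the two steps above in practice: fingerprinting preserved log evidence before analysis, then normalizing an sshd-style auth log and a web-server access log into one UTC-ordered timeline and locating the first accepted login that followed repeated failures. The log lines, account names and IP addresses are constructed for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample evidence (not real data): sshd auth log and web access log.
AUTH_LOG = """\
2024-03-02T22:14:03Z sshd[911]: Failed password for admin from 203.0.113.7 port 50122
2024-03-02T22:14:09Z sshd[911]: Failed password for admin from 203.0.113.7 port 50123
2024-03-02T22:14:15Z sshd[911]: Accepted password for admin from 203.0.113.7 port 50124
2024-03-02T22:20:41Z sshd[934]: Accepted publickey for deploy from 198.51.100.2 port 41022
"""
ACCESS_LOG = """\
198.51.100.2 - - [02/Mar/2024:22:05:12 +0000] "GET /healthz HTTP/1.1" 200 2
203.0.113.7 - - [02/Mar/2024:22:31:50 +0000] "GET /export/customers.csv HTTP/1.1" 200 8912233
"""
AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def evidence_digest(raw: str) -> str:
    """SHA-256 of the raw log, recorded before analysis so later tampering is detectable."""
    return hashlib.sha256(raw.encode()).hexdigest()

def build_timeline(auth_log: str, access_log: str) -> list:
    """Merge both formats into one UTC-ordered list of (ts, source, actor, ip, outcome, detail)."""
    events = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, "sshd", m[3], m[4], m[2].lower(), line))
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")  # offset-aware
            events.append((ts, "http", "-", m[1], m[5], f"{m[3]} {m[4]} ({m[6]} bytes)"))
    return sorted(events, key=lambda e: e[0])

def first_suspicious_login(timeline: list, min_failures: int = 2, window_s: int = 300):
    """First accepted login preceded by min_failures failures for the same account and IP within window_s."""
    failures = {}
    for ev in [e for e in timeline if e[1] == "sshd"]:
        ts, _, actor, ip, outcome, _ = ev
        recent = [t for t in failures.get((actor, ip), []) if (ts - t).total_seconds() <= window_s]
        if outcome == "failed":
            failures[(actor, ip)] = recent + [ts]
        elif len(recent) >= min_failures:
            return ev
    return None
```

The resulting timeline places the suspicious admin login before the large export of customers.csv from the same address, which is exactly the sequence the investigation needs to document.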
If internal resources lack the expertise or tools to conduct a comprehensive investigation, external specialists, such as Cyber Forensics Experts and Threat Intelligence Analysts, may be required.
Before involving cyber forensics experts, organizations can perform their own preliminary investigation and address security vulnerabilities identified during the process. A good starting point is examining commonly exploited attack vectors used by threat actors.
Weak and stolen passwords
Require all employees to reset their passwords immediately following the breach. Enforce strict password guidelines that disallow weak and commonly used passwords. Introduce MFA for all corporate accounts.
Web application vulnerabilities
To prevent attackers from interfering with the operation of web applications, experts recommend using a Web Application Firewall (WAF). It serves as a barrier between web applications and the Internet, identifying traces of various cyber attacks.
Malware
Email and file upload mechanisms to external platforms remain the primary methods for infiltrating corporate systems. Antivirus solutions, monitoring systems, and endpoint detection and response (EDR) tools play a critical role in combating these threats. However, experts point out that attackers heavily rely on phishing email campaigns. Social engineering techniques enable them to bypass technical security measures effectively.
The best defense against social engineering includes cyber literacy training, increasing awareness of current threats, and conducting regular simulated phishing attacks that closely mimic real-world tactics used by cybercriminals.
Incorrect permission settings
Not many companies currently follow the Zero Trust model, which provides users with only the minimum necessary privileges. As a result, employees are able to change the system settings of their work computers, install third-party applications, and create new accounts. The Zero Trust approach can be implemented using both technical and organizational methods. There are solutions that allow IT specialists to configure access rights for thousands of corporate users in a few clicks.
Microsegmentation
To make activity on the corporate network easier to monitor, it is recommended not only to deploy security solutions but also to improve the visibility of events through microsegmentation. This reduces the volume of information that specialists have to work with and also makes it harder for attackers to move laterally through the infrastructure.
Staying prepared
To develop the corporate security system, consider launching a bug bounty program, organizing regular penetration tests and red team exercises, and conducting the previously mentioned cybersecurity awareness training and anti-phishing exercises.