Data breaches worldwide now cost more than US$4.2 million per incident. As organizations expand their digital infrastructure, they also expand their attack surface: by the third quarter of 2021, more breaches had been reported in the US than in all of 2020. It also takes a long time for an average organization to find and contain a breach; current estimates put it at 287 days. The increasingly common ransomware actors behind many modern breaches complicate matters further. So what should you do when the breach alarm goes off? ESET experts shared the following points to keep in mind:
1. Keep calm
A data breach is one of the most stressful situations an organization can face, and the pressure is greatest when the attackers are ransomware actors who have encrypted your systems and are demanding payment. Impulsive responses, however, can do more harm than good. Getting the company back up and running is important, but it is vital to proceed methodically: follow your incident response plan and understand the extent of the breach before taking any major action.
2. Follow your incident response plan
You should treat a breach of your organization as a matter of "when", not "if", and having an incident response plan in place is a cybersecurity best practice. This requires planning in advance; guidance is available from bodies such as the US National Institute of Standards and Technology (NIST) and the UK's National Cyber Security Centre (NCSC). Once a serious breach is detected, a pre-designated incident response team, involving stakeholders from across the company, should work through the plan step by step. Test these plans regularly so that everyone knows their role and the documentation stays up to date.
3. Assess the extent of the breach
One of the most important steps after a major security incident is understanding how badly the company has been affected, because this determines the post-breach actions such as notification and remediation. You need to find out how the attackers got into your systems and how large the "blast radius" of the attack was: which systems they had access to, what data was at risk, and whether they are still on the network. This is typically where third-party forensic experts come in.
4. Involve the legal department
You need to know where your organization stands after a breach. What are your obligations? Which regulators need to be notified? Should you negotiate with the attackers to buy more time? When should customers and/or business partners be informed? The in-house legal department should be your first point of contact here, though you can also bring in specialists in cyber incident response. Forensic information about what actually happened is vital at this stage so that these experts can make informed decisions.
5. Know when, how and to whom to report
Under the GDPR (EU General Data Protection Regulation) and the KVKK (Turkey's Personal Data Protection Law), the local regulator must be notified within 72 hours of becoming aware of the breach. It is important, however, to understand the minimum requirements for such a notification, as not every incident meets the threshold. This is where in-depth knowledge of the scope of the breach matters. If you do not know how much data was taken or how the threat actors got into your systems, assume the worst when informing the regulator. The UK Information Commissioner's Office (ICO), which played a key role in drafting the GDPR, has helpful guidance on this. In addition, the Data Security Guide published by the Personal Data Protection Authority (KVKK) is an instructive resource with practical, accessible information on the subject. For a detailed look at breach notification processes and examples, see the Authority's page on the topic (https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi).
6. Inform law enforcement
Regardless of regulatory requirements, it is in your interest to have law enforcement on your side after a breach, especially when the threat actors are still in your network. Involve them as soon as possible. In a ransomware case, for example, law enforcement may be able to put you in touch with security vendors and other third parties that offer decryption keys and risk mitigation tools.
7. Tell your customers, partners and employees
This is another step that belongs firmly on your post-breach to-do list. Again, how many customers, employees and business partners you need to inform, what you tell them and when depends on the details of the incident and on what was stolen. Start with a statement that the organization has detected an incident and is investigating it, but follow up with more detail quickly, because rumors spread fast. The IT, public relations and legal departments should work closely together on this.
8. Start recovery and remediation
Once the scope of the attack has been determined and the forensics/incident response teams are confident that the threat actors no longer have access to the network, it is time to get things back on track. This can mean restoring systems from backups, reimaging compromised machines, patching affected endpoints and resetting passwords.
9. Start building resilience against future attacks
Threat actors often share information on the cybercrime underground, and organizations that have been breached once are increasingly targeted again, frequently by ransomware actors. It is therefore more important than ever to use the information gathered from your threat detection and response and forensic tools to make sure that the paths the attackers used the first time cannot be used again. This could mean improvements in patch and password management, better security awareness training, the introduction of multi-factor authentication (MFA), or more far-reaching changes to people, processes and technology.
10. Study how breach responses go wrong
The final piece of the incident response puzzle is learning from experience. Building more resilience for the future, as discussed above, is part of that, but you can also learn from other organizations' examples. Past data breaches include many high-profile incidents with poor responses. In one widely criticized case, a phishing link was tweeted four times from the breached company's corporate Twitter account after being mistaken for a link to the company's own breach response site. In another, one of the UK's major telecommunications companies came under heavy criticism for issuing contradictory information.