So, your company has suffered a security breach, and your team didn’t have a data breach plan in place to handle it. That’s bad news, but take a deep breath. You can get through this. Breaches happen, and can be a challenging time, but with some intentional responses and clear communication, you can satisfy customer concerns and move forward.
Responding well to the breach is the most important thing now. In this post, we’re going to walk you through the right steps for responding to a breach, ensuring your company recovers from this unfortunate situation.
Step 1: Ensure the Breach Has Stopped
Before you do anything else, you need to guarantee that you’re not leaking any more data. Step one in this process is identifying the affected instances and isolating them. It’s important that you don’t switch them off, though. You’re going to need the information on those servers, and turning them off could compromise that data. Instead, ensure that they’re isolated from the rest of your system and that they’re logging everything that happens.
Here’s the key: every bit of data attackers access means further erosion of your customers’ trust. Before you take any further steps, you need to ensure that the leak is plugged.
It’s possible that your internal team lacks the necessary expertise to do all of this work. If that’s true, now is the time to contract with external security experts. They might be expensive, but that investment will pay you back in the form of trust from your customers.
Step 2: Determine the Scope of the Breach
Before you start trying to figure out why this breach happened, you still need to know exactly what happened. That means an exhaustive audit of what data attackers accessed. During this step of the process, you’ll gain a lot more clarity as to the relative damage done to your company.
To determine the scope of the breach, you’ll first need to figure out whether attackers simply read data or if they modified it. Ideally, you have backups of your critical business data. If so, you can compare those backups with the data on your affected servers.
If you don’t have good backups, you’ll need to use application logs to find out what happened. And if you can’t trust your logs, then you should find an expert on each silo of data within your company. Engage with them and have them work to check the data to attempt to determine if it’s accurate.
Once you know which data was breached by attackers, it’s time to figure out how much of it they accessed. If you can’t tell, you need to assume it was everything on every affected server. That’s not a fun thought, but it’s important to be realistic. And it’s always better to have to say that a breach wasn’t as bad as you originally thought, rather than saying that it was worse than you originally told everyone.
Now that you’ve plugged the leak and figured out the scope of the breach, you’ll want to figure out your strategy for hardening your security. You may also need to update security controls on your unaffected systems. If you suspect that the breach came about because someone gained access to a critical password, update your passwords. If you’re behind on security updates, now is the time to update those systems with security patches from their software vendors.
Step 3: Inform Customers
It can feel scary to communicate that you were breached out to your customers and the public. Nobody wants to be the bearer of bad news, but this step is one of the most crucial ones, and it can’t wait. With a good communication plan however, you can quickly win people’s respect and help your company move on past the breach. The sooner you communicate with customers, the better. There are legal reasons to disclose quickly (disclosing a breach of customer data is the law in all 50 states and Washington DC, and it’s an element of GDPR as well), but on top of that, one of the most common responses of outrage from customers to breaches is about how long it took a company to tell them. Once you have information about what data attackers accessed and all the ways they might have modified it, you can begin to build a communication plan with customers.
A key to remember here is that you only want to communicate the essentials. Most customers will not concern themselves with how these attackers gained access. They will want to know instead what data leaked, what their personal next steps should be, and how your team is handling the breach. A great recent example of strong post-breach communication is StackOverflow’s blog from earlier this year. Taking a page out of other company’s successful breach responses is a good way to ground and orient yourself.
A few customers will be interested in knowing how the breach started. You should see those conversations as a business opportunity. That’s your chance to show critical customers that you’ve learned from this unfortunate event.
Most customers, though, will simply want to know how they can protect themselves. If the type of data accessed is identifying information from individual consumers, it’s likely they will be concerned with protecting their identity. But if the data is related to business partners, your job is to know how critical the leaked information is to their business.
The key is that you use this opportunity to communicate clearly to your customers that you understand the severity of the situation. You want them to come away from every communication confident that you’ve learned from this incident and are capable of dealing with the fallout.
Step 4: Ensure This Never Happens Again
If you’ve followed the steps to this point, it’s likely that you can regain the trust of your customers. A breach is certainly a negative event, but by understanding the scope of the problem and clearly communicating that to your customers, you will show that you have things under control and can prevent it from damaging your business.
The same is not necessarily true if a breach like this happens again.
You were caught unprepared this time, but that’s not going to be an excuse the second time around. Formulate a plan for preventing breaches like this. Make sure that plan includes systems to help you identify breaches as early as possible, and limit their scope when you do find them. The SANS Institute created security guidelines for preventing breaches like this. Those are broad recommendations, but they form a solid foundation for any IT security policy. Sqreen also discussed this in a recent post on security best practices for CTOs. Work with your team to determine how you can implement all this advice in your business.
The aftermath of a breach is a natural time to re-evaluate your security. It’s clear that there are improvements you can make, and stakeholders in your company are often now willing to invest in security. As you build a policy, it’s a good idea to begin investigating technologies that can help bridge gaps you’ve identified in your security protection and your team’s skills. Software like Sqreen helps not only in preventing breaches but also in identifying them when they happen. Plus, they’ll help you clarify what data attackers accessed.
The key thing to remember about this step is that it’s just a beginning. Quality security practices are ongoing. A day will come when you consider this specific incident finished. But that doesn’t mean that you’re done securing your systems.
Insufficient time and effort spent on information security is one of the most common causes for breaches in the first place. Use this breach as a launching pad to improve your organization’s security across the board.
Take a Deep Breath
You’re in the middle of a scary moment, and your team is going to be looking to you for leadership. But with proper planning and open communication, you can come through a breach to the other side and strengthen your security into the future. It will take hard work, quality insight, and level heads to make it through this, but you can do it!.
Instead of panicking, show leadership by laying out a data breach plan early. If necessary, work with experts to bring your team to where they need to be. When a breach happens, make sure that it has stopped. Figure out exactly what happened. Communicate with your customers—a lot—to repair any damage to your relationship and assuage their concerns. Then, begin the daily work of making sure this never happens again.
This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.