From small businesses to large corporations, no organisation is immune to the threat of a…
Steps To Manage A Data Breach
In today’s world of increasing reliance on digital technology, data breaches are a reality. Organisations of all sizes are at risk of a data breach, whether through a malicious attack or an internal error. In the UK, small to medium businesses are targeted every 19 seconds, and 88% of UK companies have suffered a breach in the last 12 months.
In 2020, EasyJet suffered a cyberattack that affected nine million of its customers. Nearly all of the compromised customer data was email addresses and travel itinerary information, along with the details of 2000 credit cards.
The damage of a data breach can be devastating to a company, no matter the size. It is imperative organisations know what steps to take to manage a data breach.
What is a data breach?
A data breach is a security incident where unauthorised individuals gain access to private and sensitive data. Most commonly, this is when hackers find a way into a database and access data, then copy or use it in some way.
Data breaches expose sensitive information such as personal data, financial information (e.g. credit card details), intellectual property, source code, customer details, and corporate or government data.
After a data breach, attackers may impersonate someone from a targeted organisation and gain access to secure networks. Regulatory compliance can be violated, resulting in the organisation facing legal fines.
Why do data breaches happen?
Data breaches are a serious issue and can happen for all sorts of reasons, including accidental leaks, targeted attacks, or insider misuse. They can cause a lot of damage: leaked sensitive information could jeopardise the organisation’s reputation and enable attackers to steal from the company or use that information against it. Breaches can also happen accidentally, or through neglect of critical security systems.
The most common scenario is cybercriminals gaining access to private networks with the intention of stealing data for financial gain or of harming the organisation. The problem with these breaches is that they can go undetected for a long time. This makes the attack and infiltration much worse, because it could be happening right now without the organisation knowing about it.
How do data breaches happen?
Several fairly common factors allow for data breaches to happen, such as:
- Human error is the number one cause of data breaches. Breaches can result from lost or stolen documents, unencrypted hardware being lost, shared account credentials being given out, or an email sent to the wrong person.
- Weak passwords are a reliable entry point for attackers trying to access your network. Brute force attacks are one of the five leading causes of data breaches.
- Legacy system vulnerabilities, such as out-of-date software or unpatched security systems, are an open door for attackers to exploit.
- Malware is downloaded after users fall victim to phishing attacks, where they are sent emails purporting to be from known or reputable contacts. Alternatively, users connect to public wireless networks and their credentials are captured.
- Supply chain attacks occur when another organisation is attacked in order to gain access to, or disrupt, a larger target business. Smaller enterprises don’t always have the same level of security as larger businesses and can be easier to infiltrate. This often happens when partners have weaker security and policies are not enforced with third-party suppliers.
What are the key steps to manage a data breach?
It’s an unfortunate reality that cyberattacks are on the rise and are predicted to increase in the future. One of the most important things organisations can do in order to protect their business from a data breach is to be prepared. This means having an incident response plan in place, so all employees know what to do and what not to do.
This plan should specify what all employees are obliged to do when there is a data breach, whether they are internal or external staff. It should also include contact information for internal bodies that deal with these cases.
Here are some steps that should be included in an incident response plan to manage a data breach:
Stop and contain the breach
Once a company has been notified of a potential or actual breach, the first step is to contain it as quickly as possible. Time is of the essence and there should be no delay in initiating the incident response plan.
Data breach prevention and management is the responsibility of the security incident team, and their role will be to decide the best way to contain the breach depending on the type of attack and the systems affected.
Usually this means isolating the affected parts of the system so the rest of the organisation isn’t affected. Actions that can be taken to contain a breach include:
- Disconnect from the internet
- Disable breached user accounts
- Disable remote access capability
- Change access control credentials
- Preserve firewall settings and logs, and system and security logs
It’s tempting to want to delete and fix immediately after a data breach, but the important thing is to begin implementing the incident response plan and containing the breach.
Gather and preserve evidence of the breach
While it can be tempting to try to fix a breach as soon as it has occurred, it’s important not to delete or erase data that forensic investigators will need. The security team must document all the details of what happened and the actions they took to contain the breach. All of this information is used to determine what led to the breach, who was responsible, and what security improvements are needed.
It’s vital to know how the attack happened in order to prevent future attacks. It’s also important to investigate any affected systems so any malware the attacker may have left behind can be removed.
It also tells the company what action to take about notifying other businesses that may be affected.
So, remember when dealing with a breach:
- Don’t panic and make hasty decisions
- Follow your incident response plan
- Do not wipe and reinstall any systems until evidence is collated.
Communication about the breach
The information gathered about the breach will inform legal and compliance teams about the best way to notify the public, customers and the relevant supervisory authorities. Legislation may impose mandatory timeframes for reporting a breach, so it is important businesses are aware of them to avoid fines.
For example, the UK’s Data Protection Act 2018 requires a data breach to be notified to the ICO within 72 hours of the breach being noticed.
Ensure employees don’t release any information about a breach before management has made an official statement. Customers and the public should be informed of the date of the breach, what data has been compromised, and any protective actions they can take against further damage. This helps an organisation maintain its integrity and credibility in the aftermath of a data breach.
Perform a security systems audit
After a security breach, it’s recommended to do an audit of the business systems to check on the state of current cybersecurity and plan for future disasters. A security audit might involve penetration testing, which is a simulated attack against systems to check for exploitable vulnerabilities.
Security audits should be performed regularly, not just after a data breach. Post-breach audits differ from routine audits: they are a risk assessment as well as a check for current potential threats. Security teams can take the information gathered from the breach investigation and perform a thorough audit to map out any vulnerabilities and plan more robust security prevention and management.
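The containment, evidence-preservation and notification steps above can be backed by a simple record that hashes the preserved logs, timestamps each containment action, and computes the 72-hour ICO notification deadline. The following is an added illustration, not code from the original article or from INTELLIWORX; the log content, account name and IP address are constructed sample data, and the 72-hour window is the deadline the article cites.

```python
"""Evidence-preservation record for a data-breach response (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

ICO_NOTIFICATION_WINDOW = timedelta(hours=72)  # deadline cited in the article


def sha256_file(path):
    """Hash a preserved file so later tampering or wiping can be detected."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(log_paths, detected_at, actions):
    """Record evidence hashes, containment actions, and the notification deadline."""
    return {
        "detected_at": detected_at.isoformat(),
        "ico_notify_by": (detected_at + ICO_NOTIFICATION_WINDOW).isoformat(),
        "evidence": [{"path": p, "sha256": sha256_file(p), "bytes": os.path.getsize(p)}
                     for p in log_paths],
        "actions": [{"time": t.isoformat(), "action": a} for t, a in actions],
    }


def verify_manifest(manifest):
    """Return the paths of preserved files that are missing or no longer match."""
    return [e["path"] for e in manifest["evidence"]
            if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Preserve a constructed auth log, log two containment actions, then detect a later edit."""
    tmp = tempfile.mkdtemp()
    auth_log = os.path.join(tmp, "auth.log")
    with open(auth_log, "w") as f:  # constructed sample log lines (203.0.113.0/24 is a documentation range)
        f.write("Jan 10 02:14:07 sshd[4121]: Failed password for admin from 203.0.113.5\n" * 3)
        f.write("Jan 10 02:14:09 sshd[4121]: Accepted password for admin from 203.0.113.5\n")
    detected = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    actions = [(detected + timedelta(minutes=5), "disabled breached account 'admin'"),
               (detected + timedelta(minutes=12), "disabled VPN remote access")]
    manifest = build_manifest([auth_log], detected, actions)
    intact_before = verify_manifest(manifest) == []
    with open(auth_log, "a") as f:  # simulate someone editing the evidence afterwards
        f.write("tampered\n")
    return manifest, intact_before, verify_manifest(manifest)
```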
The managed IT services team at INTELLIWORX knows how to help businesses close security gaps and avoid data breaches. Get in touch with the experts today.
This Post Has One Comment
From our first – and hopefully last security breach – we’ve learned that ideally the identified malware should be quarantined instead of deleted so it can be properly analyzed at a later date.