Thousands of words have been written about how to prevent cyberattacks and what to do if you've been targeted. You're probably already familiar with terms such as endpoint protection and data backup and recovery. These solutions and services are great for protecting you and helping you get back up and running once an attack has been resolved. Unfortunately, there's no standard playbook for a data breach and your actions during a disaster could be as harmful as they are helpful.
In this article, I will discuss what companies should avoid doing once they realize their systems have been breached. I spoke to several experts from security companies and industry analysis firms to better understand the potential pitfalls and disaster scenarios that develop in the wake of cyberattacks.
1. Do Not Improvise
In the event of an attack, your first instinct will tell you to begin the process of rectifying the situation. This may include protecting the endpoints that have been targeted or reverting to previous backups to close up the entry point used by your attackers. Unfortunately, if you hadn't previously developed a strategy, then whatever hasty decisions you make after an attack could worsen the situation.
"The first thing you should not do after a breach is create your response on the fly," said Mark Nunnikhoven, Vice President of Cloud Research at cybersecurity solution provider Trend Micro. "A critical part of your incident response plan is preparation. Key contacts should be mapped out ahead of time and stored digitally. It should also be available in hard copy in case of a catastrophic breach. When responding to a breach, the last thing you need to be doing is trying to figure out who is responsible for what actions and who can authorize various responses."
Ermis Sfakiyanudis, President and CEO of data protection services company Trivalent, agrees with this approach. He said it's critical that companies "do not freak out" after they've been hit by a breach. "While unpreparedness in the face of a data breach can cause irreparable damage to a company, panic and disorganization can also be extremely detrimental," he explained. "It is critical that a breached company not stray from its incident response plan, which should include identifying the suspected cause of the incident as a first step. For example, was the breach caused by a successful ransomware attack, malware on the system, a firewall with an open port, outdated software, or an unintentional insider threat? Next, isolate the affected system and eradicate the cause of the breach to ensure your system is out of danger."
Sfakiyanudis said it's vital that companies ask for help when they're in over their heads. "If you determine that a breach has indeed occurred following your internal investigation, bring in third-party expertise to help handle and mitigate the fallout," he said. "This includes legal counsel, outside investigators who can conduct a thorough forensic investigation, and public relations and communication experts who can create strategy and communicate to the media on your behalf.
"With this combined expert guidance, organizations can remain calm through the chaos, identifying what vulnerabilities caused the data breach, remediating so the issue doesn't happen again in the future, and ensuring their response to affected customers is appropriate and timely. They can also work with their legal counsel to determine if and when law enforcement should be notified."
2. Do Not Go Silent
Once you've been attacked, it's comforting to think that no one outside of your inner circle knows what just happened. Unfortunately, the risk here isn't worth the reward. You'll want to communicate with staffers, vendors, and customers to let everyone know what has been accessed, what you did to remedy the situation, and what steps you intend to take to ensure no similar attacks occur in the future. "Don't ignore your own employees," advised Heidi Shey, Senior Analyst of Security & Risk at Forrester Research. "You need to communicate with your employees about the event, and provide guidance for your employees about what to do or say if they're asked about the breach."
Shey, like Sfakiyanudis, said you may want to look into hiring a public relations team to help control the messaging behind your response. This is especially true for large and expensive consumer-facing data breaches. "Ideally, you'd want such a provider identified in advance as a part of your incident response planning so you can be ready to kick off your response," she explained.
Just because you're being proactive about notifying the public that you've been breached, it doesn't mean that you can start issuing wild statements and proclamations. For example, when toymaker VTech was breached, photos of children and chat logs were accessed by a hacker. After the situation had died down, the toymaker changed its Terms of Service to relinquish its responsibility in the event of a breach. Needless to say, customers were not happy. "You don't want to look like you're resorting to hiding behind legal means, whether that's in avoiding liability or controlling the narrative," said Shey. "Better to have a breach response and crisis management plan in place to help with breach-related communications."
3. Do Not Make False or Misleading Statements
This is an obvious one, but you'll want to be as accurate and honest as possible when addressing the public. This is beneficial to your brand, but it's also beneficial to how much money you'll recoup from your cyber-insurance policy, should you have one. "Don't issue public statements without consideration for the implications of what you're saying and how you sound," said Nunnikhoven.
"Was it really a 'sophisticated' attack? Labeling it as such doesn't necessarily make it true," he continued. "Does your CEO really need to call this an 'act of terrorism'? Have you read the fine print of your cyber-insurance policy to understand exclusions?"
Nunnikhoven recommends crafting messages that are "no-bull, frequent, and which clearly state actions that are being taken and those that need to be taken." Trying to spin the situation, he said, tends to make things worse. "When users hear about a breach from a third party, it immediately erodes hard-won trust," he explained. "Get out in front of the situation and stay in front, with a steady stream of concise communications in all channels where you're already active."
4. Do Not Close Incidents Too Soon
You've locked down your compromised endpoints. You've contacted your employees and customers. You've recovered all of your data. The clouds have parted and a ray of sunshine has cascaded onto your desk. Not so fast. Although it may seem as if your crisis has ended, you'll want to continue to aggressively and proactively monitor your network to ensure there are no follow-up attacks.
"There is a huge amount of pressure to restore services and recover after a breach," said Nunnikhoven. "Attackers move quickly through networks once they gain a foothold, so it's hard to make a concrete determination that you've addressed the entire issue. Staying diligent and monitoring more aggressively is an important step until you're sure the organization is in the clear."
Sfakiyanudis agrees with this assessment. "After a data breach is resolved and regular business operations resume, do not assume the same technology and plans you had in place pre-breach will be sufficient," he said. "There are gaps in your security strategy that were exploited and, even after these gaps are addressed, it doesn't mean there won't be more in the future. In order to take a more proactive approach to data protection moving forward, treat your data breach response plan as a living document. As individuals change roles and the organization evolves via mergers, acquisitions, etc., the plan needs to change as well."
5. Do Not Forget to Investigate
"When investigating a breach, document everything," said Sfakiyanudis. "Gathering information on an incident is critical in validating that a breach occurred, what systems and data were impacted, and how mitigation or remediation was addressed. Log results of investigations through data capture and analysis so they are available for review post-mortem.
"Be sure to also interview anyone involved and carefully document their responses," he continued. "Creating detailed reports with disk images, as well as details on who, what, where, and when the incident occurred, will help you implement any new or missing risk mitigation or data protection measures."
If your company lacks the in-house expertise to conduct this analysis on its own, you'll probably want to hire an external team to conduct the investigation for you (as Sfakiyanudis mentioned earlier). Take notes on the search process as well. Note what services you were offered, which vendors you spoke to, and whether or not you were happy with the investigation process. This information will help you decide whether to stick with your vendor, choose a new vendor, or hire in-house staff who are capable of conducting these processes should your company be unlucky enough to suffer a second breach.