Recovering from a Data Breach: A Step-by-Step Guide

By Malwarebytes Labs

With a cyber-attack an inevitable part of running any business, companies that do not have a policy in place for a post-attack recovery could face serious consequences; 60% of SMEs that suffer a cyberattack go out of business in the six months following the event.

The nature and source of cyber-attacks vary, and your recovery procedure should cover each eventuality, from scams to ransomware and from data breaches to social engineering schemes. The ability to identify and contain the threat, and to recover control over your data, is essential; it also helps you learn how to boost your defences and prevent a recurrence.

Step One: First Response

Most companies do not find out about a breach of their security or a cyber-attack until long after the breach has occurred. In fact, the average time from an attack to full recognition is 200 days. Of course, there are exceptions to this, most notably with ransomware which has an immediate impact with critical files being encrypted whilst money is extorted for their ‘release’.

Whilst the instinctive first reaction might be a combination of shock and panic, it is essential that your actual first response is a controlled, measured and analytical one: identify the problem.

By establishing the facts of the attack, you will be able to respond accordingly and stand a better chance of being able to both inform those affected as well as to mitigate any damage.

If you are a small business, or lack sufficient expertise in your own IT department, then you will need to call upon the services of a cybersecurity specialist. Having one lined up in advance for this eventuality is key. Together you should first report on:

  • The nature of the attack.
  • The extent of the attack.
  • Details of what assets are affected.
  • Details of what information has been affected.
  • Details of what partners have been affected including customers, suppliers and any other networks that you connect with.
  • The implications of the attack on your business.

Step Two: Containment

As soon as you have identified a breach your IT department should have the necessary skills (or access to specialists) to trigger a containment response. Your Recovery Policy should include steps to:

  • Immediately disconnect affected communications. As soon as you have identified the access point, disable all lines of network connection to prevent any further access.
  • Cleanse the system of unwanted files. Identify any programs or files that have been installed as a result of the attack and safely remove these. Make a detailed report of exactly what is being removed so that your cyber security analysts can better understand the nature and source of the attack. Understanding how the breach occurred can help guard against similar attacks in the future.
  • Run security patches and software updates. Take this opportunity to install all updates for your network including security patches, software updates for your operating system and any apps.
  • Isolate critical data. Remove and quarantine all commercially sensitive data from your network and, if it is not already, encrypt all banking information.
  • Initiate a new login procedure. All affected parties should be required to change their passwords immediately. The usual procedures should be followed to bulk up security: passwords should always include uppercase letters, lowercase letters, numbers and symbols, and any two-step authentication procedures that are available should be used.
  • Uninstall and reinstall affected files and programs. All files and programs that have been affected by the attack should be removed and reinstalled from clean backups to prevent further contamination.

Step Three: Reporting the Incident

Though any breach of your security will have a negative impact, you are duty bound to inform any party that may be affected. In some countries, you are bound by legislation to inform customers but you should also ensure that you report the breach to all stakeholders that could have been impacted. This includes (but is not limited to) suppliers, distributors, franchisees, customers and the general public.

There are many high-profile cases of large companies that failed to report breaches of customer information in a timely manner, where the implications of the delay were more significant than the breach itself. In 2015, UK mobile operator TalkTalk failed to report a data breach and lost over 100k customers as a result. It was largely considered that the company's failure to be open about the attack, rather than the breach itself, was to blame for this.

Customers, whilst not forgiving of security breaches of this nature, respond better to being kept informed than if they are kept in the dark about the matter.

Acting quickly to report the incident in an appropriate manner will help mitigate and lessen the inevitable damage that can follow a security breach. If you have a marketing and/or PR company or department then your Recovery Policy should also include procedures for how a breach is reported and communicated to your customers and other stakeholders.

In 2014, American home improvement company Home Depot suffered a breach which risked exposing the banking details of tens of thousands of its customers. Acting swiftly to report the incident over social media, the company informed its staff and customers at every stage of the recovery, offering reassurance that everything possible was being done to contain the breach, limit any losses and prevent a recurrence.

As a result of their transparency and visible endeavours with law enforcement to deal with the issue, Home Depot actually saw an increase in sales during the following quarter – a marked contrast to the usual losses experienced by victims of data breaches.

Being open about breaches, and informing your customers about any relevant compensation available to them, is essential to limit the damage to your reputation.

Step Four: Prevention

Recovery from a single incident is just the first step in an ongoing process of maintaining adequate defences against cyber-attacks. Once the immediate threat has been isolated and removed, it is important that the event is analysed by security professionals and that lessons are learnt. Everything from the breach itself to how the incident was handled should inform a revised Recovery Policy, which can only grow more robust with every breach.

Companies that can afford to employ dedicated information security personnel should consider how to bulk up their staff. Having an in-house taskforce to deal with cyberattacks can help reduce the response time and ultimately limit the financial and logistical impact of any future breach.

Though costly to employ and retain, it is estimated that skilled professionals can save up to $16 per customer record in the event of a data breach, making them a financial necessity for large organisations.

  • Business Community Manager: Responsible for handling your online brand image and communicating a breach to your customers and stakeholders, it is estimated that the crucial role played by this member of staff could save businesses $9 per record.
  • Chief Information Security Officer: At the helm to develop, create and implement a suitable Recovery Policy, this key role can save businesses $7 per record.
  • Incident Response Team: A combination of the above, as well as representatives from legal departments, human resources and IT, could help save $16 per record in the event of a breach of customer data.

It is widely acknowledged that the cost of a data breach can be limited by enlisting the services of cybersecurity professionals either in-house or via outsourcing. Research by the Ponemon Institute suggests that this combination has helped save businesses over $4.1 million each year.

Step Five: Brace for Backlash

Post recovery, many companies will be breathing a sigh of relief that the incident is over and that (hopefully) the damage was contained and losses mitigated as a result of a successful Recovery Policy. However, the fallout after a data breach can rumble on for many months and years depending on how Step Three was handled and the extent of the initial breach prior to containment.

It is common for customers to bring lawsuits against companies that have suffered a data breach, so a good Recovery Policy should always include procedures for handling complaints, legal action and any relevant law enforcement teams, as may be dictated by the industry in which your company operates.

Being proactive as part of Step Three can help mitigate this risk as can taking positive action to offer customers recompense for any potential damage caused as a result of the breach.

Step Six: Remain Vigilant

A breach of your security is most likely to have occurred as a result of human error, with almost seven in ten cyberattacks being due to employee negligence. Maintaining high standards of security is essential, as are staff education and awareness. Regular training and updates on risk mitigation should be made mandatory for all staff.
