What do you Need to Know When Creating a Data Breach Investigation and Mitigation Checklist?
It’s clear that when it comes to tackling data breaches, prevention is far better than cure. A comprehensive defense in depth solution that covers everything from initial firewall and antivirus protection through to internal monitoring and anti data exfiltration (ADX) is vital in keeping your risk as low as possible.
However, cybersecurity is a constant arms race between hackers and security pros, and 100 percent protection can never be guaranteed. Whether it’s taking advantage of human error, a malicious insider or a new vulnerability that has not yet been patched, cybercriminals are always looking for ways to bypass even the best defenses.
That’s why – even if you are confident in your solutions – it pays to have a backup plan. A good data security strategy needs to assume you’ll get breached and include details on what to do if this happens.
What is Data Breach Investigation and Response?
A data breach investigation and response plan sets out what you need to do in the aftermath of discovering a cybersecurity incident. This starts with immediate reactions, such as using ADX technologies to prevent data leaving the business and isolating affected systems. But it should also detail longer-term steps such as digital forensics to determine how the breach occurred, and mitigation strategies to harden systems for the future.
Key Steps for Data Breach Response and Investigation
Broadly speaking, a data breach checklist can be broken down into three key parts: immediate response, in-depth investigation and long-term remediation, with key activities as follows:
- Response – Identify the issue and stop the bleeding: halt any data exfiltration and isolate affected systems and accounts.
- Investigation – Gather the evidence needed to determine the root cause of the incident and where the weaknesses lie, and report the details to the relevant authorities.
- Remediation – Close the vulnerabilities, harden systems and improve processes to reduce the risk of being targeted again in the future.
However, there are also some parts of a data breach investigation and mitigation checklist that need to be completed before any incident is detected. Primarily, this involves ensuring that everyone within your information security and incident response team knows what their specific role is, so there are no delays or confusion about responsibilities when time is of the essence.
Key Questions you Need to Answer Immediately
Upon first discovering a breach, there are several steps that need to be taken immediately, including containing the incident, assessing the extent of the damage and identifying what data has been compromised.
Many firms will already be on the back foot at this point, as most data breaches go unnoticed for weeks, or even months, before discovery. According to IBM, the average incident takes 220 days to spot, though with the right technologies, such as AI-powered monitoring tools, this can be reduced by more than a third. An incident response plan therefore needs to emphasize speed, so that a breach is shut down as soon as possible after discovery.
Was the Data Breach Intentional and Were Outside Attackers Involved?
It’s easy to assume a data breach means an external hacker, but this isn’t always the case. Identifying the root cause of the breach and how it happened is vital in determining how to proceed. An unintentional breach, such as the loss of a device or a mis-sent email, for example, may still be serious if it contained sensitive information, but should be easier to mitigate.
A malicious attack, on the other hand, usually has a much higher severity level and can cause a wide range of problems. Step one should be finding out whether it originated within the organization. If you do identify a malicious insider, you need to act quickly to remove their access. If outside attackers were the cause, it's important to understand how they got in, how far they have spread within the network, and whether they still have a way back in through additional accounts, credentials or persistence mechanisms planted during the intrusion.
Has any Malware Been Quarantined From the Rest of the Environment?
If there is malware involved in the incident, it's vital that any affected system is isolated from the rest of the network in order to prevent further spread of the threat. Isolate at the network level (blocking the host's traffic via the switch, firewall or endpoint agent) rather than simply powering systems off, so that volatile evidence such as running processes and memory is preserved for the investigation. This is particularly important when dealing with ransomware, as the more time attackers have to compromise or exfiltrate data, the greater the damage they can do. That in turn makes it more likely that victims will feel forced to give in to extortion, which increases their chances of being targeted again in the future.
A strong plan for identifying and isolating malware should therefore be the cornerstone of any data breach response plan. As part of this, it's also important to check your backups to make sure they haven't also been compromised, as destroying or encrypting backups is a common tactic used by ransomware operators to increase the chances of victims being forced to pay. Verify that a recent backup is both intact and restorable before you rely on it, and keep at least one copy offline or immutable so it cannot be reached from a compromised network.
Was Any Personally Identifiable Information or Intellectual Property Exposed?
Once a breach has been contained, you'll need to quickly find out what data has been compromised. Some of the most valuable types of information to attackers include personally identifiable information (PII) such as names and addresses, financial details, and government identifiers such as Social Security numbers. Such information is covered by data protection and breach notification laws such as the GDPR in Europe and state breach notification statutes in the US, which come with specific reporting requirements. Failure to meet these can result in serious penalties.
Stolen intellectual property or trade secrets can also cause great harm to businesses. According to cyber insurance provider AON, these intangible assets often account for at least 50 percent of a company’s value – and this can rise to 85 percent for tech or innovation-led services businesses. Therefore, firms need to act especially quickly to shut down any unauthorized access to these resources.
Do you Know Whether the Breach Incident is Reportable?
Knowing whether you are required to report a data breach to the relevant privacy regulator in your jurisdiction is vital, as any delays can be costly. In the UK, for example, the Information Commissioner's Office (ICO) requires qualifying incidents to be reported without undue delay and, where feasible, within 72 hours of becoming aware of them. In the US, breach notification requirements are set largely at the state level, with additional sector-specific federal rules (for example HIPAA for health data), so it's critical that firms are familiar with every law that applies to them.
It’s also important to know when a breach notification will need to be sent to affected employees, customers or other parties who have had sensitive data compromised.
Not every cybersecurity incident will need to be reported to regulators or law enforcement. Different regulations have their own thresholds, but the GDPR gives a useful guide: a personal data breach must be reported to the regulator unless it is unlikely to result in a risk to individuals' rights and freedoms, and the affected individuals themselves must be notified when that risk is high. If you determine that an incident falls below the reporting threshold, you should still keep a full record of the investigation and the reasoning behind that decision, since the regulations require breaches to be documented and a regulator can ask to see the record.
Longer Term Steps to Mitigate Future Incidents
The task of recovering from a data breach is not over once the issue is contained and operations have returned to normal. A crucial part of any investigation is evaluating the process itself in order to learn lessons. This does not only reduce the risk of falling victim to a further attack in future, but helps you identify any issues within your plan that might have slowed down your response.
By thoroughly analyzing the event and answering questions about what went wrong and what was done to correct the problem, firms will be in a much better position to guard against any future incident.
How Quickly did Data Security Teams Identify and Contain the Breach?
A good first step is to look at the incident management response. A key question to answer is whether the correct steps were taken on discovery of a breach, and if any aspects of the security policy were not followed, potentially causing a delayed containment of the cybersecurity threat. A swift reaction can often be the difference between a positive outcome and one where the company faces lengthy downtime and a large bill.
This may be a particular consideration for businesses that lack the resources for an extensive, dedicated security team. In these cases, outsourced services such as a virtual CISO or a managed detection and response (MDR) provider can make a major difference to response times in the future.
Could Employees be Trained to Prevent Similar Data Breaches in The Future?
Human error remains a factor in the vast majority of data breaches, so if it played a part in yours, it's important to ask what happened. Was it the result of carelessness or negligence that should have been prevented? Or were previous training processes inadequate?
This can often highlight deficiencies in areas such as email or cloud security – for example, responding to phishing attempts or using unapproved, consumer-grade storage services. Learnings gained from these investigations should channel directly back into revised and updated training resources that can better educate employees on areas that may have been previously overlooked.
What Corrective Actions can you Implement to Prevent Reoccurrence of This Incident?
As well as strengthening user training, you should also look at what technical capabilities you may have been lacking that could have prevented the security breach. The right tools can not only block any data breaches before they occur, but can also alert you more quickly on any suspicious behavior within your business that can be indicative of a network security breach.
For example, adding effective access management and monitoring solutions can alert you to unusual activity within your systems that has slipped past your firewalls, while ADX tools can be a critical last line of defense that prevents data being stolen even if attackers have been able to infiltrate the enterprise. Advanced tools that use machine learning and automation to step in without human intervention at the first sign of anything strange may be especially valuable, provided the automated actions are scoped carefully so that a false positive does not itself take down a critical system.
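To make the "alert on suspicious behavior" point concrete, here is an added example (not code from the original article or from any ADX product) of the simplest kind of exfiltration check a monitoring tool performs: it totals each host's outbound bytes per day and flags a day that is far above that host's own history. The flow-log format, hostnames, thresholds and the 1 GB absolute floor are all assumptions made for this example; the log lines are constructed.

```python
"""Flag hosts whose daily outbound volume spikes far above their own baseline.

Added example, not from the original article. The log format
("<date>T<time> <host> <dest_ip> <bytes_out>"), hostnames and thresholds are
assumptions for illustration only.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log: three quiet days for two hosts, then ws-017
# pushes ~8.7 GB to an unfamiliar address at 2 a.m. on the fourth day.
SAMPLE_LOG = """\
2024-05-01T09:12:00 ws-017 203.0.113.10 110000
2024-05-01T14:40:00 ws-017 198.51.100.7 90000
2024-05-02T10:05:00 ws-017 203.0.113.10 120000
2024-05-02T16:22:00 ws-017 198.51.100.7 95000
2024-05-03T09:30:00 ws-017 203.0.113.10 105000
2024-05-03T15:10:00 ws-017 198.51.100.7 100000
2024-05-04T02:13:00 ws-017 192.0.2.55 4800000000
2024-05-04T02:41:00 ws-017 192.0.2.55 3900000000
2024-05-01T09:00:00 db-02 203.0.113.20 50000000
2024-05-02T09:00:00 db-02 203.0.113.20 52000000
2024-05-03T09:00:00 db-02 203.0.113.20 49000000
2024-05-04T09:00:00 db-02 203.0.113.20 51000000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)\s+(\d+)$")


def daily_totals(log_text):
    """Return {host: {day: total_bytes_out}} aggregated from the flow log."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash mid-incident
        day, host, _dest_ip, nbytes = match.groups()
        totals[host][day] += int(nbytes)
    return totals


def find_exfil_candidates(log_text, sigma=3.0, min_ratio=5.0, floor_bytes=1_000_000_000):
    """Flag hosts whose most recent day is anomalous against their earlier days.

    A day is flagged only if it exceeds baseline mean + sigma * stdev, is at
    least min_ratio times the baseline mean (guards against a near-zero stdev
    making any tiny bump look significant), and exceeds an absolute floor.
    """
    alerts = []
    for host, by_day in daily_totals(log_text).items():
        days = sorted(by_day)
        if len(days) < 3:
            continue  # not enough history to form a baseline
        baseline = [by_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], by_day[days[-1]]
        mu, sd = mean(baseline), pstdev(baseline)
        if latest > mu + sigma * sd and latest >= min_ratio * mu and latest >= floor_bytes:
            alerts.append({"host": host, "day": latest_day,
                           "bytes_out": latest, "baseline_mean": mu})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(f"ALERT {alert['host']} {alert['day']}: {alert['bytes_out']:,} bytes out "
              f"(baseline ~{alert['baseline_mean']:,.0f}/day)")
```

Run on the constructed log, `find_exfil_candidates(SAMPLE_LOG)` flags only ws-017 on 2024-05-04; db-02, whose volume is large but steady, is not flagged. The absolute floor is a trade-off: it suppresses noise from idle hosts but would also hide a slow, low-volume leak, which is why a real deployment pairs a volume check like this with destination reputation and per-user context rather than relying on volume alone.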
What Steps Were Taken to Measure the Success of Eradication Efforts?
A final point is to ensure that your analysis of the incident is as comprehensive as possible and that you're looking at the right metrics to measure your success. Two key recovery metrics are the Recovery Point Objective (RPO), the maximum amount of data, expressed as a span of time, that the business can afford to lose, which in turn dictates how often backups must be taken, and the Recovery Time Objective (RTO), the maximum time a service may be down before it is restored. They are related but distinct: compare the actual data loss window and the actual restoration time from the incident against those targets. Alongside them, record how long the attacker was present before detection (dwell time) and how long containment took, and confirm eradication by monitoring for the incident's indicators of compromise for a period after cleanup, since a missed persistence mechanism turns one incident into two.
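As an added example (not from the original article), the following derives those metrics from an incident timeline and checks them against recovery objectives. The timeline, the objective values and the convention that RTO is measured from the moment the incident was declared are all assumptions made for illustration; the timestamps are constructed.

```python
"""Derive response and recovery metrics from an incident timeline.

Added example, not from the original article. Timestamps, objectives and the
measurement conventions below are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed incident timeline (assumption: all times UTC, ISO 8601).
TIMELINE = {
    "initial_compromise": "2024-05-04T02:05:00",  # earliest attacker activity found by forensics
    "detected":           "2024-05-04T08:30:00",  # alert triaged, incident declared
    "contained":          "2024-05-04T11:15:00",  # affected hosts isolated, exfil path blocked
    "last_good_backup":   "2024-05-03T23:00:00",  # newest backup verified clean and restorable
    "service_restored":   "2024-05-05T09:00:00",  # rebuilt systems back in production
}

# Assumed recovery objectives agreed with the business before the incident.
OBJECTIVES = {"rpo_hours": 4, "rto_hours": 12}


def incident_metrics(timeline, objectives):
    """Return dwell time, time to contain, data loss window, time to restore,
    and whether the RPO and RTO targets were met.

    Conventions (assumptions): the data loss window runs from the last trusted
    backup to the moment systems were isolated, because everything written
    after that backup is discarded when you restore from it; time to restore
    is measured from the point the incident was declared.
    """
    t = {k: datetime.fromisoformat(v) for k, v in timeline.items()}
    # Sanity-check the ordering so a typo in the timeline does not yield negative metrics.
    if not (t["initial_compromise"] <= t["detected"] <= t["contained"] <= t["service_restored"]):
        raise ValueError("timeline is out of order")
    if t["last_good_backup"] > t["contained"]:
        raise ValueError("last good backup cannot post-date containment")

    data_loss_window = t["contained"] - t["last_good_backup"]
    time_to_restore = t["service_restored"] - t["detected"]
    return {
        "dwell_time": t["detected"] - t["initial_compromise"],
        "time_to_contain": t["contained"] - t["detected"],
        "data_loss_window": data_loss_window,
        "time_to_restore": time_to_restore,
        "rpo_met": data_loss_window <= timedelta(hours=objectives["rpo_hours"]),
        "rto_met": time_to_restore <= timedelta(hours=objectives["rto_hours"]),
    }


def hours(td):
    """Express a timedelta in hours for reporting."""
    return td.total_seconds() / 3600


if __name__ == "__main__":
    m = incident_metrics(TIMELINE, OBJECTIVES)
    print(f"dwell time        : {hours(m['dwell_time']):.2f} h")
    print(f"time to contain   : {hours(m['time_to_contain']):.2f} h")
    print(f"data loss window  : {hours(m['data_loss_window']):.2f} h "
          f"(RPO {OBJECTIVES['rpo_hours']} h, met={m['rpo_met']})")
    print(f"time to restore   : {hours(m['time_to_restore']):.2f} h "
          f"(RTO {OBJECTIVES['rto_hours']} h, met={m['rto_met']})")
```

On the constructed timeline the team detected the intrusion after about six hours and contained it in under three, but the last clean backup was over twelve hours old and the rebuild took more than a day, so both the 4-hour RPO and the 12-hour RTO were missed. That is exactly the kind of gap a post-incident review should surface: here it points at backup frequency and rebuild automation rather than at detection.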
Understanding what constitutes good performance will be the key to refining your data breach response strategy for any future security threats. With the pace of cyberattacks showing no sign of slowing down any time soon, taking the time now to build your knowledge and develop a strategy will be the most important thing you can do to prepare in case the worst happens.