How to respond to a security breach

Major security incidents seem to be a weekly occurrence and government research says that it's not just the banks and large enterprises that are the targets. A majority of all businesses have suffered a security breach, including SMEs – which account for 99 percent of all businesses operating in Britain.

Although the UK has for the last few years been investing considerably in security, and high-profile breaches are also driving awareness, that’s no reason to rest on your laurels.

The best defence is preparation. But if the worst-case scenario has happened, here are some tips on how to respond, and how to mitigate the threat in the future.

Additional reporting by Thomas Macaulay

Preparedness

Being prepared is the best line of defence against cyber attacks and data breaches. This is not a small project, but there are basic steps you can put in place today. The Information Commissioner's Office (ICO) has advice available for free that will guide an organisation’s journey to becoming data compliant from top to bottom.

One of the most important things to understand is that it’s really a case of when, not if. A CIO, IT department or organisation that claims its business has never been the victim of a cyber attack is very likely either an outlier or simply unaware of what has already happened.

Britain’s National Cyber Security Centre (NCSC) is an excellent resource for ensuring your business has basic preparedness in place. A good start is its plain-English guide for small businesses on improving your organisation’s security. The Cyber Essentials programme goes further, offering certification as well as self-help guidance on the technical controls to adopt.

OK, I think there’s been a breach – what now?

Keep a cool head! It might sound counterintuitive, but discovering a security incident is a win in its own right: now that you know a threat has been detected, you can act against it. Many attacks rely on remaining hidden while data is quietly exfiltrated from an organisation.

It’s critical to ensure that other systems have not been compromised, and the attack is isolated to stop anything from spreading. So map out your network and try to get the best visibility you can into what’s going on.

Depending on the size of your organisation, this might be a good time to start gathering the relevant departments together at all levels – HR, legal, technical and leadership – to assess the impact jointly and keep staff informed about what’s happening.

Contain and respond

If there is malicious code on your network, your technical team should immediately work to contain it. In the worst-case scenario this could mean shutting down all of your systems, but more likely you’ll need to get backups running while you close off the worst-affected areas.

You should identify your critical systems and work out the minimum that must stay running for the business to keep operating, something Red Hat’s lead for security architecture recently described as ‘managed degradation’.

If you’re being hammered by a DDoS attack there are a few things you can do, as the NCSC’s minimal denial of service response plan notes. These include identifying the IP addresses or domain being targeted – so that access to them can be restricted – and understanding what the purpose of the DDoS is: is it trying to exhaust your compute resources, or your bandwidth?

Impact assessment

Hopefully you now know what the problem is, have your backups running, and your employees know the score. Depending on the severity of the attack or breach, you now need to understand what the consequences are.

This might include bringing legal, technical, operations, leadership and data teams together. Was any customer data compromised? What about employee data, or your organisation’s intellectual property? And what about the customers of your customers?

An outside forensic team might need to be brought in if your in-house staff are not able to properly assess the cause and the impact of the damage.

Recover

Again, depending on the severity of the attack, you might need to spend considerable resources on getting back up and running. Prioritise what needs fixing and then allocate resources to fix it: most businesses will be painfully aware that downtime is deadly in the 24-hour, always-on world of online trading. Consulting a third party might be crucial if your in-house security expertise is not up to scratch with the latest threats, or of course if you don’t have a security team at all – which is often the case.

The NCSC also offers resources on disaster recovery.

Report

Depending on the nature of the breach, you might need to report it to the relevant data protection authority, which in the UK is the ICO.

Under GDPR, data controllers must notify the ICO of any breach that is likely to pose a risk to individuals’ rights and freedoms within 72 hours of becoming aware of it.

To help organisations understand whether an individual breach should be reported, the ICO has created a telephone reporting service.

Communication - and PR

You will also need to inform any partners or customers that were potentially compromised.

The thought of it is unnerving: telling your close business partners that a threat event in your organisation put them at risk.

But the consequences for nondisclosure are potentially far more severe, particularly now that GDPR is in force.

The financial and reputational risk from nondisclosure will very likely far outweigh the financial and reputational risk from owning the problem and being upfront about it.

After a high-risk breach, any affected individuals must be informed as soon as possible.

For a large breach that has hit your consumer base, clear, calm and sober communication will go a long way towards containing the risk of bad public relations. You’ll need to honestly describe what happened, why it happened, how customers might have been affected, and what steps they’ll need to take next. At the most basic level, this will often include advising affected customers to change their passwords.

Learn

It’s something of a cliché, but consider a breach an opportunity to do better: to create more robust security protections, to take the adoption of standards seriously, and to make your business one that is conscious of security and data by design.

Getting budget for security can prove tricky: if you are one of the lucky few that hasn’t been hit by an attack recently, it is hard to demonstrate the tangible benefits of security investment to leadership. We don’t want to sound too mercenary about it, but if you have suffered an attack, hopefully it can be used as a springboard for improvement.

Take it as an opportunity to conduct data and security audits across your company – again, at all levels. Think about what kind of software might help mitigate threats in the future. Are you keeping up to date with your patching? Consider hiring penetration testers or red teams that will do their best to breach your defences, in a safe, contained way, so that you can see where your weaknesses still lie.

If necessary, outside consultants can help you improve your security processes and protections, and also help boost employee understanding of the most critical issues through education at all levels. And good luck!

Copyright © 2018 IDG Communications, Inc.