Dos and don'ts following a data breach

Recently, several healthcare providers reported breaches that impacted thousands of their patients and caused untold financial damage:

• Val Verde Regional Medical Center (VVRMC) in Del Rio, Texas, reported a breach that affected 86,562 people. 
• Also, in March 2022, Allwell Behavioral Health Services discovered that a hacker gained access to a computer that stored quality assurance information, as well as clients' names, social security numbers, addresses, bank routing and account numbers, and driver’s license numbers.

Considering that the number of data compromises has been steadily rising—in 2021, 23% over the previous all-time high, says the Identity Theft Resource Center—it’s not a matter of if but when an organization gets hit with an attack. This raises an important question: What should you do in the wake of a data breach? 

Here are some post-data breach do’s and don’ts to keep in mind.

What to do after a data breach

In the moments and days after a breach, it’s essential to keep everyone in the organization calm. The key is to mitigate, not exacerbate, the damage. 

1. Immediately refer to your incident response plan

Resist the urge to “shoot from the hip,” making decisions based on gut instinct, frustration, anger, or embarrassment. Your incident response plan was created for this moment—to provide a set of logical steps that will guide the remediation process. If you don’t yet have a plan, however, as soon as the dust settles, take the time to formulate one. 

2. Get a professional to conduct root cause analysis

Even with a comprehensive observability platform monitoring your digital infrastructure 24/7, it’s best to leave root cause analysis to the professionals. They know what to look for, how different types of malware behave, the systems that are the most likely targets, and how to do a post-mortem analysis that reduces the possibility of another attack.

3. Make a chart of all impacted stakeholders

A chart outlining which stakeholders have been affected can inform both your communications strategy and mitigation efforts. At a minimum, your chart should include the following:

• The name of the person, group of people, or entity that was impacted
• What areas of their lives or businesses were affected
• The approximate timeline of the initial effect, as well as any ripple effects they could feel down the road
• How much money they are likely to lose—if this can be quantified
• Their contact information, as well as a check system indicating whether they’ve been successfully contacted, when, and what was said
• A basic outline of what should be said to each stakeholder. It may be tempting to release a single statement, and while this can work, customizing what you say according to each stakeholder's specific situation may be more effective.

4. Take notes

After the attack has been addressed, have someone take notes about:

• How the attack impacted business continuity
• How each department reacted, including successes and mistakes
• What transpired that may have made the recovery process slower or worsened the damage

These data points can then be used to create or refine and customize your incident response plan, ensuring it fits both your technical infrastructure and organizational culture.

What not to do after a data breach

The don’ts are just as important as the action steps above. Some things you absolutely should avoid doing right after a breach include the following:

1. Do not immediately go back to business as usual

The biggest mistake you can make is to resume operations right after a breach. Instead, take a step back to learn lessons and adopt strategies to better safeguard your organization. For example, you should:

• Get cyber insurance. A cyber coverage can shield your organization from much of the financial damage stemming from a breach.
• Train your employees. Employees may be the weakest link in your organization's cybersecurity chain because of human error, but when armed with knowledge, they can also be your most powerful defense against attacks. Once they know how to recognize and thwart an attack, particularly spear phishing, you have effectively shrunk your attack surface.
• Develop good cyber hygiene habits. Boosting cyber hygiene involves installing reputable anti-malware software, using network firewalls, regularly updating your software, setting strong passwords, using multi-factor authentication, and performing regular backups, among other steps.

2. Don’t wait too long to inform customers and stakeholders

The longer you wait to inform those affected by the breach, the worse the damage can get. If payment data was stolen, your customers should be informed right away so they can take steps to secure their accounts.

Letting key stakeholders know as soon as possible also insulates your reputation to some degree. For instance, if investors find out weeks after a breach that your defenses had been compromised, they may feel you're trying to hide something. It’s better to be transparent and release accurate information in a timely manner.

3. Don’t overshare information about the attack

Exercise caution when providing information about what happened. You don’t want to tip off another attacker. While you want to come across as transparent, especially when dealing with the public, there’s no harm in withholding sensitive information regarding:

• The kind of malware or hacking techniques the attacker used
• The specific steps you’re taking to track down the root cause
• The internal systems the attacker targeted
• Whether or not it was an insider attack

By keeping these details close to the chest, you minimize the chances of the hacker or their team using the information for a follow-up attack. Also, if it was an insider attack, you don’t want the criminal to know you’re on to them before authorities are able to make an arrest. In this way, you reduce the chances of them covering their tracks to avoid prison time.

Stay a step ahead of data breaches

By following the above do’s and don’ts, you can minimize the impact of a breach and make the recovery process faster and less expensive. More importantly, you can better protect your organization from the next attack. 

For questions on how to safeguard your organization against data breaches, reach out to the IronNet team today.