What To Do When You’ve Had A Breach

You were sure that you did everything you could. You had a proper firewall, configured according to best practices. You had independent security assessments done. You put procedures in place to counter social engineering. You thought you did it all correctly. But you were still hacked, and now you need to know what to do next. What steps do you take? Let's begin.

It's vital to understand that this doesn't mean you're alone. According to a PwC study conducted last year, 74% of small businesses had a breach, and so did 90% of large businesses. Both of those numbers, by the way, are up from the previous year. At this point, it's not a question of if you're going to get hacked, but when.

[Chart: Percentages of Businesses with Breaches]

Remember, this data only counts reported breaches. Many more go unreported, so these figures are a floor, and a lagging one: Yahoo waited several years before even reporting theirs. Those numbers are scary, don't get me wrong, but it's important to remember that many people have gone through this exact thing before. So there are steps you can, and should, take.
First, find the hole. You can't save a sinking ship if water is still pouring in. But before you touch anything, preserve what you have: copy logs off the affected systems, snapshot or image the machines involved, and isolate them from the network rather than powering them off. Wiping and rebuilding feels productive, but it destroys the evidence this step depends on. Then think about your network map. The information that got out: how could it have? There are a number of methods attackers use (we'll go into that in another post), but there are only so many paths in and out of a network. Trace backwards. This is a big, complicated step, and it can take a while to get through, but understanding where the breach occurred is the most important part of this process.

You will probably need outside help for this, and that's fine. Don't be afraid to get in touch with someone who knows this intimately. We've helped clients with this kind of event before. Remember that the people you reach out to should treat your situation with respect. Don't trust anyone who won't commit to keeping your data confidential. Check for recommendations and get a signed NDA first. Remember, we're going fast here, but we're not sloppy. Make sure you are protected legally.
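One way to make "trace backwards" concrete: pull the logs you preserved from every source, put them on one clock, and walk back from the event you already know is bad until the chain of related events runs out. The script below is an added example, not code from the original post or from the author's own practice. The log lines, hosts and addresses in it are constructed for illustration, and pivoting purely on IP addresses is the simplest version of the idea; a real investigation also pivots on usernames, session IDs and process names.

```python
"""Added example: build one timeline from several log sources, then walk it
backwards from the known-bad event to the earliest related activity.

The log lines below are constructed for this example; the hosts, addresses
and the exfiltration destination are all hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# (source name, address of the host that wrote the log or None, log text).
# Every line starts with an ISO-8601 UTC timestamp. Constructed sample data.
SAMPLE_LOGS = [
    ("firewall", None, """\
2016-03-01T02:11:08Z ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2016-03-01T02:13:30Z ACCEPT src=192.0.2.44 dst=10.0.0.8 dport=443
2016-03-01T03:40:02Z ACCEPT src=10.0.0.5 dst=198.51.100.9 dport=443
"""),
    ("auth", "10.0.0.5", """\
2016-03-01T02:11:09Z sshd: Failed password for admin from 203.0.113.7 port 51002
2016-03-01T02:11:10Z sshd: Failed password for admin from 203.0.113.7 port 51003
2016-03-01T02:11:12Z sshd: Accepted password for admin from 203.0.113.7 port 51004
"""),
    ("web", "10.0.0.8", """\
2016-03-01T02:13:30Z 192.0.2.44 "GET /index.html" 200
"""),
]


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str
    raw: str
    ips: frozenset  # every address the line (or the logging host) involves


def parse_logs(sources):
    """Normalise all sources into one chronologically sorted list of Events."""
    events = []
    for name, host, text in sources:
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            stamp, _, rest = line.partition(" ")
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            ips = set(IP_RE.findall(rest))
            if host:
                ips.add(host)  # a host's own log implicitly involves that host
            events.append(Event(when, name, rest, frozenset(ips)))
    return sorted(events, key=lambda e: e.when)


def trace_back(events, known_bad_ip):
    """Start from the latest event mentioning known_bad_ip (the exfiltration
    destination you already know about) and walk backwards, keeping every
    earlier event that shares an address with something already in the chain.
    Each kept event's addresses become new pivots, so the walk follows the
    attacker from the data store back to their first point of contact."""
    candidates = [e for e in events if known_bad_ip in e.ips]
    if not candidates:
        return []
    start = max(candidates, key=lambda e: e.when)
    chain, pivots = {start}, set(start.ips)
    earlier = [e for e in events if e.when < start.when]
    changed = True
    while changed:  # repeat until no new pivot pulls in another event
        changed = False
        for ev in reversed(earlier):
            if ev not in chain and ev.ips & pivots:
                chain.add(ev)
                pivots |= ev.ips
                changed = True
    return sorted(chain, key=lambda e: e.when)


def suspect_addresses(chain, internal_prefix="10."):
    """External addresses that appear anywhere in the chain: the first
    things to block and to search the rest of your logs for."""
    return {ip for ev in chain for ip in ev.ips if not ip.startswith(internal_prefix)}


if __name__ == "__main__":
    timeline = trace_back(parse_logs(SAMPLE_LOGS), "198.51.100.9")
    for ev in timeline:
        print(ev.when.strftime("%Y-%m-%d %H:%M:%SZ"), f"[{ev.source}]", ev.raw)
    print("earliest related event:", timeline[0].raw)
    print("external addresses involved:", sorted(suspect_addresses(timeline)))
```

Run against the constructed data, the walk starts at the outbound connection to 198.51.100.9, pivots on the internal host 10.0.0.5, and ends at the firewall accepting an SSH connection from 203.0.113.7 an hour and a half earlier, with the failed-then-successful logins in between; the unrelated web traffic to 10.0.0.8 never joins the chain. Be aware that pivoting on a busy server's address drags in everything that touched it, so on real logs you narrow the pivots (by user, session or process) and filter the noise; the earliest event the walk reaches is a lower bound on when the attacker arrived, not proof of it.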

Now that you know where the breach occurred, you can start narrowing down how. You have password policies, encrypted internal traffic, and data-handling rules in place. So which one was the weak link? Or was there something you missed entirely? It is often more than one thing: the password policy may be fine while enforcement isn't. Take a hard look at your policies and procedures and at whether they are actually followed. This will narrow it down.

Once you've traced and determined the point of the breach, now is the time to plug it up. Were your passwords too weak? They need to be strengthened. Did the attacker get in through an open port? Lock it down. Was the breach from inside the organization? Improved policies and procedures for data access are needed. And assume the attacker took credentials on the way in: rotate every password, key and token the compromised systems could reach, and look for anything they left behind (new accounts, scheduled tasks, changed configurations), because closing the original hole does nothing if they still have a way back in. Again, you might need outside assistance for this one. That's okay, too. Whatever gets it done.

Finally, and this is the single most important step: have an outside party check your work. Hire someone to come in and review what you've done. Not only does it just make sense, there could be serious legal repercussions if you fail to do so. If you get breached again and it's found you didn't use an outside firm, then depending on your industry and the regulations you fall under, you could be hit with serious penalties, or even be forced to shut down. This is the last thing anyone wants.

A breach isn't the end of the world. By most measures, it's going to happen to you. What matters more is how you deal with it. Don't panic, but move with purpose. Be swift, be precise, but don't lose your cool. Get outside help, if you need it, to determine how the breach happened, and absolutely get another set of eyes on the outcome. With some hard work and a few long nights, you'll get through this, and be better protected as a result.