Data breaches continue to present a significant challenge to organisations in many industries.
In terms of financial and reputational impact, a data breach is one of the most serious security challenges an organisation can experience. Kroll’s 2021 Data Breach Outlook report states that the pattern of data attacks becoming broader and deeper during the pandemic has continued, even during the recovery phase. With the volume of data breaches continuing to increase, it is essential that organisations take steps to prepare their incident response before they are affected by a breach.
In this blog post, we outline the key steps companies should take in response to a data breach, from initial actions to long-term planning.
Secure physical access
When you first identify that your organisation has been hit by a data breach, you may not yet know whether it was caused by an external or an internal threat. It is essential to secure physical access to every location and system that could be related to the attack (server rooms, affected workstations, backup media), to record who has had access to them, and to restrict access until your digital forensics team confirms that normal operations can resume.
Prevent further data loss
It is important not to power off or rebuild any systems before your forensics team confirms it is safe to do so, because shutting down destroys volatile evidence such as memory contents and active network connections; isolating an affected host from the network is usually preferable to switching it off. In the meantime, monitor the likely entry points (VPN, remote access, mail, web applications) to establish whether the attackers still have access. If stolen login credentials may have been used, reset the passwords of all legitimate users with access to the affected systems. Note that a password reset alone does not end sessions that are already established: revoke active sessions and tokens, and rotate any service account passwords, API keys and other secrets that could have been exposed.
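One concrete way to check whether attackers still hold a foothold after credential theft is to compare post-discovery logins against each account's pre-breach baseline of source addresses. The following is an added example, not code from Kroll or from the original post: it assumes a simplified authentication log format (timestamp, user, source IP, result) and uses constructed sample lines. The `breach_discovered` time is an assumption for the example.

```python
"""Flag successful logins after breach discovery that come from a source
address the account never used before it.  Added example with constructed
log lines; the log format is an assumption, not a real product's format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events: timestamp, user, source IP, result.
# 192.0.2.77 is the hypothetical attacker address.
SAMPLE_LOG = """\
2021-06-01T08:02:11Z alice 203.0.113.10 success
2021-06-01T08:05:42Z bob 198.51.100.7 success
2021-06-02T09:14:03Z alice 203.0.113.10 success
2021-06-03T22:41:55Z alice 192.0.2.77 success
2021-06-03T23:02:19Z bob 198.51.100.7 success
2021-06-04T01:17:08Z carol 192.0.2.77 failure
2021-06-04T01:18:30Z carol 192.0.2.77 success
"""


def _parse_ts(text):
    # fromisoformat() on Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text):
    """Return a list of (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((_parse_ts(ts), user, ip, result))
    return events


def suspicious_logins(events, breach_discovered_iso):
    """Successful logins at or after discovery from an IP the user never
    used successfully before discovery.  Returns (user, ip, iso_timestamp)."""
    discovered = _parse_ts(breach_discovered_iso)
    baseline = defaultdict(set)
    for ts, user, ip, result in events:
        if result == "success" and ts < discovered:
            baseline[user].add(ip)
    hits = []
    for ts, user, ip, result in events:
        if result == "success" and ts >= discovered and ip not in baseline[user]:
            hits.append((user, ip, ts.isoformat()))
    return hits


def shared_sources(hits):
    """Source IPs that appear in suspicious logins for more than one account:
    a strong indicator of one actor using several stolen credentials."""
    users_by_ip = defaultdict(set)
    for user, ip, _ in hits:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = suspicious_logins(parse_log(SAMPLE_LOG), "2021-06-03T12:00:00Z")
    for user, ip, when in found:
        print(f"{when} {user} from previously unseen address {ip}")
    for ip, users in shared_sources(found).items():
        print(f"{ip} used against multiple accounts: {', '.join(users)}")
```

In the sample, bob's login from his usual address is not flagged, while alice and carol both authenticate from the same previously unseen address after discovery, which is exactly the pattern that should drive an immediate credential reset and session revocation for those accounts. A real deployment would read the identity provider's or VPN's own logs and use a baseline window long enough to cover legitimate travel and home addresses.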
Report the breach to the ICO
Notifying the right people at the right time is a critical aspect of responding to a data breach. A key finding in Kroll’s State of Incident Response 2021 report is that, despite an understanding that all organisations are now a target for data breaches, 43% of the organisations interviewed still felt they lacked the readiness required to notify in the event of a breach.
In the UK, under the UK General Data Protection Regulation (UK GDPR), the Information Commissioner’s Office (ICO) requires organisations to report a notifiable breach (one likely to result in a risk to individuals’ rights and freedoms) “without undue delay” and no later than 72 hours after becoming aware of it. Organisations taking longer than this must give reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. This means it is important to take fast but strategic action as soon as you identify that your organisation has been hit by a data breach, and the actions taken at this stage will define the success of your response.
The ICO must be provided with specific information: the nature of the breach, including the categories and approximate numbers of individuals and records concerned; the name and contact details of the data protection officer or another contact point; the likely consequences of the breach; and the measures taken or proposed to address it. Information can be provided in phases if it is not all available within 72 hours. The ICO website sets out the reporting format and includes a helpful self-assessment tool for deciding whether a breach is notifiable. If appropriate, you should also report the breach to law enforcement.
Another important step in an effective data breach response is to streamline the process of data breach notification by making one specific individual in your organisation responsible for releasing notifications at the appropriate time. To ensure they do this effectively, they should be kept continually updated about the data breach and what your organisation is doing in response.
Understand the nature of the data breached
Before taking further action on the breach, it is essential to establish the ‘who’ and the ‘what’ of the situation. This can involve interviewing the employees who first identified the breach and telling all staff where to send any information that may help. Carefully document everything that is shared, including who reported it and when. As part of this, it is essential not to destroy forensic evidence while the breach is being investigated: do not wipe or reimage affected systems, delete logs or clear mailboxes until the forensics team has collected what it needs.
In the event of a data security incident or data breach it is critical to understand whether individuals’ personal information is involved. This could be personal and sensitive information associated with clients, employees or another company. Examples include names, addresses, website login details, financial information, medical details or sexual orientation.
If it is discovered that personal or sensitive information has been impacted, notifying affected individuals should be included as part of a company’s incident response plan. It may also be required by law in certain countries. The plan should cover individual or departmental responsibilities, including where data is stored, how to extract it and who the internal decision-makers are. Regularly testing and running through this plan is just as important as creating it in the first place.
Provide notifications in writing
Data breach response may require notifying those affected via letter (in their native language) or email, as well as providing support for those who need additional information or help, which could include a call centre. Companies should consider whether they have the capability or capacity to do this and may want to look at having a data breach response provider on retainer to support them.
Consider credit or identity monitoring
The compromise of an individual’s personal or sensitive information presents a significant risk to them. If that information is traded on the dark web, they are at risk of identity theft and being targeted by fraudsters. Credit or identity monitoring provides some mitigation to the potential harm posed to individuals and reassures them that the company is taking the breach seriously. In some countries, this type of mitigation is required by law. Engaging specialist external legal support can help a company understand their requirements.
Ensure data breach notifications are clear
The notification to individuals should be clear and jargon-free. It may be worth considering using a crisis communications provider to help ensure the message is appropriate. Key areas to focus on include:
- The circumstances of the incident
- The reason for the company holding the data
- The type of personal or sensitive data impacted in the breach
- The process through which an individual can request having all their data deleted by the company
- Any mitigation services being provided
- Any compensation being provided
As with the regulatory notification, keep the process streamlined by routing individual notifications through the one designated person, who should be kept updated with the full picture of the breach, who is affected and what your organisation is doing in response.
Manage public perception
Unless it is carefully managed, a data breach can do lasting damage to an organisation’s reputation. Use the support of an individual or team experienced in external communications and PR for data breaches. Their guidance on the most appropriate messaging and approach will help to minimise the harm to your brand and business.
Contain the breach
If you already have cyber insurance and an incident response plan in place, it is time to enact them: many policies require the insurer to be notified before external responders are engaged. If you don’t have them, the containment stage is critical. Act fast to secure your IT infrastructure and engage an expert forensic investigation team to help identify the source and the cause of the attack. If your company has an in-house cyber security team, this is the stage at which to instruct them to begin the forensics side of the investigation while the evidence is still fresh.
Follow this by ensuring that your incident response team or provider (forensics experts, information security professionals or senior management team) delivers your initial response to the crisis. It can be highly beneficial to work with a data forensics expert to gain an understanding of the key aspects of the attack, such as size, scope and source. A forensics team can help greatly by gathering and analysing evidence and outlining the best remediation steps to take. The forensics team and your legal team will advise you on how to proceed with your response to and disclosure of the breach.
Establish an effective data breach response plan
Effective data breach response continues long after your organisation has successfully notified the relevant authorities and the individuals affected, and contained the breach and restored operational continuity. It is vital to look ahead to ensure you are fully prepared to prevent data breaches and to take action in the event of future attacks. This involves establishing a comprehensive incident response plan for your organisation. Incident response planning sets out a series of steps to help you to minimise the damage and disruption of attacks and, where necessary, restore operations as quickly as possible.
How Kroll can help
Kroll is a leading provider of end-to-end cybersecurity, digital forensics and breach response services – responding to over 3,000 security events every year. Kroll is well-placed to help you respond effectively to many types of security incidents and enhance your organisation’s incident response procedures, with experts on hand 24/7 to assist across the entire incident lifecycle. We can help you protect, detect and respond with confidence and can deploy remote solutions quickly and/or be onsite within hours.