"We've been hacked!" These dreaded words are scarier than any haunted house you may visit this Halloween season. As we observe Cybersecurity Awareness Month, it's important to reflect on the growing risks of cyberattacks and emphasize the importance of being prepared. With over $1 billion in records stolen so far this year, the threat of a breach is more real than ever. The growing involvement of artificial intelligence ("AI") in cyberattacks further escalates the risks for businesses.
Quick and effective action is critical, with the average cost of a data breach hovering at $4.88 million. Below, we outline the key steps businesses should take when a breach occurs. Note, however, that these steps will not always happen in the exact order listed: several actions often need to occur simultaneously, or in a different sequence, depending on business needs and legal requirements.
Step 1: Identifying a Breach
The first and often most critical step is recognizing that a breach has occurred. Some breaches are obvious—such as ransomware notes and locked systems—while others may involve subtle signs like slow system performance or unauthorized access lurking in the shadows.
Training employees to spot these warning signs early and report them immediately is essential to containing damage. In the spirit of Cybersecurity Awareness Month, businesses should prioritize refresher training for staff to reinforce these skills.
Step 2: Alerting Key Stakeholders
As soon as a breach is detected, it's vital to alert internal and external stakeholders, such as executives, IT teams, legal counsel, and public relations teams. Organizations should include a call tree in their incident response plans with key stakeholder names, titles, and/or positions, office and cell phone numbers, and other applicable contact information. Companies should also contact their cyber insurance providers to ensure they have coverage for breach-related expenses.
Legal counsel must be notified immediately to ensure compliance with state and industry data breach notification requirements. Outside legal counsel should be engaged and made responsible for hiring and managing consultants, so that communications during the investigation remain protected by attorney-client privilege. Remember, these steps often overlap—your IT team may be containing the breach while your legal team manages the investigation and reviews your reporting obligations in real time.
Step 3: Isolating the Affected Systems
Containing the breach by isolating affected systems from the network is a critical task. Disconnecting infected systems prevents malware, such as ransomware, from spreading to other areas of the business.
This action should happen quickly and concurrently with other steps. Prefer isolating systems at the network level over powering them off abruptly: an abrupt shutdown can erase critical forensic data needed for the later investigation.
Step 4: Identifying Applicable Insurance Coverages
If your business has cybersecurity insurance, notifying your provider as soon as possible is key to securing coverage. Cyber insurance policies typically cover costs such as data recovery, system repair, and liability. Cybersecurity Awareness Month is an excellent opportunity to review insurance policies and ensure that your business understands what is covered and how to proceed if a breach occurs.
Step 5: Engaging Forensic and IT Vendors
Coordinate with outside legal counsel to engage cybersecurity experts and forensic vendors to assess the full scope of the breach. These specialists can help remove malware, restore systems, and guide your company through the recovery process.
Since timing is crucial, this step may occur alongside your IT team isolating systems or legal counsel managing communications. During Cybersecurity Awareness Month, businesses should identify legal counsel and vendors in advance, so that response times are shorter in the event of a breach.
Step 6: Identifying the Nature of the Breach
Understanding the root cause of the breach—whether it's phishing, weak security protocols, or an insider threat—is key to preventing future incidents. Forensic teams will work to investigate how the breach occurred and report findings to outside counsel. Outside counsel will evaluate the findings and advise businesses on notice and reporting requirements under governing laws and contractual obligations.
Step 7: Remediating the Cyber Incident
While remediation may happen in parallel with other steps, it's critical to address vulnerabilities that allowed the breach to occur. Whether it's patching software, updating security protocols, or restoring systems, businesses need to act swiftly to minimize damage and return to normal operations.
Step 8: Notifying Affected Parties
In most cases, if personal data is compromised, businesses are required by law to notify affected individuals. The specific reporting timelines will depend on where your business operates and the residence of the affected individuals. Use Cybersecurity Awareness Month as an opportunity to audit your notification processes to ensure compliance with state, federal, and international regulations.
Step 9: Defending Against Potential Lawsuits
After a breach, businesses may face lawsuits, especially if personally identifiable information ("PII") is compromised. Legal teams will need to work closely with forensic experts to protect privileged information and defend the company against potential claims.
Step 10: Learning and Improving
Finally, post-breach analysis is critical for strengthening your defenses. Performing an after-action review will highlight vulnerabilities and help improve your incident response plan. Cybersecurity Awareness Month is a great time to reflect on these lessons and make improvements to your overall security posture.
It's important to remember that cyber incident response isn't always a linear process. Depending on the nature of the breach, multiple steps may occur at once. For example, you may be isolating systems while simultaneously notifying legal counsel and key stakeholders. Likewise, a legal team may be drafting regulatory notifications while forensic teams are still investigating the scope of the breach.
Flexibility is key. Legal requirements and business priorities will often dictate the sequence of actions, making it necessary for organizations to remain agile during the response. This highlights the importance of having a well-rehearsed incident response plan that accommodates rapid, coordinated action across departments.
As Cybersecurity Awareness Month reminds us, preparation is the best defense against the inevitable reality of cyberattacks. By knowing these key steps and developing and practicing your action plans and policies, businesses can better protect themselves and respond effectively when faced with a breach. Take the time to assess your current plans, educate employees, and ensure your business is ready to act swiftly and strategically in the event of a cybersecurity incident.
Originally published Oct 7, 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.