How to Respond to a Security Breach
Every business is at risk of a data breach. If the likes of eBay, Yahoo, Ticketmaster and Typeform can suffer from valuable data being leaked, it can happen to any business.
Data breaches can be caused by a social hack, theft, staff losing company devices, a physical intrusion or a whole host of other reasons that can be difficult to completely prepare for. If it does happen, however, there are a number of steps you can take pre-loss in order to limit the initial damage and additionally a number of steps you can take post-loss in order to prevent the issue from spreading. Here, we’ll cover a range of steps that will prove useful in preparation for an attack or breach and offer food for thought on what is an ever-important issue.
To kick things off, Sean Dorian, Operations & Legal Director at Cloudhelix, provides practical tips on keeping your business safe in a changing world…
"Data is the lifeblood of any company and a data breach is akin to a wound allowing that lifeblood to spill out into the public domain. Data security is paramount and will continue to push its way to the top of every organisation’s priority list as automated business processes become ever more prevalent and we as individuals become ever more connected with the world around us via the ‘internet of things’. As such, I would suggest that organisations on-board now with high standards of data security and seek to build on those year on year."
"Organisations should also partner with trusted (and certified) service providers to ensure they remain at the forefront of this incredibly important area. An area that now carries significant potential sanctions on the back of the recent implementation of GDPR via the coming into force of the Data Protection Act 2018."
All businesses are different, so are their IT departments, and a data breach can mean many things, so in the interest of keeping this information useful, we’ve aimed to keep the situation itself out of this post and provide general advice that can be applied to the majority of cases. If you’re looking for a specific, step-by-step approach, it’s likely you’ll want to get in touch with your cloud provider to undertake a security audit.
It might not sound like the greatest advice given the circumstance, but when it comes to making decisions, you have to be rational, considered and measured. There’s often a massive pressure from outside the IT department to get things back up and running. This pressure comes from a lack of understanding of the technicalities of the situation, how it works and what is employed to assist in the face of adversity.
There may be pressure to get things back to normal and move forward, but unless you’re totally sure of the situation and that it’s completely under control, rushing to get systems back up and running could prove far riskier than taking things slow. How you handle the breach may be covered in the press, may be debated online and may be subject to discussion at a tribunal or court of law, so acting on the word of your superiors and only when absolutely sure is essential.
What tools do you have at your disposal?
In a pre-loss scenario, it’s important that your team have alerting configured across your infrastructure so that when a serious issue arises, it’s easy for your team to spot and escalate. James Leavers, Chief Technology Officer at Cloudhelix, offered the following advice on the issue…
“Organisations often have a sea of syslogs, huge amounts of application and infrastructure logging, which nowadays could be coming from a variety of different private and public cloud platforms. What’s important is well-designed alerting on all these logs, using properly configured SIEM and/ or IDS systems. There’s nothing worse than ‘alert fatigue’: when an organisation gets so many alerts that the most important ones get lost or ignored.”
Where a data breach occurs, there should be a set of basic policies in the form of run books that are maintained to allow your IT team to take some immediate actions. If this isn’t the case, ramp up monitoring and any other tools you use which can extract data such as syslogs. These can prove useful for any investigative work that needs to be carried out.
Engineers, whether yours or via a third party, and during or after the event, can use data to work out the root cause of the issue, which helps the business move forward and learn from the issues they faced.
Don’t be the hero
While this is most certainly an IT issue, it’s also an issue for the whole business, and it’s important that you don’t feel like the whole business is on your shoulders. Now isn’t the time to be the hero, the damage has already been done. You might want to fix it, or you might even have a solid idea of how to go about fixing it, but this is a business-wide issue, not just yours.
Make suggestions, consider the steps that can be taken and document your thinking so that it can be used to prevent future breaches. It’s more than likely that you and your team were already following best practice, so don’t feel the need to cover your back or make excuses for the work you were carrying out.
The damage needs to be assessed properly and then a plan should be put in place as to how the whole business will begin to tackle the issues involved.
Stay open, stay honest
In the event of a breach, whether its realistic or not, people immediately want answers, action and explanations. This is a pretty daunting prospect when you’re:
- Responsible for part or all of your businesses infrastructure
- Yet to fully figure out the source of the issue
- Worried it might be due to a decision you’ve made or a project you’ve worked on
The important thing to remember is that all lines of communication need to be open, honest, unbiased and regular. The reason for this, other than being generally useful for all involved, is that the final decisions on this issue won’t be made by you or the IT team, they will be made by the board of directors or senior management.
Give your honest understanding of the facts; any potential oversights or mistakes by the IT team must be understood by the chief information security officer and this will not be the time for recriminations. Let the board make a decision based on all of the information you and others will provide. Don’t try and take the situation on yourself as there could well be reasons why the breach may be more important to specific stakeholders, who are privy to information that you aren’t.
And finally, when the day begins to come to a close and the root cause has been discovered; affected systems have been isolated; and all customers and employees are aware of what to do while things are in flux, it’s time to start analysing and monitoring. It’s tempting to let your foot off the gas, but there’s a chance that secondary attacks could be on the way. Monitor everything closely for any unusual or suspicious activity and ensure your team remains diligent too.
Cloudhelix holds the globally-recognised ISO 27001 accreditation, the leading standard in information security, and the UK-government backed Cyber Essentials Plus, which provides further assurance of our IT security standards. Each of our accreditations are audited annually and our data center partners are also compliant to the highest of standards. We also provide GDPR-compliant support to any clients who are unfortunate enough to suffer a data breach.
Our specialists have the answer