Steps to Follow After a Data Breach

As network breaches continue to occur, organizations should have a response plan in place.  Features of an Incident Response (IR) plan and a network security checklist can vary depending on the type of organization; however, every checklist can have a basic structure that includes internal and external objectives. A recent article about creating a network security checklist suggests breaking the incident response plan and checklist into manageable sub-plans, “where each lower-level plan focuses on a different aspect of the breach.” This could allow an organization to respond more quickly if a cyber incident were to occur.

Below is a suggested four-step network security process to follow in the event of a breach.

  1. Tactical Response: You will need to determine how to stop the breach from causing more damage. Discuss possible breach scenarios before an attack occurs to help develop a tactical response.  The network security team should identify actions that can be taken immediately without approval.
  2. Forensic Response: If a breach is in progress, you need to generate evidence, and if a breach has occurred and ended, you need to preserve evidence for law enforcement and insurance reasons. Key system audit logs should be checked and reviewed.  A forensic analyst should also be engaged to determine the extent of and damage caused by the breach.
  3. Legal and Government Notification: Create a plan about how to notify various authorities of the incident. In most scenarios, the legal department is involved and then interacts with law enforcement to explain the scenario.
  4. Utilize External Resources: There are many resources available publicly on how to respond to a breach. Use these available resources to help you compile and complete your network security checklist.

A best practice would be to walk-through your incident response plan, discuss possible breach scenarios and brainstorm appropriate response levels.  If you have a cyber insurance policy in place, it will provide significant value in the event of an attack and can help you recover from the resulting financial loss.  However, it is important to understand policy requirements in the event of an incident so that this can be considered and incorporated into your incident response plan and network security checklist as well.

By taking a proactive approach in creating an incident response plan and network security checklist before a breach, you can significantly limit the impact. Talk to a trusted advisor to create the network security checklist best suited for your organization.