What Should a Company do After a Data Breach? Key Steps you Need to Know About

No business expects to suffer a data breach, but sooner or later, the chances are it will happen. According to the UK government’s annual Cyber Security Breaches Survey for 2023, one in three firms had experienced a cyberattack in the previous 12 months, rising to 69 percent for large enterprises.

Therefore, while companies may not plan to be attacked, it is imperative that they plan for what to do if they are attacked. An effective response to a cyberattack can be the difference between a minor inconvenience and potentially devastating disruption.

The consequences of a security incident, whether intentional or accidental, can be wide ranging, from direct financial costs to ongoing recovery expenses and reputational damage that can last for years.

A data breach can come in a wide range of forms, from errors by employees to deliberate attacks targeted at your most valuable digital assets. Step one in any incident must be to determine what type of incident has occurred and how serious the damage is. Some of the most common causes of breaches include the following:

• Lost or stolen devices: The physical loss of hardware containing sensitive data. With more business activity taking place on mobile or personally-owned devices, this becomes an even greater risk.
• Accidental disclosure: Errors such as database misconfigurations or even emailing sensitive information to the wrong recipient can end up exposing information to unauthorized personnel and breaching data privacy laws.
• Phishing attacks: Cybercriminals that trick unsuspecting users into handing over information is another common cause of breaches. Often this involves access credentials to larger databases, but it can also include users sending large amounts of files directly to criminals. Some criminals have even adopted tools like AI to impersonate a colleague or business partner.
• Insider threats: Employees looking to steal data, perhaps to sell on the dark web or to take directly to a new job, can be especially hard to detect, as disgruntled personnel may well have legitimate reasons for accessing data. As they will know exactly where information is stored and what will be of most value.
• Data exfiltration: Deliberate attempts to remove data from a network by external hackers have quickly become one of the most serious types of data breach. Often, the goal is to hold the data for ransom, demanding payment in exchange for not releasing it publicly – and many firms will choose to pay up in the hope of avoiding further negative publicity.

Regardless of the type of breach a company experiences, the financial consequences can be severe. Direct costs that can result from an incident include ransom payments, regulatory fines, class action lawsuits from affected customers and lost business. What’s more, in the immediate aftermath of a breach, the expenses related to investigation, remediation and hardening to prevent future incidents can also all quickly add up.

According to IBM, the average data breach in 2023 cost was $4.45 million. This marked a 15 percent increase over the last three years from $3.86 million in 2020, illustrating how this is a growing problem.

Regulations surrounding data loss have toughened significantly in recent years, with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) leading the way. These have stringent reporting requirements, with GDPR typically requiring notification within 72 hours of discovering a data breach to both the regulator and any affected individuals. 

Companies that fail to meet this mandate are likely to find themselves liable for large penalties, so while it may not be at the forefront of a business’ mind if a situation is still ongoing, it must not be overlooked.

The longer a data breach is allowed to continue, the more damage it can do, which is why it is crucial that firms have effective solutions in place to detect incidents as early as possible. While technology solutions such as intrusion detection and prevention are designed to spot attacks at the point of entry, firms that focus too heavily on perimeter defense may find it almost impossible to respond to any threats that do slip through the net.

In some cases, hackers have been able to move through businesses’ systems undetected for months, quietly stealing huge amounts of data. Failure to notice this can add millions to a company’s final bill. Technologies such as anti data exfiltration (ADX) that have been designed specifically to look for these activities are hugely beneficial.

A major challenge for any business following a data breach will be convincing future customers and partners that they can be trusted with their personal information. According to one 2023 survey, three-quarters of consumers (75 percent) say they would be willing to cut ties with a company that falls victim to a data breach, with 66 percent of those in the US stating they would not trust a company following a data breach.

This is a major reason why prevention is better than cure when it comes to data loss. If firms are to regain trust following an incident, this will require both time and money. For instance, paying for credit monitoring and fraud alert services if consumer financial details like credit card numbers are compromised can be a significant but necessary expense.

These serious consequences all illustrate the importance of having a comprehensive data breach incident response plan to refer to in the event of an incident. This should make clear what steps must be followed and what everyone’s responsibility is within these procedures.

It’s vital that this is completed and tested ahead of time. If firms have to go into a data breach situation without one, this greatly increases the likelihood that mistakes will be made that delay recovery, leading to higher costs.

Step one must be to ascertain exactly what data has been compromised and how it was achieved. This is critical in shutting down any potentially infected systems before any further data exfiltration can take place.

If the source of the security breach is not identified and systems aren’t isolated, the threat can easily spread to other parts of the network, compounding the problem and allowing hackers more opportunities to exfiltrate data to disrupt operations.

Once the breach has been contained, attention can turn to determining what was lost and how it can be recovered. Having a comprehensive backup and disaster recovery plan is vital if mission critical data has been stolen or deleted.

At this point, if a company has received a ransom demand – for instance, threatening to publish any exfiltrated data unless they are paid – firms will also need to decide what to do regarding this. Paying up may seem like the easier – and cheaper – option in order to minimize reputational damage and get back up and running quicker, but law enforcement generally advises against this as it will likely only make them a more attractive target for future attacks.

Proper notification is another critical step in the process. This may cause concern to businesses, who will worry about the reputational damage of going public – especially if personal customer information was lost – but it must not be overlooked.

Data breach notification needs to be taken seriously, as the consequences for attempting to cover up an incident are severe. This can even rise to the level of criminal charges for senior personnel – as was the case in 2022 with Uber’s chief information security officer, who was convicted of attempting to cover up a previous data breach at the company.

It’s important to have a clear idea of who needs to be informed. All directly affected parties, such as stakeholders, employees and customers who may be vulnerable to issues like identity theft should be at the top of the list, along with regulators, but law enforcement and data breach insurance providers also need to be told as soon as possible.

Once the fires have been put out, it’s time to look to the future. Businesses that have already fallen victim to a breach are highly likely to be targeted again, so it’s important that systems are improved and defenses hardened so that any future breach can be avoided. 

This can be an expensive process, involving both hardware and software upgrades and expenses such as hiring professional consultants. While dedicated cybersecurity or more general business insurance may provide some help with this, there are no guarantees. 

A key part of a data breach response plan is reviewing what went wrong and what needs to be done to ensure the same mistakes do not occur again.

Central to this should be looking at a firm’s employees. A large number of data breaches are the result of human error. This covers everything from IT staff misconfiguring databases to allow unauthorized access, members of staff falling for phishing scams and handing over login details to fraudsters, or even someone leaving a company laptop on a train. Asking what training systems were in place and if more follow-ups are needed to prevent these types of errors is also important.

Companies also need to understand exactly how data was exfiltrated from the business. Was it carried out on a USB stick or laptop, or did it leak via a cloud connection or a user’s unsecured personal smartphone? Once this has been identified, firms can put in place the right tools, such as on-device anti data exfiltration software, to prevent it happening again.