Containment, Communication, and Remediation: The 3 Keys to a Breach Response

Image

The number of U.S. data breaches reported in 2021 increased dramatically over the preceding year. As reported by the Identity Theft Resource Center (ITRC), there were 1,291 data breaches between January 1, 2021 and September 30, 2021. The volume beat out the 1,108 breaches detected over the course of Full Year (FY) 2020. It’s therefore not surprising that data compromises year-to-date (YTD) was up 27% last year compared to FY 2020.

The Myth of “Too Small to Fall”

Looking at the above statistics, small- to mid-sized (SMB) businesses might think they aren’t big enough to become caught in attackers’ crosshairs. But that’s not the case. SMBs suffer data breaches all the time. In its Data Breach Investigations Report (DBIR) 2021, for instance, Verizon Enterprise revealed that SMBs had suffered 263 data breaches in 2021. That was just slightly fewer than the 307 data breaches experienced by large organizations.

These findings raise an important question. What are some steps that small businesses should take in the event they suffer a data breach?

Understanding Breach Response

Breach responses typically focus around three main categories: containment, communication, and remediation. 

Containment

The first thing to do is to take a deep breath and understand the scope of the breach. Was it an external party that notified you, or was it something you identified internally? Getting hit with ransomware is a little more of an abrupt notification than a third party reaching out and letting you know that your systems were compromised. 
 
Either way, the next thing to do, often in tandem with the first, is to notify your local law enforcement agency. Depending on the country and jurisdiction of your business, there are various data breach reporting laws that must be adhered to. As part of this, law enforcement agencies can often help to investigate the scope of the breach and to try to track the criminals behind the attack.
 
If your local law enforcement agency does not provide this service, you would need to look at hiring an expert consultancy to help with the identification and containment. This is often a costly but necessary service in the event of a severe breach, so having something like cyber insurance or an amount set aside can help to prepare for this.

Communication

The next thing to do is to communicate to your customer base that there was a breach. Many times, businesses are worried they will lose customers if they think they have been breached. But a data breach does not need to sink an organization’s stock price—especially not over the long-term. Organizations can work to repair consumer confidence following a security incident. Per Harvard Business Publishing, one of the ways they can do that is by being upfront with what they did to prepare for this type of incident and explaining how they’re making further security improvements for the future. You will not know all the details immediately, but early communication is key. Let them know that there was a breach, that it is being investigated, and that more details are forthcoming. Then further communication can be sent once it is contained, the amount of data loss is known, and the plans for remediation and compensation are put in place.

Remediation

Finally, steps need to be put in place to remediate the breach. This includes fixing whatever caused the breach and looking at what processes and procedures are in place to detect and reduce the likelihood of this occurring again. The business needs to weigh the cost of the breach against the cost of implementing mitigating controls. The containment process described above can be costly and time consuming, and it can move the focus of the business away from its primary function for a period, resulting in lost revenue for the organization. So, this might even be something to consider prior to going through a breach. 

Shift to Prevention

SMBs can use the three steps discussed above to respond to a data breach. Before that, however, they can work to prevent a data breach from occurring in the first place. The prevention steps can include things like having an up-to-date asset inventory as well as ensuring that the systems are up to date on security patches and configured securely. Users should have multi-factor authentication (MFA) set up as well as be trained on things like phishing attacks to look out for to help keep the organization secure against potential security incidents. These simple things will help to reduce the likelihood of a breach re-occurring, or if done early, it will help to reduce the likelihood of a breach occurring in the first place.