Skip to main content

Request SaaS Deployment

Contact Sales

Data Protection

Data Breach Response and Investigation: 8 Steps for Efficient Remediation


A single data breach may lead to lawsuits, reputational damage, and financial losses. Preventing and investigating data breaches in a timely manner is critical for your organization’s cybersecurity.

In this article, we provide eight simple steps for efficiently responding to and investigating a data breach in your organization.

What is a data breach?

A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person.

Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and word of mouth. The average cost of a data breach was $4.35 million in 2022 according to IBM’s Cost of a Data Breach Report 2022, which is 12% higher than what IBM reported for 2020. Moreover, the indirect cost of data breach may be much higher considering the time, effort, and resources required to cover losses.

Average global cost of a data breach

How do you handle a data breach?

If a data breach has occurred, it’s necessary to respond immediately and investigate the incident as soon as possible.

Quote form IBM’s Cost of a Data Breach 2022 Report: In an evolving threat landscape, time is money. For 83% of companies, it’s not if a data breach will happen, but when. Usually more than once. When detecting, responding to and recovering from threats, faster is better.

What is data breach investigation and response?

Data breach response is a systematic way to deal with and manage the consequences of a data breach. The goal is to address the problem in a way that minimizes harm and reduces recovery time and expenses.

Data breach investigation is an integral part of data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.

There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:

NIST outlines four main steps of handling an incident:

Key steps of handling cybersecurity incidents by NIST

Below, we explain these and other important steps based on recommendations in the guides mentioned above.

10 Must-Have Information Security Policies for Every Organization

8 key steps for data breach response and investigation

Although the reasons behind a data breach may vary, there are strict steps you need to take when responding to and investigating any such cybersecurity incident.

8-step checklist for data breach response and investigation

Depending on the industry you operate in and the requirements you need to comply with, the order of the steps may vary, and some steps may be omitted or added.

1. Prepare for a data breach before it happens

Your organization should be ready to handle a data breach before it happens.

Good preparation can significantly reduce the risk of business damage and simplify your response and recovery processes.

Top measures to prepare for a data breach

Preparation involves assessing the risks, establishing an incident response team, and, eventually, creating an incident response plan (IRP). An IRP can coordinate your organization if a data breach happens and take proper first steps to investigate and remediate it.

An essential part of the preparation process is obtaining all necessary technological resources to ensure data security and respond to data breaches: threat detection and monitoring tools, data loss prevention systems, access management solutions, user and entity behavior analytics (UEBA) software, etc.

To prevent a data breach from happening in the first place, consider treating your employees as your main line of defense. You can do so by conducting regular cybersecurity training. In training sessions, explain what data breach risks there are, what attack techniques cybercriminals use, and what your employees should do to ensure reliable data security.

2. Detect the data breach

All tips for investigating a data breach begin with data breach detection measures. This step is aimed at determining the fact that a data breach has occurred.

Not sure how to detect data breaches? Look for their signs. In the Computer Security Incident Handling Guide [PDF], NIST distinguishes two types of data breach signs: precursors and indicators.

Types of data breach signs by NIST

The structured MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base can also be of great help. It describes known attacker behaviors, divided into tactics and techniques and expressed in tables (matrices). The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.

5 Reasons to Start Pseudonymizing Personal Data in Your Organization

3. Take urgent incident response actions

You should take several urgent steps when a data breach is detected. The first is to record the date and time of detection as well as all information known about the incident at the moment.

Then, the person who discovered the breach must immediately report to those responsible within the organization. Security officers should also restrict access to breached information to prevent the further spreading of leaked data.

You may keep this checklist as your cheat sheet:

First 24 hours response checklist

It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.

4. Gather evidence

Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.

Act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.

The list of data you should collect includes the following:

  • Date and time when the data breach was detected
  • Date and time when a response to the data breach began
  • Who discovered the breach, who reported it, and who else knows about it
  • What information was breached and how
  • Description of all events related to the incident
  • Information about all parties involved in the breach
  • Systems affected by the incident
  • Information on the extent and type of damage caused by the incident

Portrait of Malicious Insiders: Types, Characteristics, and Indicators

5. Analyze the data breach

Once you’ve gathered information about the incident, you need to analyze it. This step aims to determine the circumstances of the incident.

You may have to answer a series of questions that will further assist in the investigation:

Questions to ask while investigating a data breach

Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.

How to Calculate the Cost of a Data Breach

6. Take containment, eradication, and recovery measures

It’s essential to prevent the data breach from spreading and be able to restore your organization’s operations. You can accomplish this with three сountermeasures: containment, eradication, and recovery.

Containment. The goal of this measure is not only to isolate compromised computers and servers but also to prevent the destruction of evidence that can help investigate the incident. Conduct a comprehensive data breach containment operation and preserve all evidence. Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.

Eradication. Eliminating all causes of the data breach is essential. For example, if the breach occurred because of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.

Recovery. After successful eradication, the organization must restore normal operations. This includes returning the affected systems to a fully operational state, installing patches, changing passwords, etc.

Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat no longer exists.

7. Notify affected parties

Regardless of whether you’re legally obliged to do so, consider notifying all affected organizations, individuals, and law enforcement.

Timely notification is vital, as it will enable individuals to take protective measures, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.

The list of those to be notified will vary depending on the type of data compromised and may include:

Entities to notify about a data breach

Pay particular attention to notice periods, which depend on the laws and regulations you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:

Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider all local data breach requirements.

10-Step Checklist for GDPR Compliance

8. Conduct post-incident activities

Once you’ve taken actions to counter the data breach, it’s time to analyze the incident and its consequences and take measures to prevent similar issues in the future. Every data breach should be thoroughly audited afterward. The specifics of each audit depend on the data breach itself and its causes.

Measures for a post data breach audit

By thoroughly implementing these steps, you can better understand the data breach that occurred, discover its true causes, and determine the best path for mitigating its consequences.

How to detect, respond to, and investigate data breaches with Ekran System

It’s difficult to investigate a data breach and get the full picture of what happened without detailed context.

Ekran System is an insider risk management platform that can help you handle human-caused data breaches and other cybersecurity incidents by providing the most detailed evidence trail.

Using Ekran System to handle data breaches
Collect cybersecurity evidenceMonitor and record user activity of your employees and any external users connecting to your infrastructure.
Detect and respond to data breachesGet alerts about suspicious user activity and respond to cyber events manually or automatically.
Investigate data breachesInvestigate cybersecurity incidents by viewing indexed video records of user sessions, generating reports, and exporting evidence for data breach investigations.
Prevent data breaches by securing accessManage users’ access to sensitive data, streamline your password management, and verify user identities with two-factor authentication (2FA).

Ekran System can also help you comply with the requirements of cybersecurity laws, standards, and regulations such as NIST 800-53, HIPAA, PCI DSS, the GDPR, and FISMA.

European Healthcare Provider AGEL Protects Sensitive Data from Insider Threats Using Ekran System [PDF]


Preparing to respond to and investigate data breaches in a timely manner will strengthen your business continuity and enhance your cybersecurity in general.

Consider implementing the measures from our data breach investigation template. Coordinated actions and a consistent approach can reduce the negative consequences of data breaches and significantly speed up the recovery process. Also, Ekran System can help you with incident response and data breach investigation procedures.

Request a free trial of Ekran System to enhance your data protection measures.



See how Ekran System can enhance your data protection from insider risks.