A single data breach may lead to lawsuits, reputational damage, and financial losses. Preventing and investigating data breaches in a timely manner is critical for your organization’s cybersecurity.
In this article, we provide eight simple steps for efficiently responding to and investigating a data breach in your organization.
What is a data breach?
A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person.
Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and word of mouth. The average cost of a data breach was $4.35 million in 2022 according to IBM’s Cost of a Data Breach Report 2022. That’s 12% higher than what IBM reported for 2020.
How do you handle a data breach?
If a data breach has occurred, it’s necessary to respond immediately and investigate the incident as soon as possible.
What is data breach investigation and response?
Data breach response is a systematic way to deal with and manage the consequences of a data breach. The goal is to address the problem in a way that minimizes harm and reduces recovery time and expenses.
Data breach investigation is an integral part of data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.
There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:
- Computer Security Incident Handling Guide [PDF] from the National Institute of Standards and Technology (NIST)
- Incident Handler’s Handbook from the Escal Institute of Advanced Technologies, also known as SANS
- Microsoft Incident Response Guide [PDF]
NIST outlines four main steps of handling an incident:
Below, we explain these and other important steps based on recommendations in the guides mentioned above.
10 Must-Have Information Security Policies for Every Organization
8 key steps for data breach response and investigation
Although the reasons behind a data breach may vary, there are strict steps you need to take when responding to and investigating any such cybersecurity incident.
Depending on the industry you operate in and the requirements you need to comply with, the order of the steps may vary, and some steps may be omitted or added.
1. Prepare for a data breach before it happens
Your organization should be ready to handle a data breach before it happens.
Good preparation can significantly reduce the risk of business damage and simplify your response and recovery processes.
Preparation involves assessing the risks, establishing an incident response team, and, eventually, creating an incident response plan (IRP). An IRP can coordinate your organization if a data breach happens and take proper first steps to investigate and remediate it.
An essential part of the preparation process is obtaining all necessary technological resources to ensure data security and respond to data breaches: threat detection and monitoring tools, data loss prevention systems, access management solutions, user and entity behavior analytics (UEBA) software, etc.
To prevent a data breach from happening in the first place, consider treating your employees as your main line of defense. You can do so by conducting regular cybersecurity training. In training sessions, explain what data breach risks there are, what attack techniques cybercriminals use, and what your employees should do to ensure reliable data security.
2. Detect the data breach
All tips for investigating a data breach begin with data breach detection measures. This step is aimed at determining the fact that a data breach has occurred.
Not sure how to detect data breaches? Look for their signs. In the Computer Security Incident Handling Guide [PDF], NIST distinguishes two types of data breach signs: precursors and indicators.
The structured MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base can also be of great help. It describes known attacker behaviors, divided into tactics and techniques and expressed in tables (matrices). The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.
5 Reasons to Start Pseudonymizing Personal Data in Your Organization
3. Take urgent incident response actions
You should take several urgent steps when a data breach is detected. The first is to record the date and time of detection as well as all information known about the incident at the moment.
Then, the person who discovered the breach must immediately report to those responsible within the organization. Security officers should also restrict access to breached information to prevent the further spreading of leaked data.
You may keep this checklist as your cheat sheet:
It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.
4. Gather evidence
Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.
Act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.
The list of data you should collect includes the following:
- Date and time when the data breach was detected
- Date and time when a response to the data breach began
- Who discovered the breach, who reported it, and who else knows about it
- What information was breached and how
- Description of all events related to the incident
- Information about all parties involved in the breach
- Systems affected by the incident
- Information on the extent and type of damage caused by the incident
Portrait of Malicious Insiders: Types, Characteristics, and Indicators
5. Analyze the data breach
Once you’ve gathered information about the incident, you need to analyze it. This step aims to determine the circumstances of the incident.
You may have to answer a series of questions that will further assist in the investigation:
Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.
How to Calculate the Cost of a Data Breach
6. Take containment, eradication, and recovery measures
It’s essential to prevent the data breach from spreading and be able to restore your organization’s operations. You can accomplish this with three сountermeasures: containment, eradication, and recovery.
Containment. The goal of this measure is not only to isolate compromised computers and servers but also to prevent the destruction of evidence that can help investigate the incident. Conduct a comprehensive data breach containment operation and preserve all evidence. Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.
Eradication. Eliminating all causes of the data breach is essential. For example, if the breach occurred because of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.
Recovery. After successful eradication, the organization must restore normal operations. This includes returning the affected systems to a fully operational state, installing patches, changing passwords, etc.
Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat no longer exists.
7. Notify affected parties
Regardless of whether you’re legally obliged to do so, consider notifying all affected organizations, individuals, and law enforcement.
Timely notification is vital, as it will enable individuals to take protective measures, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.
The list of those to be notified will vary depending on the type of data compromised and may include:
Pay particular attention to notice periods, which depend on the laws and regulations you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:
- Organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days of discovering a breach. Fines for a HIPAA violation may be up to $25,000 per incident. The minimum fine is $100.
- The General Data Protection Regulation (GDPR) requires European data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.
- According to the Notifiable Data Breaches (NDB) scheme, Australian organizations have 30 days to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about data breaches that are “likely to cause serious harm.”
- Brazil passed its own legislation that’s similar to the GDPR, called the Brazilian General Data Protection Law [PDF], which includes breach notification requirements.
- The Breach of Security Safeguards Regulations includes notification requirements for data breaches in Canada.
Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider all local data breach requirements.
10-Step Checklist for GDPR Compliance
8. Conduct post-incident activities
Once you’ve taken actions to counter the data breach, it’s time to analyze the incident and its consequences and take measures to prevent similar issues in the future. Every data breach should be thoroughly audited afterward. The specifics of each audit depend on the data breach itself and its causes.
By thoroughly implementing these steps, you can better understand the data breach that occurred, discover its true causes, and determine the best path for mitigating its consequences.
How to detect, respond to, and investigate data breaches with Ekran System
It’s difficult to investigate a data breach and get the full picture of what happened without detailed context.
Ekran System is an insider risk management platform that can help you handle human-caused data breaches and other cybersecurity incidents by providing the most detailed evidence trail.
| Using Ekran System to handle data breaches | |
| Collect cybersecurity evidence | Monitor and record user activity of your employees and any external users connecting to your infrastructure. |
| Detect and respond to data breaches | Get alerts about suspicious user activity and respond to cyber events manually or automatically. |
| Investigate data breaches | Investigate cybersecurity incidents by viewing indexed video records of user sessions, generating reports, and exporting evidence for data breach investigations. |
| Prevent data breaches by securing access | Manage users’ access to sensitive data, streamline your password management, and verify user identities with two-factor authentication (2FA). |
Ekran System can also help you comply with the requirements of cybersecurity laws, standards, and regulations such as NIST 800-53, HIPAA, PCI DSS, the GDPR, and FISMA.
Conclusion
Preparing to respond to and investigate data breaches in a timely manner will strengthen your business continuity and enhance your cybersecurity in general.
Consider implementing the measures from our data breach investigation template. Coordinated actions and a consistent approach can reduce the negative consequences of data breaches and significantly speed up the recovery process. Also, Ekran System can help you with incident response and data breach investigation procedures.
Request a free trial of Ekran System to enhance your data protection measures.
Share:
