Data Breach Response and Investigation: 8 Steps for Efficient Remediation

From financial losses to legal issues to a damaged reputation, the consequences of a data breach can severely impair organizations. Therefore, having robust data breach incident response and investigation procedures is critical for organizations to mitigate the impact of such incidents.

In this article, we review what a data breach is and how it can influence your organization as well as provide eight simple steps to efficiently respond to and investigate data breaches.

What is a data breach?

A data breach is an event that results in exposing confidential, sensitive, or other protected information to unauthorized individuals. Perpetrators often target organizations to get access to the personal data of their employees and clients (Social Security numbers, bank account information, healthcare information) or corporate data (intellectual property, financial data).

Data breaches may result from various cybersecurity events, such as malicious insider activity, social engineering attacks, and exploiting software vulnerabilities. At the same time, the impact of a data breach itself can include severe and far-reaching consequences.

The impact of a data breach

In this section, we review the most significant consequences of a data breach for your organization.

First of all, breaches of confidential information can lead to financial losses. The average global cost of a data breach was $4.45 million in 2023, according to IBM’s Cost of a Data Breach Report 2023, which is 2.3% higher than in 2022 and 15.3% higher than in 2020. Moreover, the indirect cost of a data breach may be much higher, depending on the time, effort, and resources required to cover losses.

A data breach may also result in legal ramifications. Parties affected by a data breach and regulatory bodies can file lawsuits leading to settlements, fines, and penalties for non-compliance. According to Richard Sheinis and Lisa Jaffee of the New York Law Journal, the number of class action lawsuits filed in the wake of a data breach is on the rise.

Data breaches can cause interruptions in business processes and activities, potentially leading to operational downtime. Thus, when a breach occurs, data can be stolen, corrupted, or encrypted until a ransom is paid. If some of that data is critical for your business operations, it can lead to disruptions in business productivity, communication, and service delivery.

Further, data breaches can cause reputational damage. After your organization experiences a data breach, your current and potential customers may develop doubts about your organization’s security and ability to protect data. This is especially true when the data breach exposes sensitive or confidential information. In turn, it can lead to low conversion rates, customer churn, and loss of business opportunities.

What is data breach response and investigation?

Data breach incident response is a systematic way of dealing with and managing the consequences of a data breach. The goal is to address the problem in a way that minimizes harm and reduces recovery time and expenses.

A data breach investigation is an integral part of data breach response. Its goal is to clarify the circumstances surrounding the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.

How do you handle a data breach?

So, what should a company do after a data breach? If a data breach has occurred, it’s necessary to detect and respond to the incident as soon as possible.

There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:

• Computer Security Incident Handling Guide [PDF] from the National Institute of Standards and Technology (NIST)
• Incident Handler’s Handbook from the Escal Institute of Advanced Technologies, also known as SANS
• Microsoft Incident Response Guide [PDF]

NIST outlines four main steps for handling an incident:

To minimize the damage of a potential breach, your organization needs to define steps for response and investigation before a data breach even occurs. That’s why building an actionable plan is the first step to enacting an efficient data breach incident response.

How to create a data breach response plan

A data breach response plan (or a data breach response guide) is a framework that defines the roles of people in your organization who would be involved in handling a data breach and the steps they’d need to take if a data breach were to occur.

Before we proceed with how to create a data breach response plan and what it should include, let’s see why having one for your organization is crucial.

The importance of developing a data breach response plan

Having a data breach response checklist or plan enables your organization to mitigate a data breach swiftly and effectively, minimizing its impact. In particular, a well-thought-out data breach response plan can help you:

What should you include in a data breach response plan?

When building a data breach response plan for your organization, ensure that it has the following information:

• A clear definition of a data breach and indicators that may help your employees detect it
• A list of members of your incident response team (IRT) with clearly identified roles and responsibilities
• The steps of your process for handling a data breach, such as containment, eradication, and recovery, and the actions your IRT needs to take during each step
• Descriptions of any technological means you use for data breach prevention and detection and instructions for their use
• Emergency contacts of senior management, regulatory authorities, and forensic investigators, and when they need to be contacted
• Instructions on how to relate the data breach to regulatory bodies, affected parties, customers, and media
• A guide on documenting the data breach for further analysis and evaluation

Try to engage people from different departments of your organization in the data breach response planning process. Taking a variety of perspectives into account can help you make the plan more comprehensive and effective.

Now that we know about the importance and essential elements of a data breach response plan let’s take a look at data breach response best practices. We’ll outline these practices in a series of key steps for clarity and ease of understanding.

8 key steps for data breach response and investigation

Although the reasons behind a data breach may vary, there are strict steps you need to take when responding to and investigating any cybersecurity incident.

How you respond to a data breach depends on the industry you operate in and the requirements you need to comply with. You can reorder, add, or omit any of the following steps to better suit your specific needs.

1. Prepare for a data breach before it happens

Your organization should be ready to handle a data breach before it happens.

Good preparation can significantly reduce the risk of business damage and simplify your response and recovery processes.

Preparation involves assessing the risks, assembling an incident response team, and deploying reliable cybersecurity software. Only after you’ve done that can you start creating an incident response plan for a data breach.

An essential part of the preparation process is obtaining all necessary technological resources for ensuring data security and responding to data breaches: threat detection and monitoring tools, data loss prevention systems, access management solutions, user and entity behavior analytics (UEBA) software, etc.

To prevent a data breach from happening in the first place, treat your employees as your main line of defense. You can do so by conducting regular cybersecurity training. In training sessions, explain the risks associated with a data breach, the various attack techniques cybercriminals use, and what your employees should do to ensure reliable data security.

2. Detect the data breach

All tips for investigating a data breach begin with data breach detection. During this step, you must determine that a breach has indeed occurred.

Not sure how to detect data breaches? Look for the signs. In their Computer Security Incident Handling Guide [PDF], NIST distinguishes between two types of data breach signs: precursors and indicators.

The MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) knowledge base can also be of great help. It is a framework in which known attacker behaviors are represented by matrices divided into tactics and techniques. The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attacker behavior and is extremely useful for data protection, monitoring, and employee training.

3. Perform urgent incident response actions

You should take several urgent steps when a data breach is detected. Firstly, record the date and time of detection as well as all information known about the incident at that moment.

At this time, the person who discovered the breach must immediately notify the appropriate parties within the organization. Security officers should also restrict access to compromised information to prevent the further spread of leaked data.

You can use this checklist as a cheat sheet:

Next, it’ll be crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.

4. Gather evidence

Act quickly and gather as much information about the data breach as you can. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews. The better your understanding of the situation, the better your chances of minimizing the consequences.

The information you collect should include the following:

• Date and time when the data breach was detected
• Date and time when a response to the data breach began
• Who discovered the breach, who reported it, and who else knows about it
• What information was compromised, and how
• Description of all events related to the incident
• Information about all parties involved in the breach
• Systems affected by the incident
• Information on the extent and type of damage caused by the incident

Security Incident Investigation with Ekran System

5. Analyze the data breach

Once you’ve gathered information about the incident, you need to analyze it. This step aims to determine the circumstances of the incident.

You may have to answer a series of questions that will further assist in the investigation:

Having carefully analyzed the information you’ve gathered about the data breach, you can start to draw some conclusions about the source of the breach so ultimately, you can stop it.

6. Carry out containment, eradication, and recovery measures

It’s essential to prevent the data breach from spreading and resume your organization’s operations. You can accomplish this with three сountermeasures: containment, eradication, and recovery.

Containment. The goal of this measure is not only to isolate compromised computers and servers but also to prevent the destruction of evidence that can help in your investigation. Conduct a comprehensive data breach containment operation and preserve all evidence. If possible, you should also monitor the attacker’s activity and determine whether any data leaks occur during the investigation.

Eradication. Eliminating all sources of the data breach is essential. For example, if the breach occurred because of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.

Recovery. After successful eradication, the organization must resume normal operations. This includes returning the affected systems to a fully operational state, installing patches, changing passwords, etc.

Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat no longer exists.

7. Notify affected parties

Regardless of whether you’re legally obliged to do so, consider notifying all affected organizations, individuals, and law enforcement.

Timely notification is vital, as it will enable individuals to take protective measures —such as changing passwords —or at least to remain vigilant in case scammers try to take advantage of the data breach.

The list of those to be notified will vary depending on the type of data compromised and may include:

Pay particular attention to notice periods, which vary depending on the laws and regulations you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:

• Organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days of discovering a breach. Fines for a HIPAA violation may be up to $25,000 per incident. The minimum fine is $100.
• The General Data Protection Regulation (GDPR) requires European data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.
• According to the Notifiable Data Breaches (NDB) scheme, Australian organizations have 30 days to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about data breaches that are “likely to cause serious harm.”
• Brazil passed its own legislation that’s similar to the GDPR, called the Brazilian General Data Protection Law [PDF], which includes breach notification requirements.
• The Breach of Security Safeguards Regulations include notification requirements for data breaches in Canada.

Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you must consider all local data breach requirements.

8. Conduct post-incident activities

Once you’ve taken action to counter the data breach, it’s time to analyze the incident and its consequences and take measures to prevent similar issues in the future. Every data breach should be thoroughly audited afterward. The specifics of each audit depend on the data breach itself and its causes.

By thoroughly implementing these steps, you can better understand the data breach that occurred, discover its true causes, and determine the best path for mitigating its consequences.

Auditing and Reporting with Ekran System

How to respond to a data breach with Ekran System

It’s difficult to investigate a data breach and get the full picture of what happened without detailed context.

Ekran System is an insider risk management platform that helps you handle human-caused data breaches and other cybersecurity incidents by providing the most detailed evidence trail.

Ekran System can also help you comply with the requirements of cybersecurity laws, standards, and regulations such as NIST 800-53, HIPAA, PCI DSS, the GDPR, and FISMA.

European Healthcare Provider AGEL Protecting Sensitive Data from Insider Threats with Ekran System

Conclusion

We’ve shown you how preparing to respond to and investigate data breaches in a timely manner can strengthen business continuity and enhance your overall cybersecurity. Ekran System can help you with incident response and data breach investigation procedures.

Coordinated actions and a consistent approach can reduce the negative consequences of data breaches and significantly speed up the recovery process. Consider implementing the measures discussed in this article in your own organization.