Data breaches are something that in most recent years seems inevitable. Of the 39% of businesses that reported a cyber attack in 2022, 31% estimate being attacked at least once a week. Data compromises also come in all shapes and sizes from full data risks to minor vulnerability disclosures. Once a breach occurs, it is the organisations responsibility to put it right and ensure it is well protected against future cyber attacks and data breaches.
Businesses that either lack knowledge of cyber security and how to manage risk, have limited budgets and resources or those who are taking a reactionary approach to cyber security will be most at risk. There’s a lot of advice on how to best defend against opportunistic and targeted attacks . By following simple security best practices, you can greatly reduce your risk of a significant compromise.
This blog is a simple guide to what your business should do in the event of a data breach, how to recover from a breach, and who to notify once a breach has been discovered. By following our 7-step guide on post-breach remediation, your business can manage security incidents more effectively and plan appropriately to prevent future data breaches from occurring.
First 24 hours post-breach response checklist
During the first 24 hours after a data breach has been discovered, you should do the following:
- Document the date and time of breach
- Assess the scale and severity of the breach and whether it was caused by a cyber attack or employee error. Investigate what data has been accessed and is potentially at risk of exposure
- Establish which areas of the business have been affected
- Ensure the incident response team have been notified
- Understand whether a risk assessment has been conducted by identifying the associated risks of the breach and assessing whether your company followed due diligence following the discovery of the breach.
Every situation varies in levels of risk and severity. Businesses and consumers need to realise that not every breach should be considered equal and that there are scenarios where it would not be possible for a business to mitigate the risk. An example of this is zero-day vulnerabilities. The average business’s expertise and size of budget will make it very difficult, even impossible, to find these types of vulnerabilities given that until the vendor is made aware of a breach, there is no way to tell if you are vulnerable. SIEM tools can help detect abnormalities that are indicative of zero-day attacks, however businesses can improve their chances against zero-day attacks by using firewalls, keeping operating systems and software up to date and implementing staff training as zero-day attacks can capitalise on human error.
From the moment an organisation suffers a data breach, they need to follow a process that is consistent and repeatable. The focus needs to be on documenting insight into the attack and following a procedure to triage. It’s vital to assess how the data breach may have occurred, what type of attack it is, what systems have been affected and what data has been stolen, leaked or shared.
Who to notify after a data breach?
When a data breach occurs, it’s pivotal for organisations to ascertain what type of breach it is. In many cases, it will be necessary to notify key governing bodies such as the Information Commissioner’s Office (ICO) on the type of data breach that has happened, no matter its risk level. There are certain instances, for example, when reporting a personal data breach, that the ICO must be informed about within 72 hours of your business becoming aware of the incident. This should be the case even if you have limited information about the cyber attack in its immediate aftermath.
When to inform the ICO of a data breach
There is not a requirement to report every breach to the ICO. organisations need to inform the ICO if they believe they have experienced one of the following data breaches:
- A personal data breach under the GDPR or the DPA Act 2018
- A PECR security breach – a breach of any telecom or internet service provider