Building Your Cybersecurity Emergency Response Plan


Breach Detection Methods

The first step is to build your system of breach detection methods. Because hackers and their malware aim to stay invisible until they strike, it's important to have a wide range of detection measures that identify when a breach – or the infection that precedes the breach – occurs.

Network Monitoring

Network monitoring tracks behaviour across your systems, from host metrics such as CPU core temperature to network activity. It lets you see when hidden processes are consuming resources and when unauthorized network access takes place. Because it is the channel through which all access data flows, network monitoring, with expert interpretation, can reveal a breach as it happens.

Access and Control Management

Access and control management is the approach by which everyone with access is given only the minimum access they need. Each employee and customer can open only the files they specifically require. With access tightly controlled, any unauthorized access stands out, and you can go on full alert when it occurs.
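The check described above, as an added example that is not part of the original article: a least-privilege policy maps each principal to the paths it may touch, and any access event outside that grant is flagged for follow-up. The policy, principal names, paths and sample events are constructed for illustration.

```python
"""Least-privilege access check over constructed access events.

Added example (not from the original article): each principal is granted only
the resources they need; any access outside that grant is flagged. Unknown
principals are granted nothing, so they are flagged too.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed policy: principal -> allowed path patterns (glob style).
POLICY = {
    "alice":   {"/finance/*"},
    "bob":     {"/engineering/*", "/shared/*"},
    "support": {"/tickets/*"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    principal: str
    path: str
    action: str  # "read", "write" or "delete"


def is_authorized(principal: str, path: str) -> bool:
    """True if the principal's grant covers the path; unknown principals get nothing."""
    return any(fnmatch(path, pattern) for pattern in POLICY.get(principal, ()))


def find_violations(events):
    """Return the events that fall outside the least-privilege policy."""
    return [e for e in events if not is_authorized(e.principal, e.path)]


# Constructed sample events, shaped like an access log exported from a file server.
SAMPLE_EVENTS = [
    AccessEvent("2024-03-01T09:02:11Z", "alice", "/finance/q1-forecast.xlsx", "read"),
    AccessEvent("2024-03-01T09:05:40Z", "bob", "/engineering/build.log", "read"),
    AccessEvent("2024-03-01T09:07:02Z", "bob", "/finance/payroll.csv", "read"),  # outside bob's grant
    AccessEvent("2024-03-01T09:09:15Z", "svc-backup", "/finance/q1-forecast.xlsx", "read"),  # no policy entry
    AccessEvent("2024-03-01T09:11:58Z", "support", "/tickets/10042.txt", "write"),
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(f"ALERT {v.timestamp} {v.principal} {v.action} {v.path}")
```

The policy is deliberately a deny-by-default allow-list: a principal with no entry gets no access, which is what makes an unfamiliar service account or a newly created user visible the first time it touches a sensitive path.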

Virus Scanning

Naturally, your virus scanning software plays a role. Should a program try to download, install, or run with the clear traits of a computer virus, your traditional protective software should alert to the malware presence.

Human Suspicion

Sometimes, a staff member will bring a suspected hack to light. They may report unusual computer activity or something unexpected in the data logs. Because humans work with the system every day, they can notice signs of an otherwise well-hidden hack. Make sure there is an available and encouraged channel for staff to send in cybersecurity suspicion reports, covering everything from phishing emails to unusual keystroke responses.


Who Should Be Alerted

Who should be told when one of your detection systems alerts on a possible data breach?


Chief Information or Technology Officer

Your C-suite chief of information and/or technology in the company is likely high on the list of people who should be notified. They will rally the troops and decide the right course of action for a breach response.

Network Administrator

Your lead administrator who handles the network and security of your business systems is often the first person flagged by automated breach detection methods. They are also in the best position to take immediate action for damage control and recovery.

Cybersecurity Specialist

If your team has a cybersecurity specialist, they may be first on the list of people alerted when a breach is detected or suspected.

IT & Security Agency

Many companies have an IT agency that supplies their network and cybersecurity support. If a breach is detected, they are likely already responding or will need to be the first called to take defensive action on behalf of the company.


Damage Minimization Measures

Make plans to swiftly minimize the damage of a data breach as soon as possible. The goal is to isolate the malware or hacker’s access to your system before eradicating the invasion, closing the breach, and recovering to an uncompromised state. This starts by protecting the rest of your network, endpoints, servers, and cloud assets from exposure.

Isolate Infected Systems or Files

Identify which files, data systems, or servers are infected and isolate them. With physical systems (and before the cloud) this might mean pulling the network cable so no other systems are infected. Isolation is more complex in modern business information systems, which will require a unique approach based on how your company handles data storage and networking.

Breach History Tracking

Look back through your logs to determine exactly when and where the breach occurred. Knowing the earliest point of compromise lets you choose a backup taken before that point to restore from, and lets you close the breach properly.
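The log review described above, as an added example that is not part of the original article. Starting from an indicator already identified during triage (here a constructed attacker IP address), the script finds the earliest log line that mentions it, lists the hosts it touched in order, and picks the newest backup taken before that time. The log format, host names, IP address and backup timestamps are all constructed.

```python
"""Breach history tracking over constructed syslog-style lines.

Added example (not from the original article). Finds the first appearance of
an indicator, the hosts involved, and the newest backup taken before the
breach started (with an optional safety margin for clock skew or missed lines).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed lines: "<ISO timestamp> <host> <program>: <message>"
SAMPLE_LOG = """\
2024-03-03T22:14:05Z web01 sshd: Accepted password for deploy from 10.0.5.20 port 51234
2024-03-04T01:37:49Z web01 sshd: Accepted password for deploy from 203.0.113.45 port 40021
2024-03-04T01:40:12Z web01 sudo: deploy : COMMAND=/bin/bash
2024-03-04T02:05:33Z db01 sshd: Accepted publickey for deploy from 203.0.113.45 port 40100
2024-03-05T08:12:00Z files01 smbd: connection from 203.0.113.45
2024-03-05T09:00:00Z web01 cron: backup job finished
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^:]+):\s+(?P<msg>.*)$")


def parse_ts(text: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def breach_timeline(log_text: str, indicator: str):
    """Return (first_seen, hosts) for lines whose message mentions the indicator."""
    first_seen, hosts = None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or indicator not in m.group("msg"):
            continue
        ts = parse_ts(m.group("ts"))
        if first_seen is None or ts < first_seen:
            first_seen = ts
        if m.group("host") not in hosts:
            hosts.append(m.group("host"))  # order of first contact per host
    return first_seen, hosts


def latest_clean_backup(backups, first_seen, margin_hours=0):
    """Newest backup strictly before first_seen minus a safety margin, or None."""
    cutoff = first_seen - timedelta(hours=margin_hours)
    clean = [b for b in backups if b < cutoff]
    return max(clean) if clean else None


# Constructed nightly backup timestamps, 1 to 5 March at 03:00 UTC.
BACKUPS = [parse_ts(f"2024-03-0{d}T03:00:00Z") for d in range(1, 6)]

if __name__ == "__main__":
    first, hosts = breach_timeline(SAMPLE_LOG, "203.0.113.45")
    print("first seen:", first, "hosts:", hosts)
    print("restore from:", latest_clean_backup(BACKUPS, first, margin_hours=24))
```

The margin matters: the first log line that mentions the indicator is a lower bound on how long the attacker was present, not proof that earlier activity was clean, so a restore point a day or more before first contact is the conservative choice.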

Network-Wide Cybersecurity Check

Assume that there are other undetected breaches in your system and use this alert as a reason to do a full check and sweep of every endpoint, platform, and network asset in the business data system.


Purge and Recovery Methods

Once you have fully assessed the situation, it's time to take action. Businesses have found that the best way to recover from a cybersecurity breach is a complete purge and recovery. If necessary, you can wipe endpoints to factory settings and reload from a full backup made before the breach. Otherwise, you can wipe and restore specific compromised files and network assets.

Remove Detected Viruses

Use your virus detection software to remove any viruses it identifies, then do a full systems diagnostic to ensure there are no remaining hidden processes.

Block Identified Bad Actors

If you identified IP addresses or domains associated with the hack, block and report them so that your brand and others are safer in the future.

Wipe and Recover Infected Systems

If necessary, completely wipe infected systems to factory settings. Then reinstall your chosen operating system and programs and reload your active files from a recent backup. Keeping a full-system image backup of your typical workstation and network installation is a great way to ensure speedy and efficient company-wide recovery after a breach.

Rebuild Secure Connections

Once you have cleared everything that could have been infected or led to a breach, rebuild your system to complete functionality through backups and reconnection of isolated assets.


Backup Recovery Plan

Now is an important time to make sure your backup recovery plan is in place and ready at any moment.

Check the Fidelity of Backups

Check all of your recent backups to make sure they were compressed and stored correctly and can be used in a recovery plan. Not all compression and storage processes work perfectly and, sometimes, backups get corrupted. A routine backup job can start missing parts of an updated system, or scheduled backup dates can be skipped. Give your backup system and its recent records a full once-over to make sure it is ready when you need it.
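The two checks above (are the backup files intact, and were any scheduled backups skipped) as an added example that is not part of the original article. It verifies each archive against a checksum manifest and reports missing and corrupted files, then walks the list of backup dates for gaps in the expected cadence. The manifest format, file names, dates and the daily interval are constructed; a real job would read the manifest your backup tool writes.

```python
"""Backup fidelity check: verify archives against a checksum manifest and flag
gaps in the backup schedule.

Added example (not from the original article). Builds a throwaway backup
directory with one good archive, one silently corrupted archive, and one that
the manifest lists but was never written, then runs both checks over it.
"""
import hashlib
import os
import tempfile
from datetime import date, timedelta


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(backup_dir: str, manifest: dict):
    """manifest maps file name -> expected SHA-256. Returns (ok, missing, corrupt)."""
    ok, missing, corrupt = [], [], []
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            missing.append(name)
        elif sha256_of(path) != expected:
            corrupt.append(name)
        else:
            ok.append(name)
    return ok, missing, corrupt


def schedule_gaps(backup_dates, expected_interval_days=1):
    """Dates on which a backup was due (by the expected interval) but none exists."""
    days = sorted(backup_dates)
    gaps = []
    for earlier, later in zip(days, days[1:]):
        due = earlier + timedelta(days=expected_interval_days)
        while due < later:
            gaps.append(due)
            due += timedelta(days=expected_interval_days)
    return gaps


def build_sample_backup_dir():
    """Construct a temporary backup directory and its manifest (constructed data)."""
    d = tempfile.mkdtemp(prefix="backup-check-")
    good = os.path.join(d, "db-2024-03-01.tar.gz")
    bad = os.path.join(d, "db-2024-03-03.tar.gz")
    for path in (good, bad):
        with open(path, "wb") as f:
            f.write(b"constructed backup contents\n")
    manifest = {
        "db-2024-03-01.tar.gz": sha256_of(good),
        "db-2024-03-03.tar.gz": sha256_of(bad),
        "db-2024-03-04.tar.gz": "0" * 64,  # listed in the manifest but never written
    }
    # Simulate silent corruption that happened after the manifest was recorded.
    with open(bad, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    return d, manifest


def run_check():
    """Run both checks over the constructed directory and return the findings."""
    d, manifest = build_sample_backup_dir()
    ok, missing, corrupt = verify_manifest(d, manifest)
    backup_dates = [date(2024, 3, 1), date(2024, 3, 3), date(2024, 3, 4)]  # constructed
    return {"ok": ok, "missing": missing, "corrupt": corrupt,
            "gaps": schedule_gaps(backup_dates)}


if __name__ == "__main__":
    print(run_check())
```

A checksum match proves the archive is byte-for-byte what was written, not that it restores; the "Test and Enact Recovery Plan" step below is still what proves the backup is usable.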

Take Infrastructure Backups

Consider taking infrastructure backups – like a full image of your typical workstation install or your network configuration. This will provide significant shortcuts when recovering from a widespread malware infection or a deep wipe-and-reinstall recovery process.

Test and Enact Recovery Plan

Finally, make sure your recovery plan works. The recovery plan is your method of taking a backup file and restoring your business network to full functionality. Your resistance to damage from hacks is only as reliable as your recovery plan.


Reporting, Responsibility, and Damage Control

After a cybersecurity breach, a certain amount of reporting and after-effect damage control is necessary.

Reporting a Cybersecurity Breach to Regulatory Bodies

Your business is likely required to report all or most data breaches to certain regulatory bodies, like the PCI (payment card industry) and the ICO (Information Commissioner’s Office). Know how to make this report and who is responsible for filing the report after the breach occurs.

Reporting Personal Security Risk to Affected Parties

If personal data was exposed, you may need to alert affected parties about risk to their identity and information. Clients and customers alike have a right to know if hackers might have their data. Have a plan on how to release this information through private or public means.

Identity Tracking and Damage Control

If necessary, you may need to provide those affected with identity tracking and protection services to ensure their identities are not stolen in the year or so after your breach occurs.


Cybersecurity Insurance

Last but certainly not least, make sure you have the correct cybersecurity insurance policy. This covers liability for breached personal data, loss of revenue during company downtime, and can even cover the ransom if you absolutely must pay ransomware to avoid a greater business disaster. Cybersecurity insurance has become a must-have for any company with virtual assets and information handling.



Having an emergency response plan for a cybersecurity breach is essential for any modern business. To build that emergency response plan with the support of an expert data security and network team, contact us today.
