What to Do when You Suspect a Security Breach


What are the signs of a breach?

The first indications that your network’s security is compromised may come in several different ways. These are the most common:

  • Unusual network activity. If you have network monitoring in place, it will alert you if there’s a sudden change in the quantity or kind of data transfers. The alert could mean that your data is being sent to an unauthorized system.

  • Changes in accounts. If employees are locked out of their accounts or see unexplained changes in their account status, it’s often a sign of trouble. If the account in question has administrative powers, that’s especially concerning and needs to be investigated immediately.

  • Suddenly slower performance. An abrupt drop in performance could indicate unauthorized access, malware, or data transfers to an outside system.

  • Anomalies in system logs. Log analysis tools will let you know if suspicious activity, such as logins from unexpected places, has been happening.

  • Data integrity problems. Application error messages may tell you something is wrong with your data. Whether it’s a breach or some other kind of system issue, it needs investigation.

  • Notifications from outside. You may get a message from law enforcement, from customers, or even from the perpetrators telling you your data has been compromised.
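The following script is an added example, not code from the original post: it scans login-log lines for two of the signs listed above, a login from a location not seen in the user's baseline and a burst of failed logins followed by a success (the kind of account change worth investigating). The log format, the `baseline_cutoff` date and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice src=198.51.100.4 geo=US result=success
2024-03-01T08:05:37Z user=bob src=198.51.100.9 geo=US result=success
2024-03-01T09:14:02Z user=alice src=198.51.100.4 geo=US result=success
2024-03-02T03:41:55Z user=alice src=203.0.113.77 geo=RO result=failure
2024-03-02T03:42:01Z user=alice src=203.0.113.77 geo=RO result=failure
2024-03-02T03:42:09Z user=alice src=203.0.113.77 geo=RO result=failure
2024-03-02T03:42:20Z user=alice src=203.0.113.77 geo=RO result=success
2024-03-02T10:00:00Z user=bob src=198.51.100.9 geo=US result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

def parse(text):
    """Parse the assumed key=value log format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_anomalies(events, baseline_cutoff, failure_threshold=3):
    """Return (kind, user, timestamp, detail) alerts for events at or after baseline_cutoff.

    Successful logins before the cutoff build each user's set of known locations.
    After the cutoff, a success from an unknown location is flagged, as is a success
    that follows failure_threshold or more consecutive failures for the same user.
    Users with no baseline at all (e.g. new accounts) are not flagged for location.
    """
    known_geos = defaultdict(set)
    failures = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        user, geo, ts = e["user"], e["geo"], e["ts"]
        if ts < baseline_cutoff:
            if e["result"] == "success":
                known_geos[user].add(geo)
            continue
        if e["result"] == "failure":
            failures[user] += 1
            continue
        if failures[user] >= failure_threshold:
            alerts.append(("failures_then_success", user, ts,
                           f"{failures[user]} failures before success from {e['src']}"))
        failures[user] = 0
        if known_geos[user] and geo not in known_geos[user]:
            alerts.append(("new_location", user, ts,
                           f"login from {geo} ({e['src']}); baseline {sorted(known_geos[user])}"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG), "2024-03-02"):
        print(*alert)
```

On the sample data this reports two alerts for `alice` and none for `bob`; in practice the baseline would be built from a longer window of known-good history rather than a single day.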

How to be prepared

It’s easier to deal with these signs if your people know their responsibilities and have a plan of action. Many small businesses find the best approach is to outsource data protection to a managed service provider or managed security provider. It’s difficult for a small company to justify a full-time security specialist, and giving the job to an experienced outside team is often more cost-effective.

Either way, the important thing is to have someone who’s familiar with the network and knows how to deal with security issues. The people with this task should know the network architecture and the software that runs on it. If something looks wrong, they’ll investigate it quickly and decide whether it represents a danger to the business’s data. They’ll know what steps to take and whom to notify.

Your business needs a breach response plan. It will specify who needs to be notified and what steps have to be taken. This means less panic and a more coordinated response.

How to act on a suspected breach

Whether you’ve laid out a plan in advance or not, you need to take a step-by-step approach when something looks wrong.

  1. Identify and analyze the signs of trouble. Do they indicate a significant chance of a breach, or is some other explanation more likely? Sometimes a slow system is just an overloaded system. But a breach that isn’t stopped will be expensive, so be sure there isn’t one before closing the investigation.

  2. Document and report the signs of the problem. If the breach looks real, the security team needs to let management know what’s happening and what they plan to do. They won’t have all the answers at this point, and their report should say that more details will follow.

  3. Take immediate damage control measures. There should be some quick ways to limit the damage. Dubious IP addresses can be blocked. Infected machines can be quarantined from the network. Nonessential accounts can be disabled.

  4. Identify the kind and extent of the compromised data. Subsequent actions will depend on how serious the data loss is. If only anonymized or encrypted data was compromised, the problem may not be too serious. (However, even hashed password data can help would-be intruders.) The loss of personal financial information, HIPAA-protected data, or account access information is very serious.

  5. Issue any required notifications. The breach preparedness policy should say who has to be notified, based on company policy and applicable laws and regulations. Notifications have to be issued within a specified number of days. The message will tell people what actions they need to take, if any, and what their options are.

  6. Find and eliminate the source of the problem. It can take a lot of investigation to locate the cause of a breach and correct it. It may be malware installed on the network, an account that thieves have broken into, or a software vulnerability that allows ongoing exploitation. The first problem discovered may not be the only one.

  7. Perform remediation. This step can include restoring damaged data, changing access codes, and tightening security policies. It may also require offering assistance or compensation to affected parties. Remediation includes monitoring the systems to make sure there is no recurrence. Keeping customers’ and partners’ confidence high is as important as the technical work.

Mistakes to avoid

The worst mistake is to ignore the problem and hope it isn’t real or won’t be noticed. An uncaught data breach can do major damage to a business and its reputation. It’s better to spend some time following uncertain clues than to let a breach continue for weeks.

Covering up a breach is almost as bad. If you try to keep affected parties from knowing, your liability will increase, and it will be worse for your business’s reputation when it’s discovered. A data breach is never a good thing, but if you handle it professionally and keep the affected people informed, they won’t stay upset as long.

In brief, these are the keys to dealing with a possible data breach:

  • Have qualified people on board with a plan of action.

  • Let them investigate any signs of a breach quickly.

  • Follow through responsibly, notifying affected parties.

  • Find and eliminate the breach’s cause.

  • Fix the damage.

  • Prevent a recurrence.

Follow these steps, and you will reduce the harm that a breach can do. Contact us to find out how we can help you to be prepared and reduce the chance of trouble.