My Business Has Experienced A Security Breach: What Should I Do Now?


Is your business prepared for a security breach? 

It should be; breaches have increased exponentially over the last 15 years.

From 2005 to 2020, data breaches increased tenfold, and the amount of records exposed more than doubled. 

In our experience, it’s only a matter of time before your business is breached—it’s a question of when, not if. 

When your business experiences a security breach, a number of steps must be enacted immediately to mitigate its effect. 


Consult Your Incident Response Plan

The most important thing you can do when a breach happens is to consult your incident response plan.

This means that an incident response plan must be drafted and reviewed prior to any breach in order to mitigate its effects. 

The incident response plan assesses risks your organization faces, potential security issues you may have, and provides the steps you need to take when your business is breached. 

The plan should also include the following steps in this article. 


Isolate and Stop The Event

The next step you should take is isolating and stopping the event so it doesn’t spread to other workstations and servers on your network. 

Depending on the nature of the event, your team or your managed security services provider should be able to detect where the event is and prevent its spread. 

One of the ways this can be done is with an endpoint detection & response solution

EDR is the next generation of antivirus protection that collects information from workstations and servers, using artificial intelligence to detect any anomalies. In other words, EDR doesn’t require that a workstation goes down before it enacts protective measures. 

By implementing EDR, we create a secure barrier around non-infected parts of the network and bring other workstations back online incrementally, which helps us detect where the issue is located. 

Exact recommendations for isolating and stopping the event will depend on how your system has been breached. 


Communicate That An Incident Has Occurred

Once an event has occurred, it must be communicated to both internal and external audiences. 

Internally, your employees should know about the incident. Explain what has happened and what they can do right away to prevent its spread. 

Externally, your business may need to communicate to a group of stakeholders, a board of directors, or even investors. 

Regulated entities also must report this to their appropriate regulatory body. 

For instance, healthcare and financial institutions are the two most-breached businesses today. Healthcare organizations must report to the Department of Health & Human Services, while a bank or credit union may need to report to their chartering organization—the FDIC, the Federal Reserve, the OCC, or the state. 


Contact Your Insurance Provider 

If your business has a cybersecurity insurance policy, call your provider. They should be able to provide you with resources to start cleaning up a breach. 

We’ve found that IT teams have been quick to wipe servers in order to mitigate a breach’s effect. 

While it may be tempting, we plead with you to avoid this strategy. 

By deleting information from your system, you eliminate evidence that can be provided to authorities, and your insurance provider may be less likely to cover damages. 


Contact Authorities

Speaking of authorities, they also must be contacted in the event of a security breach. 

The Internet Crime Complaint Center (IC3) is a division of the FBI and allows you to file a complaint, as well as stay up to date with consumer and industry alerts. 

Local authorities should also be involved. More often than not, we’re finding that law enforcement agencies have a detective assigned to cybercrime and can provide resources not otherwise available to civilians. 


Begin Data Recovery Procedures

Finally, we can enable disaster recovery procedures. 

This involves running internal vulnerability scans and assessing patch reports to identify any security updates that need to be applied to servers or workstations. 

Detecting and responding to a security breach is a challenging situation for everyone involved. 

The most important action you can take is to draft an incident response plan before an incident happens—and, it’s a good idea to review it every 6-12 months to ensure it is current as cybersecurity issues evolve over time. 

At least, your business should be conducting an annual cybersecurity assessment by reviewing your data security posture.

If your business has been breached, please contact us at Integrity to help with remediation.

Take this 5-question quiz to find out how prepared your business is for a cybersecurity incident

Read On