Sooner or later, no matter how strong your company’s defenses are, someone will manage to compromise your security. No combination of defenses is 100% immune to an assault by a skilled and determined attacker (or group of attackers). The scary thing is this: according to data cited by the U.S. Securities and Exchange Commission, “60 percent of small firms go out of business within six months of a data breach.”
However, just because you’ve suffered a security breach doesn’t mean it’s the end of the world (although it may feel that way). It is possible to recover from a security breach and return to business as usual—if you have a plan in place for recovering from the incident and have taken steps to prepare for this eventuality.
Simply put, a security breach occurs whenever any unauthorized user penetrates or circumvents cybersecurity measures to access protected areas of a system. The perpetrator could be a real person, such as a cyber hacker, or could be a self-directing program, such as a virus or other form of malware.
Security breaches can be the result of intentional actions or accidental ones. Intentional breaches are usually driven by one of a few motivations: the attacker wants to gain access to secure information (resulting in a data breach), to use computing resources for their own purposes (common in cryptojacking attacks), or to crash the network itself for personal or political reasons. As frightening as these attacks can be, they’re often easier to identify and plan for than accidental breaches, which occur through some combination of error and negligence.
Although the terms are often used interchangeably, a security breach and a data breach aren’t quite the same. A security breach is a failure of cybersecurity controls, but that doesn’t necessarily mean private or confidential data was compromised. The term “data breach” applies when secure information is accessed by an unauthorized user or released into an untrusted environment.
Broadly speaking, data breaches can be broken down into seven distinct categories:
This category includes a variety of techniques used by cyber criminals to access secure data, such as phishing scams, brute force access attempts, ransomware, and various forms of viruses/malware.
A particularly dangerous type of data breach, insider threat refers to any situation where an employee (or vendor) uses their knowledge of security controls to access and compromise data, usually for financial gain.
Portable storage devices, such as laptop hard drives, backup tapes, and flash drives, are useful for physically transporting data from one location to another intact, but there is always a chance of them being lost or damaged in transit.
While most organizations keep their IT networks safely secure behind firewalls and cybersecurity software, they must also contend with the possibility of someone walking out the front door with a company laptop filled with proprietary, and potentially sensitive, information. There’s also the risk of a thief using social engineering techniques to gain access to a secure location and downloading data onto a portable drive.
Unfortunately, mistakes sometimes happen. When it comes to cybersecurity and data handling, they tend to happen quite often. According to data from the UK’s Information Commissioner’s Office (ICO), roughly 90% of the country’s data breaches in 2019 were the result of human error.
Most organizations understand that exposing data to the public internet substantially increases the risk of exposure and unauthorized access. This was less of a problem when data was stored primarily on on-premises servers and accessed over LAN connections, but the rise of cloud computing has forced companies to take much more proactive measures to protect data that is accessed over the internet. Exposing data to the public internet increases the likelihood of accidental data leakage or “man in the middle” cyberattacks.
Weak access controls, such as poorly monitored admin privileges or a lack of user segmentation, can lead to people handling and sharing data that they have no business using in the first place. Without good access policies in place, organizations make it more likely that other forms of security breaches could occur, ultimately leading to costly data breaches.
When it comes to recovering from a security breach, preparation is key. If you don’t have the right tools in place, you may not even be able to identify a security breach—let alone contain and eliminate it.
Here are some key preparations to help protect your organization from a security incident. The more prepared you are for an attack, the easier it will be to remediate it quickly. This, in turn, helps to limit the impacts of a cybersecurity breach.
How can you protect your network if you don’t know what’s on the network? Performing a complete audit of the IT assets on your network is a must if you’re going to account for all of the resources you need to protect—and possibly replicate as part of your recovery plan.
The ability to spot a breach quickly is crucial: a rapid response minimizes damage and makes recovery and risk mitigation easier. Intrusion detection systems (IDSs) help you identify when security breaches occur so you can respond to them sooner rather than later. Intrusion prevention systems (IPSs) take things a step further by automatically triggering network breach response measures that help contain the attack immediately. Security information and event management (SIEM) systems gather and correlate information about the network hacking attempt to reveal the methodology of the attack—which is useful for preventing future attacks.
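To make the IDS/SIEM idea concrete, here is an added example (not code from the original article, and not a Compuquip product) of the kind of correlation rule a SIEM runs over authentication logs: it flags a source address that produces a burst of failed logins inside a short window, and records whether a successful login from that same source followed the burst, which is the signal that a brute-force attempt may have worked. The log format, hostnames, addresses and thresholds below are all constructed for the example.

```python
"""SIEM-style brute-force detection over authentication log lines.

Added example: the log lines are constructed (RFC 5737 documentation
addresses, invented usernames), and the sshd-like line format, the
5-failure threshold and the 2-minute window are assumptions, not values
from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
2024-01-15T09:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 51234
2024-01-15T09:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 51235
2024-01-15T09:00:04 sshd[811]: Failed password for root from 203.0.113.7 port 51236
2024-01-15T09:00:06 sshd[811]: Failed password for admin from 203.0.113.7 port 51237
2024-01-15T09:00:07 sshd[811]: Failed password for admin from 203.0.113.7 port 51238
2024-01-15T09:00:09 sshd[811]: Accepted password for admin from 203.0.113.7 port 51239
2024-01-15T09:05:00 sshd[812]: Failed password for alice from 198.51.100.4 port 40001
2024-01-15T09:05:30 sshd[812]: Accepted password for alice from 198.51.100.4 port 40002
"""

# One line of the assumed format: timestamp, process, result, user, source, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source that reaches `threshold` failures within
    `window`. If a successful login from that source follows the burst, the
    alert is upgraded with the account that was logged into."""
    recent = defaultdict(list)   # src -> timestamps of failures still inside the window
    alerts = {}                  # src -> alert dict (first burst only)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            # Keep only failures that are still within the sliding window.
            recent[src] = [t for t in recent[src] if ev["ts"] - t <= window]
            recent[src].append(ev["ts"])
            if len(recent[src]) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "failures": len(recent[src]),
                    "burst_start": recent[src][0].isoformat(),
                    "success_after": False,
                    "compromised_user": None,
                }
        elif src in alerts and not alerts[src]["success_after"]:
            # A success after a burst is the high-priority signal.
            alerts[src]["success_after"] = True
            alerts[src]["compromised_user"] = ev["user"]
            alerts[src]["success_at"] = ev["ts"].isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

Run on the sample, the rule produces a single alert for 203.0.113.7 with five failures and a subsequent successful login as `admin`; the lone failure from 198.51.100.4 stays below the threshold. A real SIEM adds the obvious refinements (per-user as well as per-source counting, allow-lists for scanners, alert deduplication), but the sliding-window shape is the same.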
An incident response plan (IRP) is the document that outlines what each person in the organization needs to do in response to a network breach. Having an IRP in place helps employees react more quickly and consistently to network hacks so the breach can be contained and eliminated faster. Part of setting up an incident response plan is distributing the plan to every employee in the organization—and then verifying that they understand and can meet the expectations laid out in the IRP document. This may require extra training sessions or meetings to go over the plan’s contents and explain how to use specific tools needed to identify, contain, and eliminate a network breach. Every employee in the organization should have a clear role in the IRP—even if that role is just to report incidents up the chain to key stakeholders in the response plan.
Before an attack occurs, it’s essential to create a remote data backup of your organization’s most important information so local files can be restored following a network breach. This helps prevent data loss from breaches that damage or encrypt locally stored files. It’s also an important part of a disaster recovery (DR) plan. Setting up the backup, naturally, requires the organization to categorize all of its data so the most important information can be preserved in an emergency. Trying to simply copy everything bloats the backup, slows down data copying, and adds unnecessary expense, since you pay for storage to hold everything rather than only the mission-critical data.
Penetration tests are a crucial tool for risk mitigation, identifying vulnerabilities in your security preparations so you can fix them before a breach occurs. In a penetration test (sometimes called a “pen test”), cybersecurity experts intentionally try to break your cybersecurity architecture. This helps to identify exploitable weaknesses in the network—which you can then fix before attackers are able to use them. These tests should be carried out frequently—especially after any major modifications to your organization’s software or IT hardware.
While having an incident response plan is useful, having people with the right skills and experience to handle your response to a security breach is just as important. An incident response team (IRT)—whether pulled from internal IT staff or from a third-party cybersecurity staffing provider—can help make sure your IRP is carried out as smoothly as possible. Your IRT personnel will collect, analyze, and act on the information gleaned about security incidents. Some organizations refer to this specifically as a computer security incident response team (CSIRT) because they may have to deal with incidents other than data or network breaches.
When a security breach does occur, organizations need to have a clearly defined plan of action. The incident response plan should serve as the guiding light in these situations. Ideally, the plan will have been broadly shared throughout the company to ensure that everyone knows their roles and responsibilities during a cybersecurity incident.
Identifying that there was a breach at all is the first step on the road to recovery. The faster you spot a breach after it occurs, the better off your company will be, because it takes attackers time to break out of the first system they compromise and get at the rest of your network.
The second step is to contain the breach—cutting off the attacker’s access by isolating the system(s) they’ve compromised or revoking the access privileges of the user account they’re abusing.
After the threat is contained, the third step is to eliminate it. The means of elimination may vary depending on the type of breach that occurred. For example, a ransomware infection may require that all affected data storage media be completely formatted (or even physically removed and replaced) to remove the ransomware. Then, the lost data can be restored from a remote backup (assuming one exists).
If you can identify, contain, and eliminate a breach before the attacker breaks out of the system they initially compromised, you can minimize the damage the breach causes.
Only after the source of the attack is eliminated can the recovery process actually begin.
Knowing how the attack happened is a must for preventing attackers from simply repeating the same attack strategy again. Also, any affected systems should be investigated for signs of further compromise—the attacker may have left other malware on the system during the time in which they had access.
Activity logs from the time of the breach should be preserved for forensic analysis at a later date. These logs can help you identify the source of the attack so you can block future attempts.
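Preserving logs “for forensic analysis at a later date” only helps if you can later show that the preserved copies are the ones collected at the time and have not been altered since. The following added example (not the article’s or any vendor’s tooling) shows the minimum a responder does: copy each log file into an evidence directory, record its size and SHA-256 hash in a manifest, confirm the copy matches the source, and re-verify the manifest later so that any modification or missing file is detected. The file names, contents and directory layout are constructed for the example.

```python
"""Preserve log files as forensic evidence with a hash manifest.

Added example. The log files, their contents and the directory names are
constructed; a real collection would also record who collected the files
and sign or externally store the manifest (chain of custody)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_logs(log_paths, evidence_dir):
    """Copy each log into evidence_dir and write manifest.json describing it."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in log_paths:
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)          # copy2 also preserves the original mtime
        if sha256_file(dst) != src_hash:  # guard against a corrupted copy
            raise IOError(f"copy of {src} does not match source")
        entries.append({
            "file": os.path.basename(src),
            "source_path": os.path.abspath(src),
            "size": os.path.getsize(dst),
            "sha256": src_hash,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"evidence_dir": os.path.abspath(evidence_dir), "entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Recompute every hash; return {file: 'ok' | 'modified' | 'missing'}."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    status = {}
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            status[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["file"]] = "modified"
        else:
            status[entry["file"]] = "ok"
    return status


def demo():
    """Constructed walk-through: preserve two fake logs, verify, then show that
    appending a line to one preserved copy is caught on re-verification."""
    work = tempfile.mkdtemp(prefix="breach-evidence-")
    logs_dir = os.path.join(work, "logs")
    os.makedirs(logs_dir)
    samples = {  # constructed log contents, not real data
        "auth.log": "2024-01-15T09:00:01 sshd[811]: Failed password for admin from 203.0.113.7\n",
        "web.log": "203.0.113.7 - - [15/Jan/2024:09:01:00 +0000] \"GET /admin HTTP/1.1\" 403 0\n",
    }
    paths = []
    for name, text in samples.items():
        p = os.path.join(logs_dir, name)
        with open(p, "w") as f:
            f.write(text)
        paths.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(paths, evidence)
    before = verify_evidence(evidence)
    with open(os.path.join(evidence, "auth.log"), "a") as f:  # simulate tampering
        f.write("injected line\n")
    after = verify_evidence(evidence)
    shutil.rmtree(work)
    return {"files": [e["file"] for e in manifest["entries"]], "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should itself be stored somewhere the attacker cannot reach (a write-once bucket, a separate host, or a printed hash list), because a hash that lives beside the files it protects proves only that the two were changed together.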
During your investigation of the breach, you should be able to determine which systems were compromised and what data, if any, was put at risk of being compromised. As soon as you can, you should send out notifications to any and all parties that may have been affected by the security breach.
Notification laws may vary by state, as noted by the National Conference of State Legislatures. Because of this, the time limit that your business has to notify its customers, vendors, and others affected by a breach may be different. As a rule of thumb, the faster you can send out a notification, the better.
Contact methods for notifications may vary, and it is often a good idea to send out notifications through multiple methods whenever possible to ensure that those affected by a breach are notified. For example, you could send out a mass email, regular mail, or automated calls to warn customers that they may have been affected.
In the email/mail/phone message, be sure to note the date of the breach, what kinds of files may have been compromised, and what steps the message recipient should take to protect themselves based on the type of data that was compromised.
Sending out these kinds of notices is crucial for protecting your company’s reputation after a breach. Being prompt and honest, in addition to working to protect customers who may be affected by a breach, demonstrates that you take your customers’ data safety seriously. This, in turn, helps reduce the backlash that inevitably follows a major data security breach.
The authorities should also be notified as soon as possible so they can help with the investigation (and to comply with certain security breach notification laws).
Restoring the individual assets that were compromised to your network can occur in a number of ways, depending on how you’ve prepared for the security breach. In some cases, it may be possible to simply wipe or replace the data storage drives of the affected IT assets and download any lost data from a backup.
In other cases, it may be possible to activate entire cloud-based replicas of your network environment to near-instantly restore your business’s network to normal while you work to investigate the security breach.
Basically, how you restore the assets on your network will depend on the business continuity (BC) and disaster recovery (DR) plan that you have in place. A BC/DR plan is something that you should have set well in advance to create fail-safes so that if one of your assets is taken down, you have a means of keeping your business going.
For example, if you have a remote, cloud-based replica of your primary production environment ready to be spun up on a moment’s notice, you may want to activate it while your primary production environment is taken offline for more extensive fixing.
When restoring assets, be sure to catalog which assets have been taken down and what is supposed to be on your network according to your latest asset identification efforts. This way, you can be sure that you haven’t missed anything—and that no extra surprises are left on your network, either.
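The asset audit described earlier and the restoration check described here are two uses of the same comparison: the inventory you built before the incident against what is actually on the network now. The added example below (not code from the article or from Compuquip) reconciles a baseline inventory with a list of observed hosts and reports three things a responder wants: baseline assets that are absent (split into those you deliberately took down and those that are unaccounted for), hosts present that the inventory never listed (the “extra surprises”), and assets whose address no longer matches the record. The hostnames, addresses and roles are constructed.

```python
"""Reconcile a pre-incident asset inventory against currently observed hosts.

Added example: BASELINE, OBSERVED and the set of deliberately isolated hosts
are constructed sample data; in practice the observed list would come from a
network scan or endpoint agent export."""

# Constructed inventory from the last asset identification effort.
BASELINE = [
    {"hostname": "web-01", "ip": "10.0.1.10", "role": "web"},
    {"hostname": "web-02", "ip": "10.0.1.11", "role": "web"},
    {"hostname": "app-01", "ip": "10.0.1.40", "role": "application"},
    {"hostname": "db-01",  "ip": "10.0.2.20", "role": "database"},
    {"hostname": "fs-01",  "ip": "10.0.3.30", "role": "file-server"},
]

# Constructed snapshot of what is reachable on the network after containment.
OBSERVED = [
    {"hostname": "web-01",   "ip": "10.0.1.10"},
    {"hostname": "web-02",   "ip": "10.0.1.15"},   # same host, IP changed
    {"hostname": "fs-01",    "ip": "10.0.3.30"},
    {"hostname": "tmp-vm-7", "ip": "10.0.9.99"},   # never inventoried
]


def reconcile(baseline, observed, taken_down=frozenset()):
    """Compare inventory with observation.

    taken_down: hostnames the response team isolated on purpose, so their
    absence is expected rather than a gap in the restoration."""
    base = {a["hostname"]: a for a in baseline}
    seen = {a["hostname"]: a for a in observed}

    missing = [h for h in base if h not in seen]
    return {
        # absent and explained by the team's own containment actions
        "expected_down": sorted(h for h in missing if h in taken_down),
        # absent with no record of why: restoration is incomplete here
        "unaccounted": sorted(h for h in missing if h not in taken_down),
        # present but not in inventory: could be a forgotten asset or an attacker's
        "unexpected": sorted(h for h in seen if h not in base),
        # listed, present, but the address on record is stale
        "changed_ip": sorted(h for h in base if h in seen and base[h]["ip"] != seen[h]["ip"]),
    }


def restoration_order(baseline, report, priority=("database", "application", "web", "file-server")):
    """Order unaccounted and expected-down hosts by role priority so the BC/DR
    runbook restores the most critical services first (priority is an assumption)."""
    role = {a["hostname"]: a["role"] for a in baseline}
    rank = {r: i for i, r in enumerate(priority)}
    pending = report["unaccounted"] + report["expected_down"]
    return sorted(pending, key=lambda h: (rank.get(role[h], len(rank)), h))


if __name__ == "__main__":
    report = reconcile(BASELINE, OBSERVED, taken_down={"db-01"})
    for key, hosts in report.items():
        print(f"{key:14s} {hosts}")
    print("restore in order:", restoration_order(BASELINE, report))
```

With `db-01` recorded as deliberately isolated, the report shows `app-01` as unaccounted for, `tmp-vm-7` as an unexpected host to be investigated before it is trusted, and `web-02` as an inventory record that needs updating. The same function run before an incident, with an empty `taken_down` set, is the periodic audit from the preparation section.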
After you’ve recovered from the attack by following the BC/DR plan you have in place, it’s important to prepare for the next attack. If you’ve been hit once, there’s a good chance you’ll get attacked again by the same group—or by others using the same attack strategy.
This is where your investigation into the attack can prove invaluable. By studying the attack method and finding out how the attacker(s) got in, you can identify the gaps in your cybersecurity that allowed the attack to occur and close them. Doing so can help prevent future breaches.
Also, studying your BC/DR plan implementation can help you learn how to improve the plan for the future. Making these improvements can help to improve your response speed to an attack and minimize the downtime and disruption that an attack can cause.
Many organizations aren’t sure where to start when it comes to protecting their essential systems from a security breach and putting a plan in place to respond to incidents when they do occur. That’s why having an experienced managed security service provider (MSSP) at your side can be so valuable, both before a crisis occurs and when a major security incident is unfolding. Whether it’s evaluating cybersecurity controls, conducting vulnerability assessments and penetration testing, or monitoring for threats through a co-managed SIEM solution, Compuquip Cybersecurity has the knowledge and expertise to help ensure your business continuity.
Download our free guide, Back to Cybersecurity Basics, to learn more about the steps you can take to protect your company’s network, prevent security breaches, and improve your overall cybersecurity posture. If you’re ready to seek out expert advice from an experienced cybersecurity professional, contact our team today and tell us all about your unique security needs.