
Data Breaches: How to React and Respond

In our last article, we looked at the significant questions that need to be addressed when considering data migration to the cloud, whether to public or private cloud services, and what you need to consider when preparing your data for cloud migration. With the best will in the world, and even the best laid plan, things can go wrong. A data breach can have serious consequences for your business, your customers, your reputation and even your viability as a business. If a data breach does occur, you need to have a plan to assess, mitigate and respond.

Assess the type of breach

Under the GDPR, a data breach has occurred if one of the following criteria applies:

Damage to data: Personal data has been altered, corrupted or is no longer correct. This is known as an integrity breach.

Unlawful processing: Personal data has been accessed by, or leaked to, recipients who are not authorised to receive or access that information. This is also classified as a confidentiality breach.

Destruction of data: Data has been inadvertently destroyed or deleted. This is known as an availability breach.

Initial response

If there has been a breach of personal data, the last thing you should do is try to hide it or hope it will not be uncovered. That will only lead to further trouble down the line; you need to take steps to address it. All breaches must be reported within 72 hours under the GDPR.

The first thing you need to do is notify the Data Protection Officer (DPO) within your organisation; this is a legal requirement. Then, working with your cloud provider, you need to mitigate any widening of the breach and ensure that the situation is stabilised. You need to fully account for how the breach occurred, which fulfils the GDPR principle of accountability, including assessing what the possible implications might be for your customers. You will then need to communicate the reality of the breach to your business and your customers, and clearly address the concerns of those whose data has been compromised, either in whole or in part. Use clear, concise and consistent language when communicating this information, avoiding technical jargon or confusing wording. Your DPO needs to be the point of contact for anyone seeking recourse, so their contact details need to be shared, as this may be only the start of a consultative process.

Containment and management

Once the breach has been reported and communicated through the proper channels, you need to ensure that the affected data systems are back under control and that no further leakage of data is occurring. If the breach is still ongoing, you may need to take short-term measures such as disconnecting affected systems from the network and blocking any further access, so that evidence of what has occurred cannot be tampered with. Your IT security team needs to closely monitor network entry and exit points and update all user credentials where necessary. If the breach has resulted in data being published on the web, endeavour to have it removed as soon as possible. If it is a ransomware attack, law enforcement needs to be consulted on the best next steps.

However, like any other breach, a ransomware attack needs to be handled transparently, with affected customers informed swiftly and clearly.

Investigation and future proofing

When the breach has been contained and the scope of the damage has been ascertained, you need to gather the evidence of what occurred and of how any security controls you had in place, such as encryption, were defeated. You may need forensic cyber security experts for this part of the process, whom you may well not have on staff, but hiring trusted professionals to manage this phase is crucial, both to protect trust in your business and to demonstrate that the strongest possible steps are being taken to protect against any future breach. If the breach is cloud-based, then your service provider will obviously have many questions to answer, as they are the custodian of your data. Their answers will tell you a great deal about their reliability as a continuing, or future, service provider.

Trust versus verification

The most recent IBM Cost of a Data Breach report surveyed 550 organisations that were affected by a data breach over a 12-month period. The breaches investigated occurred across 17 countries and regions and 17 different industries. Some headline figures from the research make for stark reading. 83% of the organisations affected had experienced more than one data breach. 60% of those affected had to pass price increases on to customers, 45% of the breaches were cloud-based, and almost 20% of the breaches occurred because of a data failure at a partner. In the US context, IBM's research puts the cost of a data breach at $4.35 million, a punishing price for any organisation to pay. Ransomware attacks were costed at $4.54 million, which does not include the cost of any ransom paid. The new world of remote and hybrid working also comes with a price: an extra $1 million was attributed to breaches that occurred in a remote working environment compared with those that occurred on site.

Interestingly, 79% of the breaches happened at organisations that had not deployed a zero-trust architecture (ZTA). Zero trust is based on the premise that, when it comes to data and cyber security, implicit trust is eliminated and replaced with continuous verification. In practice this means robust authentication methods intended to reduce, as far as possible, the likelihood of a user gaining access to a network and then being free to wreak havoc without ever having their credentials challenged again. Zero-trust architecture is one of the most important steps your organisation can take to safeguard against a possible data breach.

For expertise and information on the best cyber and data protection practices for your business, get in touch with us at IT Experts Europe.