What to do after a data breach | Dump Trucks Charlotte NC

First published on

At some point, every organization will have to deal with some sort of cyber incident. 

In a perfect world, the post-attack reaction is well choreographed, with everyone taking their positions and flawlessly executing their often-rehearsed roles in the data breach response plan. 

More often, incident response resembles a group of young children on a soccer field. It's pure chaos, with everyone surrounding the goal and trying to kick the ball at the same time — no one has any success. 

It might look cute on a schoolyard, but that type of reaction by the security team will lead to large fines, loss of business and reputation, and in some cases, employees being fired. 

The attack itself is inevitable; 62% of companies dealt with a cyber incident or data breach in 2021, according to a KPMG survey. So it isn’t the incident itself that will be the biggest problem.

How an organization reacts in the aftermath and how they come out on the other end will make all the difference.

It starts with communication

Long before a data breach, well-prepared companies will have their incident response team in place, including representatives from the security and IT teams, legal, marketing and public relations, maybe human resources. 

Hopefully, this group will conduct tabletop exercises with enough frequency that all the players know exactly what to do so the reactions are instinctive, not panicked. 

The technical response to a breach is important, of course, but perhaps the most vital action from the response team is its communication, according to Siobhan Gorman, partner with the Brunswick Group, speaking on a panel at RSA Conference 2023. How a crisis team works together depends on how well it communicates.

“There will be a lot of legal issues around what you can and cannot say,” said Gorman in April.

What happens too often is people will overshare information about the breach. Oversharing too early in the mitigation process leads to speculation because the details of the incident aren’t complete. Putting out incorrect or misleading information creates new layers of damage.

The communication strategy is layered. It begins internally, among the incident response team and then through the entire company, and moves externally, to customers, third-party columbus oh dump truck company and the media. 

Agility, flexibility, scalability

Putting the data breach response into action requires agility, flexibility and scalability, said Chandra McMahon, SVP and CISO with CVS Health, speaking during a panel at RSA. 

The incident playbook will provide the guardrails, but there has to be a willingness to react and scale up to the realities of what could happen in the next hour, next day and next month following a breach. 

There is a lot of uncertainty around a data breach about the best way to keep the business running or whether to pay a ransom. Those decisions can’t be made until the impact of the incident is fully known. 

Many companies do have beautiful incident response plans—well written, lots of details, 100 pages long with flow charts so it appears to cover everything, said RSA panelist Brad Maiorino, CISO with Raytheon Technologies. But when the incident happens, does the plan get used? Too often, the answer is no. 

“It sits on a shelf because it's too rigid; it's not flexible,” said Maiorino. 

Doing it well or fumbling the response

Uncertainty makes itself known in the response team’s communication style. The team’s first decision is two-fold:

• Who should a business notify first: the board of directors, customers or the media?  
• And at what point in the remediation process does the notification occur? 

If you go out too soon and provide only vague details, that’s not going to inspire a lot of confidence, said Gorman. At the same time, you won’t ever have full details to report. 

Once the incident is announced, the questions will come flooding in from all directions, and the way the organization responds to this will seal the perception.

“Managing the incoming is the thing that I think most makes or breaks the response to a cyber incident, because if you do it well, people say, ‘okay, you're on top of it, I trust you,’” Gorman said. “If you don't do it well, they say, ‘oh well, they're fumbling. They can't answer my question, so they probably don't know what they're doing.’”

Follow a checklist

In the aftermath of one of the more infamous cyber incidents, the cyberattack on SolarWinds, the columbus oh dump truck company didn’t trust their email system for a period of time during the aftermath.