Sergey Nivens - Fotolia

How to deal with the aftermath of a data breach

Considering that a data breach could happen to any company, at any time, a plan of action is the best tactic

Breaches are continuing to happen and the bad news is that their severity in terms of number of records and impact upon consumers shows no decrease.

From the major HMRC breach of 2007 to those recently suffered by TalkTalk and VTech, we have seen time and again that no matter the size of the business or vertical, anyone can suffer.

So if it could happen at any time, a plan of action is the best tactic. Brian Vecci, technology evangelist at Varonis, recommended spending more time making sure that once someone is inside, their activities will be observed and controlled instead of pouring all of your energy into building a very high, very strong fence.

Jay Abbot, managing director of Just Advanced Security Consulting, said that most companies could not detect a breach if it occurred, and the ones they do notice are the ones where the attackers go public with the outcome.

“The biggest part of preparedness is the ability to actually detect a breach,” Abbot says. “In security, we typically think defensively and layer up controls that place defences at different locations, but we rarely actually put in place a dedicated monitoring solution that can look at everything and identify anomalous activity.”

The Sans Institute recommends a six-point plan when dealing with incident response, including preparation, identification, containment, eradication, recovery and lessons learned. In a recent talk at the Dublin conference Irisscon, Paul Keane from IDT911 provided a guide for incident response steps, including:

• Assess data risks

• Manage and transfer risks

• Develop an incident response plan

• Conduct employee training

• Platform vulnerability and penetration testing

• Execute incident response plan drills

Gavin Millard, CTO at Tenable Network Security in Europe, said the recommended steps should include:  

• Identification of an incident

• Containment to ensure no further impact from the breach

• Eradication

• Recovery

 • Lessons learned

Abbot said that rather than following a set formula, plans are nearly always bespoke, but do contain a basic set of actions:

• Establish what is happening

• Bring together all required parties

• Get things under control

• Mitigate side effects

• Manage the external messaging

• Return to business as usual

• Lessons learned

• Improve

It is clear that a combination of soft and technical skills is required, because if a breach has occurred there has been some failing of the technical capabilities and now the emphasis is on creating a more secure culture.

Javvad Malik, security advocate at AlienVault, said that any good incident response plan should contain the following three key actions:

1) Prioritising your assets

2) Capturing baselines

3) Understanding the most important assets that would seriously damage your business if they fell into the wrong hands

He also recommended directing and documenting actions and delivering regular updates because the incident response team members (especially those who are outside of IT) will need ample instruction, guidance and direction on their roles and responsibilities.

Finally, communicate with executive leadership and share your analysis of the current security posture of the company, review industry trends, key areas of concern and your recommendations for improvement with the executives.

The primary priority is to stop the bleeding of sensitive data, which must be prioritised above any other business to ensure that all appropriate resources are available to stop any further information loss.

After that, the best advice on technical recovery fits within the following common themes:

• Identification

• Containment

• Eradication

Soft skills apply to:

• Employee training at all levels

• Communication

• Lessons learned


Understand what happened, how the attackers got in, or how the data got out, and make sure nothing is still leaking from your databases. Knowing what your situation and posture is, and being able to start from that position, has to be the first step.


Are the attackers out? Ensuring that nothing else is leaving the business should also be in the opening stage of incident response. Alternatively, was it a one-off breach that was easy to understand where the failings were? Has that member of staff or department been able to lock down the instance to ensure they understand what went wrong and how to prevent it happening again?


Deal with the issue and focus on removing and restoring the affected systems. The Sans Institute recommends ensuring that steps are taken to remove malicious and other illicit content from the affected systems by doing a complete reimage of a system’s hard drive, and scanning affected systems and files with anti-malware software.

Employee training

Into the soft skills, and the first line of defence is your employees and getting them up to speed on what has happened, and action them on key points. Was the breach due to a malware infection and how did it get in? Alternatively, was it due to an employee action and is this something that could be prevented next time? Dont just focus on the employees on the ground, get the board involved and ensure the whole organisation is buying into the security culture.


With the whole business buying into your concept of a secure culture, the next thing to get is everyone on the same line when it comes to external communications. Your IT policy should already include no tweeting or updates on company matters, and at the time of an IT issue you should stress the need for silence and strongly discourage any comments that could cause you further problems. Think “loose lips sink ships”.

Lessons learned

Can you pick up the pieces easily and recover from this issue? If so, then you are well on the way to getting back to business as usual. In some cases, if this has been reported by the press the mud may stick for a while, and there may be the data protection regulator to deal with also. Follow examples set by some other high-profile breach victims and appear stronger from what you have learned by understanding what went wrong and making sure you have the best tactics to prevent a reoccurrence.

Read more on Data breach incident management and recovery

Data Center
Data Management