INTRODUCTION
“A data breach itself is the second worst possible event that can occur in an organization; the mismanagement
of the communication about the response is the worst.” This observation comes from Exabeam chief security
strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare
breach response in history. Moore added that the time spent on a breach, including audit, regulatory, and
litigation support, can last not months but years.
I previously covered 5 ways you can prepare for a breach, which can help reduce risks. If a breach still occurs
despite those precautions, however, here are eight things you should do within 48 hours to manage and contain
the situation as best as you can.
Regardless of the type of breach, these steps should apply—whether it involves a single device, a series of
systems, or a company-wide intrusion.
1. FREEZE EVERYTHING
Take affected devices offline but do not shut them down or make any changes just yet. The goal is to stop any
ongoing activity by limiting communication to and from the impacted systems, without taking any action that
might erase clues, contaminate evidence, or otherwise inadvertently aid the attacker.
In the case of virtual machines or other systems you can snapshot, I recommend doing so now so that you will
have a recorded version of the system at the time the breach was occurring. You can analyze the snapshot later
in an offline state.
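The following is an added example and is not code from the article or from Exabeam: a POSIX shell script that preserves the volatile state of a suspected-compromised Unix host (processes, network connections, logged-in users, mounts) into a timestamped evidence bundle with a SHA-256 manifest before anyone isolates or otherwise touches the box. The isolation step itself (pulling the cable, VLAN quarantine, hypervisor snapshot) is environment-specific and is deliberately left out; the function names and bundle layout are this example's own, and only standard tools (ps, ss, netstat, who, mount, sha256sum or shasum) are invoked, each skipped with a note if absent.

```shell
#!/bin/sh
# Added example (not from the original article): capture volatile evidence from a
# suspected-compromised host before isolation, so containment does not erase clues.

# hash_file FILE: print "hash  filename" using whichever SHA-256 tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# capture DIR NAME CMD [ARGS...]: run CMD, save output to DIR/NAME.txt and record
# the exit status. A missing tool is logged and skipped, never aborts collection.
capture() {
    dir="$1"; name="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s skipped: %s not found\n' "$name" "$1" >> "$dir/collection.log"
        return 0
    fi
    if "$@" > "$dir/$name.txt" 2>&1; then status=0; else status=$?; fi
    printf '%s exit=%s\n' "$name" "$status" >> "$dir/collection.log"
}

# collect_volatile_evidence OUTDIR: create OUTDIR/<UTC timestamp>-<host>/ holding
# the captures, a collection log and a SHA-256 manifest; print the bundle path.
collect_volatile_evidence() {
    host=$(hostname 2>/dev/null || echo unknown)
    out="$1/$(date -u +%Y%m%dT%H%M%SZ)-$host"
    mkdir -p "$out" || return 1
    date -u > "$out/collected_at_utc.txt"
    # Most volatile first: who is connected and what is running right now.
    capture "$out" ss      ss -tanp
    capture "$out" netstat netstat -an
    capture "$out" ps      ps -ef
    capture "$out" who     who
    capture "$out" uptime  uptime
    capture "$out" mounts  mount
    capture "$out" id      id
    capture "$out" uname   uname -a
    # Hash every collected file so later analysis can show nothing was altered.
    ( cd "$out" && for f in *; do
          [ "$f" = manifest.sha256 ] && continue
          hash_file "$f"
      done > manifest.sha256 ) || return 1
    printf '%s\n' "$out"
}
```

Usage: `collect_volatile_evidence /mnt/evidence` (ideally a mounted external or network volume, not the compromised disk) prints the bundle directory; keep the manifest with the chain-of-custody record and verify it later with `sha256sum -c manifest.sha256` from inside the bundle.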
COPYRIGHT ©2018 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.
YOU’VE BEEN BREACHED: EIGHT STEPS TO TAKE WITHIN THE NEXT 48 HOURS
Moore said, “One thing that often gets missed: if your organization is being targeted it’s not uncommon for
multiple adversary groups to attack without awareness of one another. This could include attacking directly, via
supply chain, partners, subsidiaries, or contracted help.”
Describe what the organization has done to remedy the breach, what it intends to do in the future, and what (if
any) steps customers should take to protect themselves, such as by changing passwords, contacting credit card
companies, or placing fraud alerts.
If possible, establish a hotline or name a specific group, with contact information, to address customer
concerns regarding this breach, answer questions, and provide guidance.
• Identify areas for improvement. Every data breach occurs through some sort of gap—a gap in training,
awareness, security measures, technological capabilities, or some other point of entry. Figure out where the
gaps occurred so you can fill them in, likely with increased education and heightened compliance
requirements, then apply them as needed.
• Work on preventing the next breach. Focus on efforts to help reduce the risk of a recurrence. Improve
patching mechanisms if exploited vulnerabilities were the source of the breach. Mandate encryption if
company information was stolen from a micro-SD card in an Android tablet. Implement improved
authentication methods (two-factor authentication is highly recommended) where required. Consider other
elements that can help your company’s chances in the future and apply them as necessary.
CREDITS
Global Editor in Chief: Jason Hiner
Editor in Chief, UK: Steve Ranger
Managing Editor: Bill Detwiler
Staff Writer: Alison DeNisco Rayome
Associate Editor: Amy Talbott
Multimedia Producer: Derek Poore

ABOUT TECHREPUBLIC
TechRepublic is a digital publication and online community that empowers the people of business and
technology. It provides analysis, tips, best practices, and case studies aimed at helping leaders make better
decisions about technology.

Copyright ©2018 by CBS Interactive Inc. All rights reserved. TechRepublic and its logo are trademarks of CBS
Interactive Inc. ZDNet and its logo are trademarks of CBS Interactive Inc. All other product names or services
identified throughout this article are trademarks or registered trademarks of their respective companies.