What to do in a Security Breach
OK – so your computer / mobile device / network security has been breached. Now what do you do?
Do not panic
Isolate and contain the breach
Get professional help
Contact the appropriate authorities and any people affected
Take steps to ensure it doesn’t happen again.
1. Do not panic
Despite your best efforts (or perhaps a distinct lack of them), your company has suffered a security breach in which sensitive data has likely been accessed or stolen. Painful as it may be to admit, you now have to deal with the situation in front of you to minimize the damage and make amends.
Panicking does nothing to solve the problem, and neither does attempting to hide it. These things actually do happen all the time, and there are many reasons for such a situation to occur – even accidental or unintentional reasons.
No matter what the situation though, it will only get worse unless you keep your head straight and deal with the issue. Just remember that you can get help, and you can fix it.
2. Isolate and contain the breach
Don’t wait to see what happens, or ignore the problem and hope it goes away!
You should immediately disconnect or disable both Internet and network access to the affected computers / servers / devices – unplug the modem / router if you have to or want to be completely sure. Cut the network, not the power: leave the affected machines running, because the evidence of what the attacker did (running processes, open connections, whatever is in memory) disappears the moment they are switched off, and the people you bring in to investigate will want it.
Yes, this is going to disrupt your business, but you need to remember a couple of things:
- Attackers will often install hidden backdoors so that they can get back in more easily later. This means you can’t just keep “doing business as normal” as long as the security threat exists.
- Even the most sophisticated virus / malware / cyber-attack is prevented from causing further harm if the affected device(s) cannot reach the internet or your network: it cannot spread to other computers, receive instructions from the attacker, or send your data out. Exceptions exist (malware that works on a timer, or ransomware already busy encrypting the local disk, keeps going without a connection), but this tactic shuts down the vast majority of attacks.
In most cases you can later restore your systems to “mostly normal” from a backup – one taken before the intrusion, since a backup that already contains the attacker’s backdoor just brings the problem back. This assumes you keep backups, of course; if you don’t, you have just found out why you should. Before you restore anything, however, you need to get some advice and help.
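The isolation step above, as an added example that is not part of the original article: a small POSIX shell script for a Linux host that first captures the volatile evidence (live connections, processes, addresses) and then applies a default-deny iptables ruleset, leaving the machine powered on. It assumes iptables, ss, ps and ip are installed and that it runs as root; the optional responder address (10.0.0.5 in the usage line) is a hypothetical parameter for an address that should keep SSH access to the box.

```shell
#!/bin/sh
# Added example for this article (not the original author's code): network
# isolation of a suspected-compromised Linux host. It cuts all traffic except
# loopback (and, optionally, SSH from one responder address) but leaves the
# machine powered on, so the attacker's running processes and live connections
# can still be examined. It snapshots that volatile state before the cut-off,
# because once the host is isolated the live connections vanish from the tools.
# Assumptions: a Linux host with iptables, ss, ps and ip installed; run as root.
# The responder address (e.g. 10.0.0.5) is a hypothetical value for illustration.
#
# Usage: sudo sh isolate.sh --apply [RESPONDER_IP]
# Without --apply the script only prints the rules it would apply.

# Emit the iptables commands that implement "no network access". Keeping the
# rules as text lets someone review them before they are applied.
isolation_rules() {
    responder="${1:-}"
    printf '%s\n' \
        'iptables -F' \
        'iptables -P INPUT DROP' \
        'iptables -P OUTPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A OUTPUT -o lo -j ACCEPT'
    if [ -n "$responder" ]; then
        # Let the responders in over SSH from exactly one address, nothing else.
        printf '%s\n' \
            "iptables -A INPUT -p tcp -s $responder --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
            "iptables -A OUTPUT -p tcp -d $responder --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi
}

# Capture volatile state into OUTDIR before the network is cut.
snapshot_volatile_state() {
    outdir="$1"
    mkdir -p "$outdir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/captured_at.txt"
    ss -tunap > "$outdir/connections.txt" 2>&1   # live sockets and owning PIDs
    ps auxww  > "$outdir/processes.txt"   2>&1   # every running process
    ip addr   > "$outdir/interfaces.txt"  2>&1   # addresses at time of capture
    echo "volatile state saved in $outdir"
}

if [ "${1:-}" = "--apply" ]; then
    snapshot_volatile_state "/root/ir-$(date -u +%Y%m%dT%H%M%SZ)"
    isolation_rules "${2:-}" | sh -e
    echo "host isolated; keep it powered on until the responders have imaged it"
else
    echo "# dry run: rules that --apply would execute"
    isolation_rules "${2:-}"
fi
```

On a managed network the same effect is usually reached faster by shutting the switch port or moving the machine to a quarantine VLAN; the point is the same either way: cut the network, not the power, and save what you can about the live state first.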
3. Get professional help
Hopefully you have an internal IT security team standing by; if not, your IT department can still help with at least some of the technical issues. Get them working on the problem as soon as you notice the breach.
It is very important, however, to get someone who specializes in computer / information / network security to come in and fix any damage caused by the breach – and you certainly need this type of expertise to fix the particular flaw that let the attacker in. Get an external consultant or service to come in and help you; it will save you a lot of time and aggravation in the long run.
You may also need to get legal advice to see what your responsibilities are going forward. You can see in the next section why this is so important.
4. Contact the appropriate authorities and any people affected
As a business operating in the United States you are bound by certain laws regarding the reporting of data breaches. For this reason it may well be worth seeking legal advice about how best to proceed – though pretty much any lawyer will tell you that you need to notify the people affected (and, depending on the law that applies, the authorities) if there is ANY chance that someone’s private personal information was exposed unencrypted, e.g. social security numbers, credit card numbers, addresses etc.
Nearly all states have security breach notification laws, and California was in fact the first state to enact one (SB 1386, California Civil Code 1798.82 and 1798.29, passed in 2002, if you’re curious; Wikipedia has an easier to digest summary). Some industries such as healthcare have even stricter laws governing security breaches, such as the HITECH Act.
So go get legal advice if you need to, and definitely be fully aware of your legal responsibilities. If the breach is serious enough to have released personal information that can be used for fraud or identity theft, then you must notify the affected people as soon as possible.
The details of what you need to tell people will be set out in the legislation that applies to your company and / or industry (healthcare and financial services are unsurprisingly the strictest).
In general, you should tell people what has happened, what personal data has been taken, and what you as a company are doing to prevent any further loss of data. You must also give people clear information on what they should do next – for example whether to place a fraud alert with the credit bureaus and keep a close watch for signs of identity theft.
Under California law your breach notification must include very specific information:
- The name and contact information of the reporting person or business
- The types of personal information subject to the breach
- The date or date range of the breach
- Whether notification was (or is) delayed due to law enforcement investigation
- A general description of the breach
- The toll-free telephone numbers and addresses of the three major credit bureaus
- Whether the breach exposed a social security number, driver’s license number or California identification card number.
If more than 500 people are affected by the security breach, then you must also submit a sample copy of the breach notification to the California Attorney General. If you use substitute notice through statewide media rather than sending individual notifications, then you must also contact the Office of Privacy Protection and the Consumer Services Agency in your state (the Californian agencies, in the case of the law discussed here).
5. Take steps to ensure it doesn’t happen again
Maybe you were just incredibly unlucky that an attacker breached your security, or you faced a very determined hacker who just kept looking for any flaw to exploit. As much as we like to think otherwise, no IT security system is perfect, though there is a lot you can do to make it as difficult as possible for such a breach to happen again (especially via the same security vulnerability).
This is why it pays to use a professional IT security specialist to fix these issues for you. It is always much cheaper to sort out your security beforehand than afterwards, but once sensitive data has been stolen, failing to seriously review your security could leave you wide open to further attacks and legal challenges. That review has to cover more than the one flaw that was exploited: any backdoors or accounts the attacker left behind have to be found and removed, and any passwords or keys that may have been exposed need to be changed.
If you don’t have the internal expertise to remove security vulnerabilities, then get someone to come in and take care of it for you.
Whatever it takes – just get it done. It is simply not worth risking your entire business to save a few bucks.