Many organisations may experience a security breach at some point. A security breach poses a significant risk to your organisation, so you must handle a breach seriously and immediately to minimise organisational damage. Further, each security breach response needs to be tailored to the circumstances and organisational environment of the incident.
The following steps can be followed with assistance from a cybersecurity expert to respond to the breach effectively and establish stronger controls for the future.
Contain the breach to minimise the damage
Containing a security breach will minimise its impact and subsequent organisational damage. The most effective measures to minimise organisational damage will depend on the security incident and your specific circumstances. Some examples of possible actions include:
- temporarily blocking breached accounts to prevent further access to mailboxes and internal systems
- resetting account passwords
- disconnecting systems from the corporate environment to prevent the spread of a virus or ransomware
- temporarily stopping payments where the receiving party has not confirmed invoice and bank account details
- remotely disabling or wiping devices.
As you undertake action to contain the breach, you need to consider the impact these actions may have on your operations and existing evidence related to the breach.
Ensuring your organisation maintains business continuity is critical for its survival and will minimise reputational damage and loss of clients and revenue. Executing a previously defined and tested business continuity plan can help an organisation recover quickly.
Assess the breach to understand the impact and risk
The next step your organisation needs to take is to assess the breach by collecting and reviewing the available evidence of the breach. The suitability of evidence will differ based on the situation, but typical evidence that you may consider collecting includes:
- logs related to log-in/log-off and user activity on impacted systems
- logs from other systems where a breached account had access to the network
- logs related to internet access points such as web and mail filters
- laptops, workstations, tablets and mobile devices involved in the breach
- logs regarding patch and antivirus management in the organisational environment.
Depending on the type of security breach, the collected evidence can be reviewed to fully understand the impact on the organisation and other impacted stakeholders. Evaluate the impact on the organisation and, if possible, start remediating the security breach through actions such as:
- rebuilding systems from scratch after ensuring no critical business data will be lost in the process
- restoring data from backups after verifying the backups are not impacted by the security breach
- implementing new business processes.
Communicate with impacted stakeholders
Organisations covered by the Privacy Act must consider their reporting obligations under the Notifiable Data Breaches Scheme.
If the impacted information includes personally identifiable information (PII), evaluate the potential physical, psychological, emotional, financial, or reputational harm to affected individuals and, where possible, take action to remediate any risk of harm. If serious harm is still likely after remediation, the breach must be reported to the Privacy Commissioner and affected individuals within 30 days.
Even if your organisation is not legally required to disclose the security breach, it may be wise to do so as a precaution. Consider informing affected individuals as a measure to minimise organisational damage and increase trust with these parties.
Moving forward: Review the breach and establish stronger security measures
Organisations should always review the lessons learned from a security breach and understand how they are managing their security risk. Improvements to the organisational and IT environment, security awareness training, strengthening existing business processes, and reviewing outsourcing and governance arrangements can ensure the organisation isn’t exposed to a similar breach in the future.
If you’re concerned about your organisation’s data security or you’re unsure how to respond in the event of a security breach, contact a Pitcher Partners specialist for further information and assistance.