• United States



5 steps to take when a data breach hits

Oct 07, 20144 mins
Data Breach

No one wants to be the victim of a data breach. As hackers get increasingly sophisticated, though, companies must prepare for the inevitability of such an event. Here security experts share the steps that CIOs and CISOs should take in the hours and days after a breach.

The IT industry has an answer to almost every security problem. Need to lock down an app server to ward off hackers? There’s likely a product available for that. Same goes for making sure a stolen Android phone uses strong authentication to keep a hacker from stealing data.

[ Breach blanket: To contain the damage, plan ahead — way ahead ]

However, if the worst does happen – say, the hackers manage to break into a server and steal credit card numbers from a database – it can be hard to know what to do next (other than panic). spoke to several security and legal experts to find out what to do after a leak occurs. Here are their five steps for how to survive a data breach, in chronological order.

Address the Breach Immediately

Experts agree on the first step: Solve the problem and fix the data leak. Marc Malizia, the CTO of the IT consulting firm RKON Technologies, says it’s important to address the security flaw. Determine what server, or servers have been compromised. “Once located, a disk image of those servers should be made in order to preserve their state,” he says.” To protect chain of custody in the event of a lawsuit, these images should be read-only and secured.” Finally, he adds, put in place a containment strategy “to ensure the compromised server cannot infect other servers or devices.

Form a Task Force

Almost every expert says another critical early step is forming a team to deal with the breach. You can’t report a breach to the authorities and the legal department until you have a task force to lead the charge and communicate about progress.

Pat Calhoun, the senior vice president and general manager of network security at McAfee, says a “Seal Team” needs to be assembled immediately to carry out any additional steps. Attorney Tatiana Melnik adds that a company has to speak with one voice after a data breach; this team is response for making sure all information about the issue is reported in a concentrated effort.

Test the Security Fix

Once the problems have been resolved and a team is ready to lead a counter-offensive – and even before moving on to the stage of communicating about the breach outside of the organization – it’s important to make sure the flaw is fully resolved. This may require having the security team look through server logs again or running penetration tests. It may require investigating whether other servers, or a cloud infrastructure, are also susceptible.

“Companies should undergo a rigorous penetration test by an external team of experts,” says Chris Pogue, senior vice president for cyber threat analysis at Nuix, a company that analyzes unstructured data. “This is really the only way of ensuring that the fixes that have put in place are fulfilling their intended purpose. The penetration test will also help to identify potentially unknown attack vectors that could be used by future attackers.”

Contact Outside Parties

Once the problem is under control, Calhoun says the task force should start notifying the local authorities, the internal legal department (and any outside legal experts), and the public relations department. It’s important to communicate about the breach after the problems have been resolved – meaning, all resources should be used to stop the breach first.

In some industries, such as healthcare and financial services companies, there are requirements for reporting the data breach within a set period of time. Data breach notification laws vary on state and federal levels, but they could require disclosure in as little as 24 hours. However, Calhoun says not all data breaches come with that requirement: “Disclosure comes as a part of what happened – if credit cards were stolen vs. a breach of internal intellectual property.”

Resolve Any Related Issues

It might seem obvious, but companies must address the long-term implications of the breach by resolving any other related problems throughout the organization. The security flaw that led to a breach must be fixed immediately, but “remediation” is a thorough process that can take much longer and involves looking for other potential flaws, Calhoun says. Without remediation, another strike could occur, as the firm has become now a target for attack.

“Companies should make a remediation plan that’s tailored to the incident. This means that the company must undertake a true and honest assessment of what happened and the cause or causes for the incident,” Melnik says. “The remediation plan should include addressing any security issues, but also employee training and monitoring programs.”

After this remediation stage, there are additional steps to take – continued analysis of the security infrastructure, for example, as well as more penetration testing and additional remediation. But Calhoun says the first steps of fixing the breach and reporting it to authorities are the most critical.


John Brandon is a technologist, product tester, car enthusiast and professional writer. Before becoming a writer, he worked in the corporate sector for 10 years. He has published over 8,500 articles, many of them for Computerworld, TechHive, Macworld and other IDG entities.

The opinions expressed in this blog are those of John Brandon and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author