• United States



Contributing Writer

Minimizing damage from a data breach: A checklist

May 12, 20214 mins
Data BreachIncident Response

How you respond to a data breach and the amount of damage it causes depends on how well prepared you are. Have you done everything on this list?

8 getting breached is bad for business
Credit: stevanovicigor / Getty Images

Once a breach occurs, you’ll want to identify what the attackers accessed and how they accessed the data. This information helps you identify if you need to notify users that their data has been breached and learn how to protect yourself from the next attack.

First, make sure you have the necessary resources and preparations in place to investigate. The process of identifying how an attacker entered the network is often based on the evidence and timeline analysis. Knowing how best to handle the evidence and having a plan in place before an intrusion occurs are key to properly handling the investigation. The Cybersecurity Unit for the US Department of Justice has several resources to help with planning ahead.

This task checklist will make it easier to respond to a data breach or limit its damage:

Create a communications plan

Have plans in place to communicate to management about potential threats and risks to the organization—and plans and tools to counter threats. Meet regularly to discuss risks and reactions. Identify the key assets of the company and identify what protection processes you are doing to protect these key assets.

Next, have plan of action of what to follow should a breach occur. Identify alternative communication means with backup phone numbers and email addresses that are not part of the corporate email or infrastructure as your firm email may be impacted or hacked during the intrusion.

Establish a point of contact with local law enforcement ahead of time. Depending on the size of your firm, this may be easy to do or you might need to seek guidance from your cyber insurance provider.

Keep external backups of access and security log files

How an attacker gains access to a network is often found by digging through log files, so store backups of security and access log files externally as they tend to be written over quickly.

Have proper access controls in place

Document processes for onboarding and offboarding employees to and from your network resources, ensuring that permissions and access are set or removed properly. Educate employees of the proper procedures for handling passwords both for access to the network as well as passwords needed for various applications. Ensure that no one leaves behind passwords in plaintext in file repositories.

Limit remote access

Many of the methodologies that attackers use to gain network access rely on your own remote access techniques. Because you‘ve used them for years, the passwords used for access have likely been harvested and shared in forums or sold online. It was recently reported that the usernames and passwords of over “1.3 million current and historically compromised Windows Remote Desktop servers have been leaked by UAS, the largest hacker marketplace for stolen RDP credentials.”

Once attackers gain access via Remote Desktop Protocol (RDP), they can perform lateral movement across the network especially if they gain an administrative password. The UAS database showed that many servers used insecure, easy-to-guess credentials, and third-party software often installed default remote access credentials and passwords that could be used by attackers.

You have several ways to counter the risk of remote access compromise. First, you can limit remote desktop to specific IP addresses as an initial measure of protection. Then you can set up Remote Desktop to go through Remote Desktop Gateway as additional authentication as well as using tools such as to provide two-factor authentication. Bottom line, there should be no reason to expose remote desktop to anything external.

Keep your VPN patched

Another means that attackers use to gain remote access is to use vulnerabilities in external access software such as virtual private networks (VPNs). Vulnerabilities in the Pulse Secure VPN server were recently used in attacks. Webshells were placed on Pulse Connect Secure appliance for further access and persistence. In January 2020, Citrix VPN software also was subject to vulnerabilities.

Review the patching level of any VPN software connected to your network. If patching is not up to date on your VPNs, you are putting your network at risk.

Patching VPN software, especially when it’s installed on remote machines, can be problematic. Many firms are pivoting to cloud tools such as Intune to better control and update machines. If you use third-party VPN software, review your patching and deployment options with the vendor. Always make sure your patching staff has signed up for software update notifications from the vendor.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author