Maybe it’s the moment you’ve been dreading for years, or perhaps it’s a threat that you’ve been relatively oblivious to. Either way, your business has suffered a significant breach, and you’re not quite sure how to handle it.
It’s important to act quickly and carefully – making the right moves now can dramatically reduce the effects your organisation faces. The right decisions can help to limit the extent of the attack, minimise any disruptions to your business or clients, and control any potential legal ramifications.
The moments after a breach are stressful and confusing, so Gridware is here to help. We’ve come up with a rough guide for your organisation to follow so that it gets out of this mess with the least damage possible.
Point 0. Data Breach Response Plan
Ideally, your organisation will already have a data breach response plan that dictates how it should respond and recover from a breach. Having a plan in place makes the process much smoother and easier. If your organisation hasn’t already been breached yet, it should develop a comprehensive plan as soon as possible.
Let’s assume a worst-case scenario, that your organisation doesn’t have a response plan when a breach strikes. What should it do?
1. Contain the breach (0-3 Hours)
As soon as a breach is detected, the first step is to contain it. This will limit the damage, prevent things from getting worse, and ensure that your business can get back to normal as soon as possible.
How your organisation contains a breach will depend on the nature of the breach. Before you can properly contain it, you will need to find out how it occurred, whether data is still being accessed in an unauthorised manner, who is normally able to access the data, and how they access it.
Once you have this preliminary information, you can begin to take steps to stop the unauthorised data access. This can range from simple measures, such as revoking the access privileges of malicious insiders, to completely shutting down the affected system. It’s important that you don’t take any actions which may destroy evidence – this could be critical in the later stages.
If your organisation has cyber cover under an appropriate insurance policy, you should consider immediately notifying your insurer in order to comply with the terms of your policy. Your insurer will also help you assess the claim and appoint a cyber security vendor to assist you with containing the breach. Your policy may also cover you for legal advice as a result of a security incident.
2. Get Expert Assistance (3-12 Hours)
If your organisation has been breached, it may not have the right expertise to handle the situation appropriately. If this is the case, it’s generally best to engage outside security specialists such as Gridware.
We can use our experience to act swiftly and make sure the breach is handled properly. Our approach can help to limit the extent of the breach, speed up the recovery and minimise any disruptions to your business.
3. Assess the Data Breach (12-72 Hours)
Once you have contained the breach, your organisation can begin assessing it in more depth. This involves finding out as much information as you can about the breach, such as:
- What logs are available in our systems, firewalls and emails?
- What type of personal information was accessed?
- What caused the breach and how extensive was it?
- How could the breach harm the affected individuals?
- How can this harm be mitigated?
Once your organisation has further insight into the breach, it will have a greater understanding of the risks and how these can be addressed in an ideal manner.
4. Review the Breach (72 hours – 1 Week)
Once these steps have been conducted, organisations should complete a thorough review of the breach. This can enhance your organisation’s understanding of the problems, lead to plans for preventing similar breaches in the future, and also result in new ideas for ways to improve its response.
It might be worth asking:
- What controls are we implementing immediately to prevent the issue from reoccurring?
- What are the long term initiatives that we will undertake to improve our security for the future?
Gridware recommends preparing a post incident review that can be used by management, or provided to financial institutions, legal counsel, authorities or regulators if requested.
5. Notify If Necessary (Up to 30 Days)
In certain situations, organisations covered by the Privacy Act (this includes government agencies, businesses and charities with annual turnovers of more than $3 million, among others) will be required to notify both the affected individuals and the Australian Information Commissioner.
Some regulations, such as those under the Notifiable Data Breach Scheme under the Privacy Act, require reporting certain data breaches to the Privacy Commissioner within 30 days of becoming aware of the incident. In these cases, you may require the advice of a law firm that specialises in cyber security matters such as privacy and data breach notification legislation. More information on where to report can be found at https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach/
It is also worth mentioning that you may have reporting obligations under the EU General Data Protection Regulation (GDPR).
If your organisation has suffered a misdirection of funds, or fraud that resulted in financial loss, you should also consider notifying your State Police and reporting the cybercrime to ACORN (Australian Cybercrime Online Reporting Network) at https://www.cyber.gov.au/report
Each breach should be considered on a case-by-case basis to determine whether there is a serious risk of personal harm to the affected individuals. If there is, they must be notified. Notifications should inform the individuals about what has happened, as well as how they may be affected. They should also include possible mitigation strategies, such as changing passwords or raising awareness of potential scams that may come as a result.
In cases where there is limited risk, such as if the data was encrypted, your organisation may not need to notify the individuals. These kinds of notifications may cause unnecessary stress to those who receive them, or cause them to become desensitised to the risk. This is why an appropriate evaluation of the risks is so critical.
Work with us early
If your organisation has yet to suffer a breach, you’re in a good position to seek advice early about your capability to respond to a breach, your security gaps and the strength of your processes before a cyber event occurs.