Strategy: Planning and Recovering From a Data Breach

2014 was a terrible, horrible, no good, very bad year for cyber attacks. Target’s point-of-sale attack in late 2013 proved to be a common breach theme in 2014, targeting retailers such as Michaels, Kmart, Home Depot, and Neiman Marcus. Attackers also began targeting cloud applications, from Apple iCloud to Salesforce (Zeus variant and Dyreza) to Office 365. The recent Sony Pictures breach also demonstrated attackers’ turn for the malicious, from sending threatening employee emails and demanding ransom to creating malware focused not just on exfiltration but on destroying data.

The costs of a data breach—lost business, damaged reputation or the risk of regulatory action—have never been higher. Yet while successful breaches occur within minutes, and in 88% of cases data is exfiltrated within those same minutes, discovering a breach can take weeks or months. Mandiant’s 2014 threat report cites an average of 243 days to discover a breach.

Given the near-certainty that some form of attack or data breach will happen in your organization, it makes sense to consider likely scenarios and plan for what to do when one happens. A data breach plan lays out the key steps to take and the key personnel to involve when a data breach occurs, and needs to incorporate the following three elements:

Forensics and evidence collection

The earliest stage of any investigation is forensics. Having third-party forensics assistance on hand, or having those skills in-house, is essential. As with trauma response or crime scene investigation, this stage is the most critical. Preparedness, training and a well-thought-out plan can contain the damage and determine the scope of the breach. The work of forensics teams can limit the damage before evidence is lost or compromised, and collects the essential data required for the hard work of analysis. As information about the breach is collected, law enforcement agencies may need to be notified within a specific timeframe.

Forensics teams no longer serve just in post-incident response. As part of a continuous monitoring security framework, forensics teams can proactively look for possible risks in the network.

Identifying regulatory mandates impacted

In conjunction with step 1 above, it is critical to understand which regulatory compliance mandates are impacted by the data breach. Almost every US state and EU government entity has data privacy and regulatory compliance mandates, which typically require appropriate disclosure when consumer or corporate information is exposed.

This is where the legal teams within the organization become an essential part of the data breach plan. They are a required partner to the security team in navigating the myriad laws, responsible disclosure requirements and any monetary compensation or fines arising from the data breach. The laws differ greatly from state to state and country to country. In the United States, a national data breach law is being considered to ensure consistency in the disclosure of attacks.

Lawsuits relating to cyberattacks can drag on for years, and have already been filed over high-profile breaches such as Target’s.

Managing notification of breach

Any data breach leaves a bad taste in the mouth for all customers, whether or not they are impacted. The data breach plan must include the specific steps to notify anyone who may be impacted, and to do so in a way that adequately addresses their concerns. This includes training call center personnel, creating a dedicated call center line for calls related to the breach, and offering credit monitoring services.

Cybersecurity insurance may help not only to offset the costs and liabilities of data breach incidents but also to provide contracted services covering forensics, data breach notification and credit monitoring. A robust cybersecurity insurance provider may also help promote the adoption of preventative cybersecurity measures that reduce the number of successful cyberattacks. Of course, the key to preventing these data breaches is continuous monitoring.

As Gartner advocates in its “adaptive protection process”, IT organizations should shift to a continuous response mentality in which systems are assumed to already be compromised. If that is the case, a robust data breach plan becomes an even more critical part of any IT organization’s arsenal.
