
How To Recover from a Data Breach, an IT Professional’s Guide

Our guide provides IT Professionals with everything you need to recover from a data breach.
January 14, 2023
Data breaches can wreak havoc on your organization. According to IBM, the average cost of a data breach in the United States is $9.44M. On top of that, organizations may also be subjected to damaged reputation and fines and legal implications from data and privacy regulations, such as the California Consumer Privacy Act (CCPA).

The best way to mitigate a data breach is to maintain an effective security posture, with compliant infrastructure, policy-based security, remote monitoring, and a comprehensive data backup and disaster recovery plan. However, no company is completely safe.

The following is an IT Professional’s guide to helping your enterprise recover from a data breach.
Business Continuity

1. Control the Attack

As soon as you discover that your network has been breached or your company has been the victim of a cyber-attack, you should determine how the attack occurred and whether the threat is still active or has ended.

Was the attack initiated through the internet? Did someone gain access to a database with an inadequate password or no password at all? Did an employee open an email attachment, causing malware to spread across the company? Taking a calm, methodical approach to uncovering how the attack was carried out will help reduce fears among employees and ensure that business can continue while the threat is being contained and the steps are put in place to eliminate it.

2. Evaluate the Danger and Data Affected

As soon as the threat has been identified and controlled, evaluate the amount and scope of the damage. This will help you gauge the next steps that should be put in place and the key personnel you will need to assemble to mitigate additional risks to your business. Here is a sampling of the questions you should answer:

  • Who or what was behind this breach?
  • What types of data have been affected?
  • Where was the data stored?
  • What groups of people have been affected – employees, customers, others?
  • How many people have been affected (what was the scope of the attack)?
  • What kind of information was included – email address, health information, financial records, credit card numbers, social security numbers, etc.?
  • When did the attack occur and for how long did it last?
  • Was the data backed up and in a safe location?
  • Was the data encrypted?

3. Assemble Key Personnel

Before any breach takes place, you should have already selected a diverse group of staff members who will be your go-to team in the event of a data breach. They should be able to take control of the incident from every angle and be responsible for all aspects of the remediation plan.

When an attack has been discovered, the team should be informed and assembled immediately in a conference room or via a video conferencing tool to learn the details of the threat and execute on their individual pieces of the plan. This group might include the CIO, VP of Sales, Director of Customer Care, the CMO and anyone else you feel is appropriate.

They will work with each of their teams and across departments to reduce the impact on the company and customers. They will also be responsible for communicating updates internally and externally on how the remediation process is going and providing information on how a similar breach will be prevented in the future.

Implementation of an Incident Response Strategy is Critical

Communication

4. Communicate

Your communication plan should include formal communications to employees, customers, the media, and, if applicable, to vendors/partners, regulators or law enforcement, and your insurance company. In this section, we’ll focus on a few of these key components.

Communication to Employees Following a Data Attack or Breach

You will have a number of technical and non-technical personnel working on the aftermath of this attack, assessing the situation and uncovering what has happened. Assumptions, rumors and inaccurate information can spread like wildfire across the company.

Your internal employee communications plan may be directed by your company’s CEO or CMO and should strive to put employees at ease by keeping them up to date on:
  1. Exactly what has happened,
  2. What you are doing to correct the situation,
  3. If any of their information has been affected, and
  4. What policies and procedures are being put in place to prevent the attack from happening again.
It is also important to inform your employees that they may receive calls or emails from customers asking about the situation. Educate your employees on what they can say and what they should not say. You may want to provide your team with a brief statement that they can use and direct any additional questions to a more senior member of the staff such as the CEO, CMO, Vice President of Sales, etc.

In addition, reporters, bloggers, and journalists often bypass the media wall that companies put up as soon as an attack has taken place and reach out to inexperienced salespeople or technical support representatives, who unwittingly answer reporters’ questions and then find their comments spread across the internet.

Be sure to inform all employees that if they receive a phone call or email from any member of the media, they should immediately turn that request for information over to the CMO, PR agency or other assigned spokesperson. This key contact will provide a company approved answer which is appropriate for public distribution.

Communication to Customers Following a Data Attack or Breach

It is critical to implement an incident response strategy that will address how you will communicate with your customers. You will absolutely need to reach out to them if you discover that their personal information has been compromised.

But what responsibility do you have to keep them informed even if their sensitive data has not been affected? As soon as word gets out that your company has been impacted by an attack, customers will call, asking for the details and wondering if their information is included. Will your company get out ahead of those calls, proactively letting them know what has occurred and that no sensitive information has been threatened? Other questions to consider are:

  • How quickly will you send the first communication to customers and how will it be done – via email, an online landing page, a secure customer portal?
  • In addition to the standard communication, will you call your largest or most important customers to personally discuss what has happened?
  • Will you communicate to all customers or only those you believe to be affected?
  • How frequently will additional updates be made available?
  • What procedures have you put in place to keep their data secure and to mitigate any future risk to your customers?

Communication to the Media Following a Data Attack or Breach

As we mentioned above, any hint that your company has suffered an attack will prompt members of the press to inquire about what has happened. You should be prepared for this and be ready with a vetted and approved answer which can be provided to them by your company’s spokesperson.

Reporters know that they will most likely receive a “canned” statement so they may attempt to receive additional information by reaching out to other departments who are not experienced at speaking to the media. As previously stated, be sure to inform your employees that they should turn all press questions over to your spokesperson who has been approved to speak on your company’s behalf.

5. Prepare for a Breach Before It Occurs

In the case of a fire or natural disaster, we often wonder how first responders remain so calm and focused and can take control of the situation. Their answer is always, “We prepare for it. We train over and over again so that when an incident does happen, our training takes over and we immediately spring into action.”

Although a data breach does not have the same life-or-death implications, your company should train regularly to spot potential threats to critical infrastructure, react appropriately to them, and execute your plan to eliminate them. This could include:

  1. Ensuring that all equipment is secure,
  2. Regularly implementing software updates and patches,
  3. Educating employees on new cyber threats,
  4. Confirming that key members of your management team understand their roles and can immediately come together to execute on their responsibilities,
  5. Backing up files regularly to a secondary site, such as a colocation facility,
  6. Incorporating recovery plans into your annual training program,
  7. Establishing RPOs (recovery point objectives: how much recently updated or created data the business can afford to lose or re-enter after an outage) and RTOs (recovery time objectives: how much downtime the business can tolerate) in the event of a data breach, and
  8. Testing your recovery plans periodically, ideally on a quarterly basis.

Conclusion

All companies, whether small businesses or large enterprises, are at risk of a data breach or cyber-attack. It is critical to remember that it is not just the responsibility of your IT department to implement preventative measures and remediation procedures. It is a company-wide responsibility, with everyone doing their part.

For businesses seeking to improve their business continuity and disaster recovery plans, colocation facilities can be critical to enhancing these strategies. With colocation, you’ll have access to facilities that are compliant by design and managed and secured by experts.

Depending on your size and requirements, colocation providers can become your company's primary data center or provide a secondary site as an off-site disaster recovery facility. As a secure disaster recovery resource, colocation enables you to perform efficient backups to data center assets housed in these facilities for added redundancy.

At Evocative, we provide a full suite of best-of-breed colocation, cloud, bare metal, network, security, and managed services to help you accelerate your digital success while keeping your data safe. Learn more and contact us today.

The Evocative Team

Evocative is a global leader in Internet infrastructure, providing enterprise-class data center, network, and bare metal solutions that enable exceptional digital experiences. Evocative’s global footprint includes interconnected data centers and Points of Presence across strategically located metros in North America, Europe, and Asia regions. Through organic growth and strategic acquisition, the company continues to expand its presence to power enterprise workloads at the edge. Evocative is dedicated to helping drive digital businesses forward, now and in the decades to come.