Every day we hear of another breach and as they continue to pop up, we become less surprised. Information travels quickly. For example, consider how many stories of breached data you've heard of in the news lately. Most will remember some of the famous companies affected by data breaches such as Yahoo, eBay, Equifax, JP Morgan Chase, Anthem, Target, Uber, and Home Depot. Still, there are countless examples of breaches in the news.
Many companies are not prepared to handle a breach once it happens, therefore, security needs to be a higher priority. Compliance regulations require companies to follow best security practices to protect people's private/personal data. Most people would not leave their personal possessions unlocked, so it only makes sense to also secure the data of their organizations. TechGuard recommends to be proactive rather than reactive, but let's consider some of the immediate actions businesses can take if they discover their company has been affected by a breach.
Respond to the Breach
Meet with a security professional to determine a comprehensive list of action items. Refer to your company's Incident Response Plan if you have one and know who the point of contact is for a security crisis within your organization. Keep in mind, these documents should be living documents that evolve with your company. To find out where the breach occurred, look at what type of system you are seeing the rogue account on. The rogue account may be on the server, the application, or the workstation. Find out if you use a centralized authentication for your systems such as active directory. See if you have any logging set up when you are creating/deleting accounts. Additionally, does your company have network monitoring or a firewall set up? Take computers and servers off-line and gather details. These determinations may help to prevent further spread of the breach.
Part of the response may need to include contacting the appropriate authorities. Know your state's law on whom to notify in the event of a data breach. For instance, if there is concern about compromised financial accounts or credit cards in a breach, then contact the credit card company or the financial institution to change accounts/card numbers. Contact your local authorities or institutions such as the IRS, FBI, or Secret Service when applicable. Change appropriate account passwords as well.
Keep in mind, that although we tend to think that many breaches are a result of a malicious actor, sometimes they are simply due to an unintentional employee error. An employee could accidentally email the wrong party, lose a company device, or misplace documents. All of these unintentional errors often result in the exposure of private information.
Time to Investigate
If you have active logging set up, determine which IP addresses are connected to the server where the account is active. Investigate to see what services/processes the rogue account is running. Note when the account was created. See if it coincides with any active system administration work with known system administrators or remote support/patching initiatives. Confirm that any associated connections linked to the rogue account/process are legitimate.
Act quickly and disable the account. Block unknown connections (inbound & outbound) linked to the impacted account/system in the firewall. Run a full Anti-Virus scan on the impacted system. Turn on any additional monitoring that could capture any other events moving forward.
Determine what business impact your company will see as a result. We know the negative impact a breach can have on a company's brand and reputation, so how a company will handle a breach is critical in preserving the company's image. Be transparent about what has happened. Investigate what has happened and how the breach occurred. Take responsibility if the company is at fault. If possible, give a special offer to those affected. Inform the public about the newly implemented security measures to ensure that a breach does not happen again. Always use multiple layers of security to protect data because the average cost of a breach is $161.00 per lost/stolen record. How many records is your organization responsible for protecting?