In-depth

How to react to a data breach

Anonymous security execs outline steps to respond to a successful cyber attack

A padlock on a motherboard surrounded by keys

Organisations should have plans in place to deal with any security breach and its aftermath, delegates were told at this year's Infosecurity Europe conference. 

In a panel discussion held under Chatham House rules, security experts from high profile organisations were granted anonymity to tackle the task of dealing with a fictitious security breach.

The panellists were told they work at an imaginary telecoms operator, reacting to an incident in which a hacker had stolen a database of millions of customers and a ransom demand sent. 

Keep communication lines clear

The panel said there was a need to have clear lines of communication between different departments. The legal advice was to not contact the hacker with the ransom demand, but to call in law enforcement to let them be aware that a situation had occurred.

Also, it was important to inform the Information Commissioner's Office (ICO) of any breach within 24 hours, even if any information about the incident is scant. Panellists warned that while the ICO would be helpful, it would ask questions of the organisation in order to get as much information about the breach as possible. Among the questions would be how the breach occurred, who was affected, what steps were taken to mitigate the attack, as well as questions over broader security policy.

One panel member said that law enforcement should only be brought in where an organisation is serious about a crime being investigated and suspects prosecuted, otherwise, it would be a waste of police resources when there were plenty of other investigations to be carried out elsewhere. He pointed out that the police are there to "help businesses get back to business as usual".

Don't pay the hackers

Panellists were quick to agree that any ransom demand should not be paid, as criminals cannot be trusted to make good on any promise they make about the data they have accessed.

Another panel member said that in terms of public relations, organisations have to be careful with what they share about an incident externally.  

One panel member acting in the role of head of the fictitious telco's security operations centre said that it may be a good idea to take any affected system offline temporarily to ensure criminals cannot access further data and to allow security professionals to carry out investigations. Potential insider threats should also be investigated.

During the exercise, panellists were told that news of the fictitious breach had got out to the wider world. It was important, delegates were told, that this would mean the organisation would have to know exactly what had been breached to counter false claims that would inevitably spring up around the incident.

After such an event, it was important then to brief the press, be honest and open about the incident and say sorry for the inconvenience caused by the breach rather than the incident itself. 

Anticipate a breach

Panellists advised any organisation to not only plan for when a breach would inevitably happen but to also practise dealing with a breach throughout the organisation. This would better prepare businesses should a breach happen to them. It would be important not only to plan for a breach response with senior people within an organisation but also their deputies, as a breach may occur when senior staff are not around.

After the session, PwC partner and panel chair Richard Horne, said the most important thing companies need to be prepared for is how to handle a breach and limit the impact on customers, the company, and its value.

"Badly handled breaches can have a significant impact on companies and their value," he said.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Hackers breach a San Francisco water treatment plant
Security

Hackers breach a San Francisco water treatment plant

18 Jun 2021
NSA releases guidance on voice and video communications security
Voice over Internet Protocol (VoIP)

NSA releases guidance on voice and video communications security

18 Jun 2021
Ransomware criminals look to other hackers to provide them with network access
ransomware

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021

Most Popular

Q&A: Enabling transformation
Sponsored

Q&A: Enabling transformation

10 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
OnePlus 9 Pro review: An instant cult classic
Hardware

OnePlus 9 Pro review: An instant cult classic

7 Jun 2021