Data breach response: How to react when your business gets hit


As businesses settle into a new post-pandemic normal, cyber criminals have been busier than ever. Check Point Research reports that cyber attacks on corporate networks increased by 50% in 2021, compared to the previous year; by December, businesses were experiencing an average of 925 attacks per week.

Of course, not every attack is successful, and even when criminals do manage to get into your systems, that doesn’t always result in a data breach. But you need to plan for that possibility.

“We know that data breaches like ransomware are pernicious, effective, and on the rise,” Ed Williams, director of Trustwave SpiderLabs (EMEA) says. “No matter what the size of the business is, they should be planning for the worst – while ensuring, through good cyber hygiene, that it doesn’t happen.”

We’ve spoken to incident responders and cyber security experts to determine just what your business should do once a breach has been detected.

Data breach response plan: Where to begin

Any kind of security response requires a methodical investigation. As Dave MacKinnon, chief security officer with N-able, says, this means addressing the five Ws – “who, what, when, where and why?” – and you can also add an H for “how”.

The first step is identifying what has been targeted, what data or resources have been exposed, and how the breach happened. Was an external malicious actor at play, or could a non-malicious insider have been involved? Mistakes and accidents do happen.

“Based upon your analysis of the Ws, you can then determine what level of response is required,” MacKinnon says. At this early point you should also be asking yourself whether you are actually capable of completing the investigation without external assistance. “It’s okay to ask for help,” he says: “The largest organisations in the world do it all the time.”

Data breach response plan: Confirmation and validation

While considering the Ws, you should also get moving on the three Cs as quickly as is feasible – those being “confirm, contain and communicate” the breach.


The financial services survival guide

How uncertainty and disruption is forcing financial services to innovate


The first step might sound like the easy one, but it’s not always as straightforward as it seems. Kris Mitchell, security operations centre team lead at UK data breach detection and response business Socura, warns that “confirmation and validation is the hardest part of data-breach detection and response. If a business detects a distributed denial of service (DDoS) attack it needs to understand if this is the full extent of the attack, or whether it is a smokescreen for something more sinister. It’s often a precursor to an attacker exfiltrating data, but only a cyber security professional will know to look for data exfiltration during DDoS and not fall for the distraction.”
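The check Mitchell describes, looking for exfiltration behind a flood rather than treating the DDoS as the whole incident, can be expressed as detection logic over connection logs. The script below is an added example, not code from the article or from Socura; the log format, the sample lines and both thresholds are constructed for illustration.

```python
"""Flag outbound spikes that coincide with an inbound flood (constructed logs).
Each constructed line: <minute> <in|out> <internal_host> <external_ip> <bytes>
"""
from collections import defaultdict

# Constructed sample: minute 100 is quiet; in minutes 101-102 the public
# service is flooded while 10.0.0.7 pushes far more data out than usual.
SAMPLE_LOG = """\
100 in 10.0.0.5 203.0.113.10 200
100 out 10.0.0.5 198.51.100.20 5000
100 out 10.0.0.7 198.51.100.21 4000
101 in 10.0.0.5 203.0.113.11 200
101 in 10.0.0.5 203.0.113.12 200
101 in 10.0.0.5 203.0.113.13 200
101 out 10.0.0.7 198.51.100.99 900000
102 in 10.0.0.5 203.0.113.14 200
102 in 10.0.0.5 203.0.113.15 200
102 in 10.0.0.5 203.0.113.16 200
102 out 10.0.0.7 198.51.100.99 950000
102 out 10.0.0.5 198.51.100.20 6000
"""

FLOOD_THRESHOLD = 3    # inbound connections per minute treated as a flood (assumed)
EXFIL_MULTIPLIER = 10  # outbound bytes vs. each host's quiet-minute baseline (assumed)


def find_exfil_during_flood(log_text, flood_threshold=FLOOD_THRESHOLD,
                            multiplier=EXFIL_MULTIPLIER):
    """Return {(minute, host): bytes} for hosts whose outbound volume in a
    flood minute is at least multiplier x their largest quiet-minute volume."""
    inbound = defaultdict(int)    # minute -> inbound connection count
    outbound = defaultdict(int)   # (minute, host) -> outbound bytes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        minute, direction, host, _ext, nbytes = line.split()
        if direction == "in":
            inbound[int(minute)] += 1
        else:
            outbound[(int(minute), host)] += int(nbytes)
    flood_minutes = {m for m, n in inbound.items() if n >= flood_threshold}
    # Baseline per host from quiet minutes; 1 byte if the host was silent then,
    # so a host that only talks out during the flood is always flagged.
    baseline = defaultdict(lambda: 1)
    for (minute, host), nbytes in outbound.items():
        if minute not in flood_minutes:
            baseline[host] = max(baseline[host], nbytes)
    return {key: nbytes for key, nbytes in outbound.items()
            if key[0] in flood_minutes and nbytes >= multiplier * baseline[key[1]]}
```

On the sample, only 10.0.0.7 is flagged (minutes 101 and 102); 10.0.0.5 stays within its normal outbound volume even while the flood is hitting it.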

You can also argue that “keep calm” should be a fourth C on the list. Panicking won’t help your breach response, but it’s understandable if you’ve been wrong-footed. “There’s nothing worse than suffering a cyber security incident and then trying to work out what needs to be done,” comments Cliff Martin, cyber incident responder of GRC International Group. The secret is to have an incident response plan already in place that you can turn to. “Having a plan up front will significantly reduce the impact and time taken to recover,” Martin notes – and it can also assist greatly with the next C, containment.

Data breach response plan: Containing the threat

Naturally, in the event of a data breach it’s an urgent priority to stop the bleeding and limit the threat actor’s ability to do more harm. “If you suspect the attacker is still present on your systems,” advises Alistair Thompson, product management lead at Adarma, “take steps to deny them access to things that they can use against you.” The specifics will, of course, be different for different attack scenarios and business operations, but you might consider temporary measures such as:

  • Restricting access between company devices and external networks
  • Suspending access between cloud and externally facing services
  • Disabling vulnerable and compromised domain and email accounts
  • Isolating infected endpoint devices

Martin adds that containment can also include “disabling or changing user credentials, blocking specific IP addresses, taking backups or digital images for further analysis and running antimalware scans.”

All of this might sound like a big project, and again this type of scenario is something you should plan for in advance, so you can take action quickly when needed. The smallest of businesses may well have to implement their containment plan themselves, but if you can, it’s often worth engaging an external expert to help with your incident-response planning: “Trust the professionals, not Google,” advises Mitchell.

Data breach response plan: Communication is key

Admitting your company has been hacked can be a difficult step. A breach in security may shake customer and investor confidence, harm your reputation, and lead some to question the effectiveness of the leadership team.

However, hiding the incident is not an option. In fact, if the hack led to data being destroyed, lost, or accessed by unauthorised parties, UK and EU companies are legally required to disclose the incident to the Information Commissioner's Office (ICO) or their relevant local data authority. In the US, similar requirements apply, although these will vary from state to state.

When reporting the breach, you will need to confirm both the type of data at risk and those individuals likely to be affected. Although many businesses choose to bring in third-party support to establish these facts, ultimately it is your responsibility to share this information accurately.

“If you enlist the help of a cyber incident response specialist, make sure that they have the relevant legal expertise in data protection and that they are well-versed in liaising with the ICO on behalf of their clients. In some cases, this can be the difference between whether the ICO chooses to impose a fine, or not,” warns Pete Bowers, COO at NormCyber.

Don’t think you can just fill in the ICO form and move on either. “Businesses also have a duty to report all cyber attacks to the police,” Mitchell warns, “and they should also report phishing attempts to Action Fraud.” This isn’t likely to result in squad cars showing up at your premises, but, as Mitchell points out, “reporting breaches can aid police efforts to catch and prosecute cybercriminal gangs, preventing other businesses from falling victim to the same attacks.”

Those businesses in the UK should also report any incidents to the National Cyber Security Centre (NCSC), and any other relevant regulators operating within your industry, such as the Financial Conduct Authority (FCA) for those in the financial services sector.

Once you’ve finished talking to the authorities, your next call should be to your insurance company. As Oscar Arean, head of operations at Databarracks, explains: “Insurers can help by providing cyber forensic experts to help deal with the incident. It’s also important because if you don’t involve them early on, you might not be able to claim back costs you incur.”

Once that is done, it will then be time to inform your customers – something that many businesses will be hesitant to do. Disclosing a data breach is undoubtedly a painful task for any company, but customers respond well to companies that try to be as transparent as possible. If customers suspect a cover-up, the reputational damage can be far worse.

“Businesses worry that they will lose customers if they think they have a breach,” Irfahn Khimji, chief systems engineer at Tripwire notes. “However, the reality is that a well-handled breach response increases customer confidence.”

Even if you don’t know all the details at first, keeping customers informed that a breach has occurred, and is being investigated, is crucial. “It’s better to be transparent about what has happened, and what might be the impact on your customers, than to try and hide facts, lose trust and potentially receive a GDPR fine,” explains Hugo van den Toorn, manager of offensive security at Outpost24.

The one thing to avoid is apportioning blame. When a breach happens you may naturally want to protest your innocence, but that’s the wrong call. “It makes you look bad if you try to pin the blame on someone else,” van den Toorn warns. “Take responsibility, and focus on the future; how will things be better now that you’ve learned this painful lesson?”

The privacy breach response perspective

We’ve focused so far on data breaches caused by cyber attacks – but there are plenty of privacy breaches that aren’t security incidents. “You might have misconfigured cloud storage making sensitive information publicly available, or an employee might have accidentally emailed sensitive information to the wrong person,” explains Arean of Databarracks. Situations like this are simpler to deal with, though no less serious.

Chris Linnell, senior lead data privacy consultant at Bridewell Consulting, says that the steps to take depend on whether you’re dealing with a breach of confidentiality, integrity, or availability.

“Confidentiality breaches are unauthorised or inappropriate disclosures or theft of information. They can be via many means, including use of malware, phishing attacks, social engineering or human error,” he explains. “In the event of a confidentiality breach, organisations need to quickly ascertain what has been lost or stolen and when, and what technical controls are in place, such as access controls, encryption at rest or in transit, or complex password policies, to mitigate the risk.”

“Integrity breaches concern the completeness and reliability of data or assets. These breaches commonly involve viruses or human error in configurations of assets,” he continues. “Depending on the manner of the breach, the focus is likely to be more on data recovery, which is where the use of back-ups and replication comes in.”

That leaves availability breaches, where “there is a loss of access or destruction of data or assets.” This type of breach is typically caused by things like ransomware or denial of service. “In responding to a breach like this, the first step is to work out how the bad actor got in, what has been destroyed, accessed or transferred – and then how to recover from the vulnerability using patching or additional threat detection.”

Regardless of the type of breach, you once again need to think about your legal disclosure obligations, and to inform customers and stakeholders. “An organisation will need to ascertain to whom the data belongs,” Linnell advises, “and where in the world it is being processed, to determine the jurisdiction.”

Long-term post-incident action

Once you’ve addressed the immediate aftermath of a breach, you can start to look at the bigger picture and work to stop the same thing happening again. If you can afford a full security audit – and there’s a good argument to suggest that you can’t afford not to – then you should be able to uncover the root causes of the breach, as well as other potential security problems that could bite you down the road.

“There is never a better time to push through improvements than after an incident,” Arean says. “It’s also a good time to review your incident response plan and update it too. Did the plan work for you, and could it be improved?” Chester Wisniewski, principal research scientist at Sophos, suggests hiring a penetration testing firm to provide a detailed analysis of your weaknesses and advise on which things you should prioritise for improvement. “Criminals are basically pen testers gone bad,” he says, “so having some of the good ones help you identify weaknesses goes a long way.”

One thing is for sure. As Joani Green, managing consultant for incident response at F-Secure, concludes, “traditional prevention tactics are no longer enough for SMBs, as threat actors become more advanced. SMBs must possess the ability to predict, prevent, detect, and respond against potential threats. For small businesses, this comes down to acquiring basic expertise in all these areas and the solutions to support IT staff.”

This article was first published on 20/11/2017, and has since been updated

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at