Norman Safeground Blogs

insight, opinion & information


5 Steps For Data Breach Survival

Last week, online shoe retailer Zappos experienced a massive data breach that exposed the personal information of 24 million of its customers. The incident was just the latest high-profile example of a company falling victim to digital attackers. Although data breaches at big companies make news headlines, a company doesn’t have to be large or well known to be a target of cyber criminals. Do you know what to do if it happens to your company? If your company is like most, the answer is no.

It’s time to figure it out.

Your company has spent time, money and effort purchasing security software, installing firewalls, hardening networks and educating employees to create a secure computing environment. When you were done, you likely felt safe – confident and assured because you’d followed best practices. These days, maybe you only really think about security when it’s time to apply a patch for the latest malware. Hackers will never breach your well-fortified corporate walls. Right? Unfortunately, as RSA, Zappos, Sony and many other companies will attest, a data breach can (and at some point probably will) happen. What are the first five things you should do after your company has been hacked?

1: Find

After a security breach occurs, your first impulse might be to disconnect and shut down everything.

Take a moment.


You will need to contain the breach, but it’s also critical to determine the scope and root cause of the security incident. Abruptly powering down a machine could destroy important details about how attackers circumvented your security measures, since much malware resides only in memory.

Additionally, don’t assume that only a few machines were compromised. Unless you have strong evidence that an attack is isolated to a small set of infected computers, approach every breach as if attackers have gained access to your entire environment. Take the time to examine your network, end-user workstations, mobile devices, web-based email accounts, servers and other assets for signs of an intrusion. Although this can be a time-consuming process, it requires much less time and stress than handling a secondary outbreak after you’ve announced that an incident is resolved.

2: Contain

Once you have discovered the root cause of an issue – stop the bleeding. Your attacker is unlikely to keep the details of your security vulnerability private. If you fail to act quickly, it’s likely you will be attacked again. Block network access to and from the infected machines, block any web addresses associated with the malware, disable compromised accounts and apply patches if applicable. Quickly plugging the gaps in your security controls can be the difference between a negative incident and a full-scale security disaster.
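To make the "Find" and "Contain" steps concrete, here is an added example that is not part of the original post. It takes a constructed batch of syslog-style SSH authentication lines collected from several hosts, together with a small set of attacker IP addresses assumed to be the incident’s indicators, and (a) works out which hosts and accounts the indicators actually reached rather than assuming only the first-noticed machine was hit, then (b) turns that scope into an ordered containment list that isolates hosts at the network layer and captures memory before anything is powered off. The log format, host names, account names and the action verbs are all illustrative assumptions.

```python
"""Scope an intrusion across hosts, then derive a containment plan.

Added example for the blog post's "Find" and "Contain" steps; not code from
Norman Safeground. All log lines, hosts, users and indicator IPs below are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: sshd auth lines gathered from several hosts into one batch.
SAMPLE_LOGS = [
    "web01 sshd[1201]: Accepted password for www-deploy from 203.0.113.45 port 51522 ssh2",
    "web01 sshd[1210]: Accepted publickey for alice from 192.168.10.7 port 40112 ssh2",
    "db02 sshd[771]: Accepted password for www-deploy from 203.0.113.45 port 51690 ssh2",
    "db02 sshd[790]: Failed password for root from 203.0.113.45 port 51702 ssh2",
    "mail01 sshd[311]: Accepted publickey for bob from 192.168.10.9 port 38820 ssh2",
    "jump01 sshd[95]: Failed password for admin from 198.51.100.23 port 4401 ssh2",
]

# Constructed indicators: source addresses tied to the incident.
INDICATOR_IPS = {"203.0.113.45", "198.51.100.23"}

# Simplified sshd line shape; real deployments vary (syslog prefixes,
# "invalid user" variants), so the pattern is an assumption for this sample.
LINE_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class Scope:
    """What the indicators reached: successful logins vs. failed probes."""
    compromised_hosts: set = field(default_factory=set)
    compromised_accounts: set = field(default_factory=set)
    probed_hosts: set = field(default_factory=set)


def scope_incident(lines, indicators):
    """Walk every host's lines, not just the one where the alarm fired."""
    scope = Scope()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] not in indicators:
            continue
        if m["result"] == "Accepted":
            scope.compromised_hosts.add(m["host"])
            scope.compromised_accounts.add(m["user"])
        else:
            scope.probed_hosts.add(m["host"])
    # A host that saw both a failure and a success is compromised, not merely probed.
    scope.probed_hosts -= scope.compromised_hosts
    return scope


def containment_plan(scope, indicators):
    """Ordered actions. Isolation is at the network layer so volatile
    evidence survives; memory is captured before any shutdown."""
    actions = [f"block-ip {ip}" for ip in sorted(indicators)]
    for host in sorted(scope.compromised_hosts):
        actions.append(f"isolate-host {host}")     # cut network access, keep it powered on
        actions.append(f"capture-memory {host}")   # preserve in-memory artifacts first
    for user in sorted(scope.compromised_accounts):
        actions.append(f"disable-account {user}")  # credentials the attacker used
    return actions


if __name__ == "__main__":
    s = scope_incident(SAMPLE_LOGS, INDICATOR_IPS)
    print("compromised hosts:", sorted(s.compromised_hosts))
    print("probed only:", sorted(s.probed_hosts))
    print("accounts to disable:", sorted(s.compromised_accounts))
    for step in containment_plan(s, INDICATOR_IPS):
        print(step)
```

On the constructed sample the sweep shows that the indicator reached db02 as well as web01 through the same shared deployment account, while jump01 was only probed and mail01 was untouched; the plan therefore isolates two hosts, not one, and disables the account rather than just the first machine that raised the alert.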

3: Restore

Once you have determined the nature and scope of an attack and neutralized or contained it, move forward and restore any services that were disrupted due to the data breach. Restoring service and returning to normal operations should only occur after you are completely certain that the threat is contained or neutralized.

4: Communicate

After a data breach occurs, one of the most important things you can do to restore confidence in your organization is to communicate. Openly disclosing details like scope and impact to customers, partners and suppliers almost always increases the likelihood that they will be understanding. Make it clear your company is taking the issue seriously and that you understand the root cause. Additionally, communicate the measures that have been or will be taken to prevent similar issues from recurring. Revealing the truth about a data breach may be difficult, but transparency is almost always the right approach.

In many cases, however, transparency is not a choice; it’s the law. Within the United States, forty-six states, Washington D.C., Puerto Rico and the Virgin Islands have laws that require companies to inform individuals when a data breach exposes personal information, and many states are actively attempting to expand their legislation. Several countries, like Canada, Australia and Japan, have enacted or are in the process of enacting disclosure laws. Communication requirements don’t end with governments. Industries like healthcare have additional reporting requirements.

5: Reflect

Once the threat is identified and contained, operations restored and the public informed, take time to look at the non-technical issues that might have contributed to the security breach. You should ask and answer questions such as:

  • Are adequate processes in place to prevent and detect security problems?
  • Does your company have an accurate catalog of systems and software? Are relationships and dependencies identified in the catalog?
  • Has a team of “first responders” been identified that is responsible for dealing with security problems? Does the team have a leader?
  • Is there a data classification strategy in place that dictates how sensitive data should be handled?
  • Do employees, consultants and partners receive security training about social engineering?
  • Is a security audit part of the software development and deployment lifecycle?

After a security breach occurs, it’s normal to panic, point fingers or become frustrated, but having a response plan in place can minimize the damage. Does your company have a security response plan? Do you agree with the five steps that have been highlighted in this article? We would love to hear your thoughts.


One Response to 5 Steps For Data Breach Survival

  1. Jay Gould says:

    The Zappos hackers seem to have accessed some of the information stored in the retailer’s customer profiles. We don’t know whether or not the criminals have been able to actually access the customers’ accounts, as we don’t know if they could have retrieved the passwords. Yet, even if they did, that wouldn’t have done them much good. What could have happened? Let’s say that they attempted to place an order. Well, even if it did go through, which is unlikely, it would’ve been disputed by the cardholder, who would have been reimbursed for any possible losses. Aside from that, any card data that may have been stored in a hacked profile would have been perfectly unusable, because it only shows the last 4 digits of the account number.

    The bottom line is that, as the data breach was immediately discovered and the customer passwords reset, the hackers would have been left with information that they could have found in the Yellow Pages, with much less trouble and for free. For a more detailed analysis:




The Author:

Made up of various contributors' opinions and insights - the power of the collective.
