8 steps for a successful recovery from a data breach
Despite best efforts to protect the organization’s health information, a hacker has breached the walls and now client files are encrypted, ransom demands have been made to restore health records and more malware may have been placed on the network. An article from Innovative Computing Systems, a professional services firm that helps health organizations and other entities define and improve a comprehensive IT strategy, offers eight steps to immediately take after a breach.
Isolate the infection
To start, isolate the affected endpoints and servers and disconnect them from all other systems to stop the malware from spreading. Do not shut down information systems until internal IT security experts have examined them. If the attack involved ransomware, it may make sense to reload data from backups, but don’t do it without first updating security software; otherwise, the backups could also become infected.
Get the pros
Ideally, before a breach happens, the organization should have retained security professionals with expertise well beyond systems administration. Efforts to remediate a breach without pros are likely to be inadequate. A third-party audit of information systems is strongly recommended.
Notify five authorities
Start with the local police so the attack can be made official and a paper trail initiated. Contact the FBI Internet Crime Complaint Center at www.fbi.gov/investigate/cyber.
Next is the Secret Service, which has an Electronic Crimes Task Force to which cyberattacks can be reported at www.secretservice.gov. Also contact the U.S. Computer Emergency Readiness Team in the Department of Homeland Security at www.us-cert.gov. Lastly, file a complaint with the Federal Trade Commission and, if your clients have been compromised, have them visit the FTC’s identity theft sites: www.ftc.gov and www.identitytheft.gov.
Notify clients
This is one of the most difficult steps, but it is of utmost importance. Walk clients through appropriate measures to protect themselves and their families, and let them know about your legal and liability requirements after first reviewing those requirements with legal counsel.
Identify remaining vulnerabilities
The hired security pros can help identify and mitigate the vulnerabilities that let the hacker get through, and they will then find other vulnerabilities that need patching. No network is impenetrable, but by performing due diligence and layering security through a defense-in-depth approach to the information security infrastructure, the company will be better protected.
Deploy security solutions
Obviously, the organization’s current information security processes were not sufficient. With the vulnerabilities identified, deploy security software, hardware and protocols companywide to strengthen cybersecurity. Use a defense-in-depth approach, layering security with endpoint protection, anti-virus software, firewalls and other defenses.
Create an after-action report
What happened? How did the organization recover? What were the consequences? Answer these questions, include the changes made in response to the breach, and compile the lessons into a document to be shared across the company. It is important that employees know where the attack originated, its effects on the company, how to avoid incidents in the future and what the company has done to increase security.
Retrain the workforce
No matter how the hacker got in, whether through an infected email or through pure dumb luck in guessing a password, use the after-action report to refresh employees’ cybersecurity awareness. Make sure they know how to identify and respond to attacks, whether those attacks succeed or not.