Today data breaches are a costly and ever-present danger for businesses in both the public and private sector. Each year, the total number of reported breaches grows 5-10% over the previous year, with over 22 billion records compromised in 2021.

The average cost of a breach is $4.35 million – and that doesn’t count the long-term impact on trust, which is especially devastating for small government contractors (GovCons) entrusted with controlled unclassified information (CUI). Consequently, 60% of small businesses fold within 6 months of a breach, never to re-open.

It goes without saying that every organization should be prepared for a breach long before it occurs: but when prevention fails, immediate and strategic action can make a big difference. In this article, we’ll explain what you should do in the first 24 hours after a data breach, from harm reduction tactics to preparing for disclosure.

How Data Breaches Happen

Today data breaches can occur in many ways – the most common include,

1. Phishing and Ransomware – according to the Identity Theft Resource Center, phishing and ransomware are the leading causes of data compromise – the vast majority of cyberattacks begin with a phishing email, and the vast majority of data breaches begin with a cyberattack.
2. System Penetration – by exploiting vulnerabilities in your network and devices, cyber actors can bypass security controls, escalate their privileges and install persistent backdoors to exfiltrate data over a long period of time.
3. Compromised Devices – in the age of remote working and hybrid workplaces, lost or compromised devices are a rising factor in data breaches.
4. Insider Threats – malicious or disgruntled insiders may leak data themselves or work directly with cyber actors; careless insiders may share compromising information or credentials unintentionally. According to Ponemon Institute, insider threat incidents have risen since 2020, and are significantly more expensive than other security breaches.

Ultimately, a majority of data breaches are preventable with proper cyber training and security controls. But in the midst of a breach, harm reduction is possible, especially if cyber defenders catch the incident quickly.

Knowing You’ve Been Breached

By the time it becomes obvious that a data breach has occurred through the appearance of public data dumps or ransomware lock screens, the window for action has diminished. The earlier an organization can catch a data breach in progress, the more they can do to repel cyber actors.

Early warning signs for a data breach include unexpected network activity including increased file transfers and renames. If network devices show any of these signs, they should be considered potentially compromised – that is reason enough to isolate those systems and investigate further before bringing them back online.

Immediate Actions After a Breach

When it’s clear that a data breach has occurred or is in progress, four actions are absolutely essential:

1. Isolate the breach – determine which systems have been compromised and immediately isolate them from public and internal networks.
2. Eliminate threat actors – block any external IP addresses and remove any internal users associated with unauthorized file transfers.
3. Document activity – keep track of any discoveries and preserve any logs from the time of the attack for further analysis.
4. Reset credentials – if there is even a chance that usernames and passwords have been compromised, reset them immediately and inform users.

While these steps will not save any data that has already been stolen by cyber actors, it will prevent them from stealing more. In the case of a ransomware attack, cyber defenders will be faced with the immediate question of whether to pay the ransom.

A Contentious Question: Should You Pay the Ransom?

Ransomware actors want their victims to believe that paying the ransom is an easy way to restore their files and set everything back to normal. And while many companies will decide it’s worth the price when mission-critical data and assets are at stake, paying a ransom should be a last resort.

Ransom fees can be exorbitant – worse, paying them simply encourages ransomware actors to return, with 68% of businesses who pay a ransom being targeted again within a month of their first attack. Lastly, most businesses who pay a ransom do not get all their data restored in the first place.

Preparing for Disclosure

Laws regarding disclosure for a data breach vary from state to state – some require businesses to inform the parties affected by a data breach within 24 hours, and others extend that requirement to 90 days.

But under emerging data privacy legislation like the GDPR in Europe, businesses have 72 hours to report a breach – this is also how long government contractors have under the Defense Federal Acquisition Regulation Supplement (DFARS) and Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Accordingly, businesses should prepare to inform the parties affected by a breach as soon as it occurs. They should begin by seeking legal counsel, determining the extent of affected parties, stakeholders and relevant authorities who must be notified, and collaborating to answer questions in a transparent way over the next few days.

Analyzing the Incident

Following a breach, businesses need to understand the attack and its root causes so they can fix any security holes which may have contributed to the incident and replace affected systems as appropriate. After determining what data and assets were compromised and what systems were involved in the attack, they should determine the parameters of the intrusion, vulnerabilities that may have been exploited, and interview experts within their organization to gain further information.

Preventing Further Attacks

Companies affected by a data breach are more likely than not to be breached again in the following months; to prevent that from happening, organizations must be prepared to identify the root problems behind the first attack and adopt a proactive mentality to prevent further cybersecurity incidents. While comprehensive cybersecurity strategy is beyond the scope of this blog, here are a few vital steps to prepare for future attacks:

1. Establish a Backup System – regular, secure backups are the most crucial insurance against a data breach or ransomware attack. They ensure that you can recover quickly with minimal data loss, especially when critical files are encrypted by cyber actors.
2. Develop a Business Continuity Plan – responding to a data breach requires coordinated action to isolate the breach, keep your business running and restore mission-critical operations as soon as possible. A business continuity plan will help your organization to adapt quickly in a crisis and get back on your feet.
3. Invest in Cyber Training – most data breaches are attributable to mistakes that can be prevented with cyber training; help your employees to recognize and avoid phishing attacks, report lost devices and better protect their credentials.
4. Get a Vulnerability Assessment – assess IT systems for cybersecurity vulnerabilities before they are exploited and implement security controls where necessary. For GovCons, the National Institute of Standards and Technology (NIST) special publication (SP) 800-171 provides a standard baseline for the cybersecurity standards necessary to protect CUI and other sensitive data.

Ultimately, the best time to stop a data breach is before it ever happens. Organizations who adopt a proactive posture to cyber threats are more likely to prevent harmful data loss than companies who wait until it’s too late.