[BreachExchange] 10 critical steps to take in the first 24 hours of a data breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 11 19:18:55 EDT 2016


https://www.finextra.com/blogposting/12956/10-critical-steps-to-take-in-the-first-24-hours-of-a-data-breach

The number of high profile data breaches that have hit the media headlines
in recent years is certainly a wake-up call to organisations to be more
prepared if it happens to them. But it's not just the high profile ones
that are being targeted. It's all organisations and it's across all sectors.

A recent study that we carried out with over 300 SMEs in the UK that hold
personally identifiable information on behalf of their customers revealed
that almost a third of them do not have a data breach response plan in
place. This rose to almost a half of small businesses with up to 50
employees. The reality is that the smaller a business is, the more
financially vulnerable it is likely to be to the instant revenue impact
following a breach - not to mention the damage to its reputation.

When a breach is discovered, swift action and strategic thinking are
essential. If you have not prepared, and indeed practised, a breach response
plan setting out how your organisation will respond, reassure and recover,
the impact can be significant.

The first 24 hours are critical, so following these steps will help to
reduce the impact:

1. Record the date and time the breach was discovered, as well as the
current date and time when response efforts began (e.g. when a member of the
breach team was alerted).

2. Alert and activate everyone on the response team – including external
resources – to begin executing your preparedness.

3. Secure the premises around the area where the data breach occurred to
help preserve evidence.

4. Stop additional data loss. Take affected machines offline, but do not
turn them off or start probing into the computer until your forensics team
arrives.

5. Document everything known thus far about the breach, including who
discovered it, who reported it, to whom it was reported, who else knows
about it, what type of breach occurred, what was stolen, how it was stolen,
what systems are affected and what devices are missing.

6. Interview those involved in discovering the breach and anyone else who
may know about it. Document your investigation.

7. Review the procedures for disseminating information about the breach to
everyone involved at this early stage.

8. Assess priorities and risks based on what you know about the breach.

9. Bring in your forensics team to begin an in-depth investigation.

10. Consult your legal representation and senior management to clarify if
any regulatory agencies should be notified and, if so, notify them.

And from this point the real challenge of recovering begins.