[BreachExchange] 8 steps to recover quickly (and well) from a data breach

Destry Winant destry at riskbasedsecurity.com
Tue Jul 2 10:02:15 EDT 2019


https://www.healthdatamanagement.com/list/8-steps-to-recover-quickly-and-well-from-a-data-breach

8 steps for a successful recovery from a data breach
Despite best efforts to protect the organization’s health information,
a hacker has breached the walls and now client files are encrypted,
ransom demands have been made to restore health records and more
malware may have been placed on the network. An article from
Innovative Computing Systems, a professional services firm that helps
health organizations and other entities define and improve a
comprehensive IT strategy, offers eight steps to immediately take
after a breach.

Isolate the Infection
To start, isolate the affected endpoints and servers and disconnect
them from all other systems to stop malware from spreading. Do not
shut down information systems until internal IT security experts have
examined the systems. If the attack involved ransomware, it may make
sense to reload data from backups, but don’t do it without first
updating security software. Otherwise, the backups could also become
infected.

Get the Pros
Ideally, before a breach happens, the organization should have
retained security professionals with expertise well beyond systems
administration. Efforts to remediate a breach without pros are likely
to be inadequate. A third-party audit of information systems is
strongly recommended.

Notify Five Authorities
Start with the local police so the attack can be made official and a
paper trail initiated. Contact the FBI Internet Crime Complaint Center
at www.fbi.gov/investigate/cyber.

Next is the Secret Service, which has an Electronic Crimes Task Force
to report cyberattacks at www.secretservice.gov. Also contact the U.S.
Computer Emergency Readiness Team in the Department of Homeland
Security at www.us-cert.gov. Lastly, file a complaint with the Federal
Trade Commission and, if your clients have been compromised, have them
visit the FTC's identity theft sites: www.ftc.gov and
www.identitytheft.gov.

Identify Vulnerabilities
Hired security pros can help identify and mitigate vulnerabilities
that let a hacker get through. Now, they will find other
vulnerabilities that need patching. No network is impenetrable, but by
performing due diligence and layering security by implementing
defense-in-depth on the information security infrastructure, the
company will be better protected.

Deploy Security Solutions
Obviously, the organization’s current information security processes
were not sufficient. With vulnerabilities identified, deploy security
software, hardware and protocols companywide to strengthen
cybersecurity. Use a defense-in-depth approach by layering security
with endpoint protection, anti-virus software, firewalls and other
defenses.

Create an After-Action Report
What happened? How did the organization recover? What were the
consequences? Answer these questions and include changes made in
response to the breach, then compile the lessons into a document to be
shared across the company. It is important that employees know where
the attack originated, its effects on the company, how to avoid
incidents in the future and what the company has done to increase
security.

Retrain the Workforce
No matter how the hacker got in, whether through an infected email or
through pure dumb luck in guessing a password, use the after-action
report to refresh employees’ cybersecurity awareness. Make sure they
know how to identify and respond to attacks, whether successful or
not.

