Statistics from earlier this year give a picture of how long it takes for UK businesses to recover from a disruptive security breach. A third said it took up to a full day for operational recovery to occur, while a small yet still significant minority said it took considerably longer.But those statistics focused on the ability of the firm to restore normal business operations. What they don’t factor in is how long it takes for a business to recover from the consequences of any breach in terms of wider commercial and reputational loss.
In order to mitigate any such losses, speed is of the essence when it comes to identifying and addressing the specific issue. With this in mind, here’s how to get to the root of the problem, faster…
1. Inform all relevant staff and temporarily suspend operations where necessary
Depending on the nature of the breach, there’s a strong possibility that by carrying on with business as usual (e.g. entering data, processing orders) your staff might inadvertently exacerbate the effects of any breach - thereby increasing both the losses to the business and overall recovery time.
Having ensured that those personnel responsible for addressing the breach (i.e. IT staff and/or outsourced IT professionals) are aware that a suspected breach has occurred, the next immediate step to take involves informing all relevant staff to suspend operations pending further announcements.
2. Damage isolation
This involves isolating all online servers and accounts where data is stored. Again, this is vital for damage limitation purposes.
3. Identify both the source of the breach and the areas that have been compromised
In some situations, the source of the breach may be obvious (an employee may have inadvertently opened a malicious link, for instance). In other cases, expert forensic examination may be required to identify it.
This investigative process should also enable you to identify what information has been accessed and, for instance, which servers have been compromised. Once you have a clear picture of the problem and its severity, you can assess whether it is appropriate for staff to resume network usage and get back to ‘business as usual’. This might involve telling staff which applications and platforms are safe to use and which ones should remain out of bounds until further investigations are completed. So this expert proportional approach is ideal for minimising disruption.
4. Collecting evidence
Making an appropriate record of the source and nature of the breach, and preserving any evidence relating is crucial in support of any internal, regulatory or criminal investigation further down the line. Proper evidence gathering can save you a lot of time and effort when it comes to dealing with these external investigations.
5. Contacting outsiders
If the incident constitutes a breach of personal customer data, you should follow your industry-specific requirements for reporting the breach both to the ICO (where relevant) and to customers themselves. Your professional regulatory body may also have specific rules in place for reporting and recording incidents.
These points all relate to the key steps you should be taking after a breach has occurred. But your ability to get back on track as quickly as possible is also reliant on the robustness of your disaster management procedures as a whole.
Most importantly, can you rely on expert input when it comes to responding to the breach? This is one of the big reasons why expert, reliable and reputable outsourced assistance can be so valuable.