A data breach is a specific kind of security incident in which information is accessed without authorization. A data breach can occur if attackers gain access to databases that contain sensitive information, or if an organization exposes sensitive data by mistake or with malicious intent.
Digital businesses store different types of sensitive data, including personally identifiable information (PII) of customers, payment card details, social security numbers, user IDs, and passwords, in on-premise or cloud-hosted storage facilities.
Channels of communication are established between a business’s public-facing assets and databases for the sake of functionality. Data breaches occur if the security of these channels is compromised.
Businesses need an effective and efficient data breach response plan to contain the damages, redress the security issue, restore operations, and minimize legal action and penalties.
This post will discuss tried and tested data breach response strategies that startups can adopt and practice to minimize damages during a security breach or data breach.
How to respond to a cybersecurity breach in a startup
This section describes the specific steps to take when a startup faces a data breach, or a security breach in general, based on the type and scope of the breach.
The incident response strategies discussed here are in line with the recommendations made by the General Data Protection Regulation (GDPR), the Federal Trade Commission (FTC), the Office of the Australian Information Commissioner (OAIC), and the Information Commissioner’s Office (ICO).
Businesses cannot wait until a data breach happens to prepare for it. There are preparatory steps that can remove much of the stress of dealing with a security incident.
Understand the importance of time
Under the General Data Protection Regulation, businesses have a 72-hour window from the time of discovery to report a breach to the Information Commissioner’s Office. That is 72 hours on a 24-hour clock that doesn’t stop for the weekend. Many mistakes are made in these 72 hours by SMEs facing a data breach, and most of them are triggered by panic.
Being able to manage this time is essential. A startup needs certain pre-arranged measures in place for a breach scenario.
Distribution of responsibilities
When you are made aware of a breach, you should know whom to contact immediately. There should be people in your organization who know it is their responsibility to assist during a security incident regardless of the date, time, vacation, or holiday.
The key people in a business in this situation are:
- Members of the IT department responsible for information security
- Legal advisors
- Business leadership – CISO, CEO, CTO, and CFO.
The incident response team may consist of:
- A team leader to lead the response team and communicate with senior management
- A product manager to coordinate the team
- Key privacy officer – a senior staff member with expertise in the domain of data privacy
- Legal advisors
- Risk assessment professionals to estimate the impact of a breach
- Experts in Information and communication technology to investigate the cause and impact of a data breach
- PR professionals to communicate with the victims of the breach and the general public
As you may assume, certain members of the staff may wear more than one of these hats.
Back up the data
If a data breach is reportable, businesses need to provide comprehensive information about the nature of the breach and the type and amount of compromised data. If a data breach leads to the loss of data, i.e. if the attacker deletes the data they gain access to, it becomes much more difficult to provide the right answers.
A data backup allows an organization to measure the impact of a breach more accurately. Not having it affects the operability of a business. The ICO is bound to ask if the data breach affected the business’s operability. If your answer is yes, then it creates doubts about your competence and seriousness about data security.
Adopt multi-factor authentication to protect critical assets
When a startup reports unauthorized access or data theft, the ICO invariably asks if the data was protected adequately using MFA. The answer determines whether the business will get away with a few security recommendations or pay a hefty penalty.
Create a culture of secure practices
It is important that every employee is trained to avoid the human errors that lead to data breaches. They should know how to detect a phishing email and should be encouraged to use an enterprise-level password manager for logins.
Learn how to choose the right cybersecurity tools for your startup, such as by considering your budget, your specific needs, and the level of security you require.
Lay down a basic incident response strategy
If an organization follows the important steps of setting up cybersecurity for a startup, it is already ahead in terms of dealing with an unlikely security incident. It will have easy-to-obtain audit trails, access monitoring mechanisms that will help investigate a breach, and a tried and tested incident response protocol.
The straightforward approach to responding to a cybersecurity breach
1. Identification and containment
Once you detect a data breach, trigger the incident response team into action. They must identify the source of the breach and shut it down. Do this as soon as possible to minimize damages. This involves locking down the physical architecture that potentially led to the breach, shutting down business operations if required, and restricting access to all critical data while the investigation is underway.
2. Investigation and remediation
It is important to identify the root cause of the data breach, pinpoint what went wrong, and determine security protocols that were violated prior to or during the cyber incident.
The following step is to determine:
- The amount of compromised data
- The nature of compromised data
- Vulnerabilities that led to the compromise
Adequate measures have to be taken to ensure the vulnerability is patched so that the data breach is not followed by another one.
3. A legal discussion
This step should be performed simultaneously with the investigation to make the best use of time. Startups must enlist the help of legal advisors to determine whether the data breach is reportable. This is very important.
A breach is reportable under GDPR only if it poses a risk to the rights and freedoms of an EU citizen, including the right to privacy.
4. Reporting to the ICO
If the incident turns out to be reportable, the key data officer meticulously draws up the report and files it with the ICO.
5. Notifying the affected parties
Staff members, external stakeholders, and victims must be informed about the security breach within a stipulated time. An employee with media and PR skills should be trained to carry this out smoothly. GDPR has detailed breach notification rules and a list of subjects that should be notified about a breach.
6. Implement the recommendations by the ICO
Once a breach is reported to the ICO, they will investigate the incident and draw conclusions about the sincerity and competence of the business. After that, they’ll share recommendations to mitigate the risk and/or issue a penalty. The startup has to be quick about following through with the recommendations so that it is not penalized a second time.
The steps we discussed above are easy to pen down but difficult to follow without deviations when the clock starts ticking. The following section will discuss the data breach response in action, highlighting small mistakes businesses make in the first 72 hours.
Respond to the data breach in the first 72 hours
Businesses in the EU get 72 hours after discovering a breach to investigate and report it to the Information Commissioner’s Office. This means that a startup not only needs to create a preliminary report of the breach, but also has to decide whether or not to report the breach at all.
If you report a non-reportable breach, i.e., it doesn’t pose a risk to the rights and freedom of any citizen of the EU, the ICO may doubt your organisation’s competence in assessing the gravity of a security incident.
If you fail to report a reportable incident within the stipulated time, it is likely that your organization will be penalized. As it turns out, reporting a breach is a double-edged sword. So, it is better to be careful.
Actions that can save a business after a data breach
1. Do not phone the ICO right after discovering the breach
At the initial stage, you have no idea about what caused the breach, who was affected, or how much data was stolen if at all. There are multiple steps to be taken internally before involving the authorities. It’s crucial not to give in to panic and to follow the incident response plan without deviations.
2. Do not pay a ransom
If your business is struck by a ransomware gang that has hijacked your information systems or published a small set of confidential data while threatening to publish the rest, the instinctive reaction is often to pay the ransom. That is not a good idea, since the attackers may have created backdoors that they’ll use to remain hidden in your network and launch attacks again.
3. Gather information about the security breach
The important questions at this stage are:
- When did the breach take place?
- When was the incident discovered?
- What is the type of information that is compromised?
- Does the breach involve customer information?
- What vulnerabilities were exploited to orchestrate the incident?
- What was the company’s immediate reaction to alleviate or de-escalate the threat?
- How much data has been compromised?
- Will the breach affect the operability of the business?
The investigative wing of the data breach response team has to answer these questions and record everything. If a startup doesn’t have an in-house team to work this out, it might have to pay a third party to run the investigation. But it has to be done fast.
4. Anonymize everything on the report
It is important to wipe the incident report clean of personally identifiable information. That means the report should not contain the names of the people who discovered the breach, or any information about the customers or stakeholders who were affected by the breach.
5. Work with the legal advisors to create a report
If it turns out that the intrusion into the database or the exposure of data is reportable, the data privacy officer needs to acquire a form from the ICO and fill it out with the help of legal and digital forensics professionals. The information needs to be in line with the findings of the investigation. Double-check all the facts.
6. Notification and PR
Create a list of subjects that need to be notified about the hack’s nature, duration, and impact. This list should include every customer and stakeholder that has potentially been affected along with all users who may need to install a patched version of your software to avoid being victimized. It should also include the insurers who might help you to bear the cost.
The organization’s PR team has to play a pivotal role in designing and circulating the message among all subjects in a way that puts the least amount of strain on the organization’s reputation. The communication should convince the recipients about the efforts to secure the systems and get the business back up.
Bottom line: Preparedness is the best way to respond to a data breach
Startups often lack advanced and mature security measures, which makes them easy targets. No business can be 100% secure from cyber attacks, even after doing everything right security-wise. Hence, the key to minimizing damages during an incident is preparedness. It helps you hold your nerve and prevents additional mistakes that make matters worse. Most importantly, preparedness is reflected in the data breach report and in the external investigations.