Incident Response

April 23, 2019



BY Konstantine Zuckerman

Responding to a breach or Incident Response.

Incidence response (next steps after a breach, notifying employees, notifying shareholders, CYA, reputation, insurance, attorneys, if you’re a big corporation or a gov’t contractor you had to notify the FBI know the local FBI rep)

As we’ve spoken about on Cybri before, cybersecurity is becoming a more pressing issue by the day, particularly for small to medium sized businesses. While much of our content focuses on avoiding breaches, it is obvious that this is not a question of if; rather, breaches are a question of when. When a security breach occurs, a prompt and effective response is important to mitigate damage to resources and reputation as much as possible.

Here are the steps a company needs to take the moment a breach is detected to prevent the damage these hackers can cause.

In the immediate discovery of a breach, law enforcement and forensics must be notified in order to set in motion an investigation into the breach. The FBI should be notified immediately, as they will be of great help in ultimately determining the source of the breach. The local FBI representative should be easily within reach. As breaches should be assumed to be a “when” rather than “if” problem, an incident response plan should be ready before any breach, as soon as possible within the timeframe of the start of business. Creating a response plan after the fact is a recipe for disaster. Furthermore, the benefits of data insurance far outweigh the costs, and in the case of a breach, not having insurance can be endgame for a company of any size. The following information is of utmost importance:

What was the content that was breached? Was it credit card numbers and CVVs? Was it social security numbers?

How much customer info was compromised?

How much employee info was compromised?

As an investigation into the technical causes of the breach continues, any clues should be assumed to lead to the worst case scenario. It is likely, especially in the first 48 hours of discovering the breach, that the scope will be unimaginably greater than whatever was initially believed. Employees should be notified immediately if their sensitive data has been accessed, and what will be done in the interim to secure the breach. A PR and Marketing team should be put to the task of deciding how to inform the public. They should be wise to detail:

What kinds of data were affected?

How many people and/or accounts were impacted?

How sophisticated/in depth the attack was, if this is already known.

Whether or not the breach has been contained

How long the data was vulnerable

It is important to regularly troubleshoot and run cybersecurity drills within a company, in order to find any potential areas of sensitivity before they become a problem. When problems are found, it is your due diligence to solve them before they get out of hand. In an example of what not to do, Target had a massive data breach in 2013, where 40 million customer payment cards were stolen and leaked onto the Dark Web, for use by cybercriminals and scammers. The response plan was botched, and the breach occurred during the peak of holiday season. It came out that they had found the sensitivity in their system but the IT department chose not to do anything about it. Fast forward, and they found themselves paying over 100 million in renumeration to consumers, banks, and credit card companies, and saw their quarterly earnings at the time drop by a severe 46 percent. In the wake of the incident the CEO and CIO resigned, and Target was a loss for leadership during a crisis.

While Target is a good example of what not to do, it is important to recognize what they did correctly. “The Target breach, for example, resulted in direct costs of $252 million, but the company’s insurance reimbursement brought that number down to $162 million” according to a report by Sky High Networks. Preventative measures can save money and face in times of data sensitivity.

After these steps have been taken, to secure the sensitivity and investigate the root causes, it is important to connect with employees, consumers, and the media in order to communicate the issue. Press releases, email templates, social media post, etc. should be prepared in advance of a breach, in order to have a timely public response. A delay in a response to the public can shatter confidence in a corporation’s ability to continue to serve the community of people who consume their product or use their service. This continued reputation is, in the long run, more important than this quarter or that CEO. The destruction of reputation can take yearsto recover, so a prompt and measured response to the public is necessary.

A good deal of the best practices in cybersecurity are preventative measures rather than reactionary measures. Prevention is the best cure for this sort of thing, so keeping an updated cybersecurity system, including antivirus software and employee training, must go hand in hand with a well-groomed response plan for the inevitable day when a breach actually occurs. As always, stay diligent and stay safe, and keep preemptive measures as a top priority in the case of cyberattack.

Related Content


stay informed!

Subscribe to receive exclusive content and notifications