You know that data breaches have become part of big business reality when the Harvard Business Review publishes a hypothetical case study entitled “Boss, I Think Someone Stole Our Customer Data”. The case study does a very good job of illustrating the initial confusion and many gray areas that enterprises face when confronted with a possible breach.

When the first signs of a possible breach are raised, there is often uncertainty about the nature of the breach, its extent, and whether there has been a breach at all. Insider breaches are especially tough, because insiders have a better chance of covering their tracks than intruders from the outside, and have more visible attack surfaces to begin with (this is one place where database monitoring can help).

Once it is established that a breach has occurred – and this does not have to be with 100% certainty; it is enough to establish that a breach is likely – there are many things an enterprise needs to do, and do quickly.

Finding the culprit(s) (the “whodunit”) would be many people’s instinct, but it should actually be quite low on anyone’s list, and usually takes a long time anyway. The top 3 immediate steps I would take are as follows:

  1. Stop the breach from continuing: Some breaches are still ongoing when discovered, and the first order of the day should be to stop them. If it’s a database breach and you can’t be sure exactly how it was breached, but you know what the source data was, secure that data. Change usernames and passwords, restrict privileges to the bare minimum, even take the database offline if necessary – until you find out how it was breached.
  2. Notify affected individuals and relevant authorities: In the US this is law. Known as California Senate Bill 1386 (SB1386), and copied with some variation across at least 34 other states (apparently now reaching 39 states), it mandates that when personally identifiable information is exposed – such as social security numbers, credit card numbers and other types of information that can compromise a person’s privacy – the holder of the data must notify the affected individuals. This allows individuals to take defensive action such as scrutinizing their credit reports, changing phone numbers, etc.
    I think this is the ethical thing to do even without a law, but clearly these laws are needed – the sad fact is that enterprises did not notify their customers, patients or employees of such things until they became legally bound to do so.
  3. Damage control: Company management, PR, marketing and customer relations should work together to issue a statement and answer any questions from the press. This is one of the cases where silence is not golden: silence can only be interpreted as a sign that the situation may actually be worse than disclosed. A timely statement that includes the facts of the breach and, most importantly, the steps being taken to handle it and prevent it from happening again is the best kind of damage control you can do. Anything else might buy you time in the short run, but may later result in a snowball of negative press and loss of customer trust.
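As an added illustration of step 1 (not part of the original post), the following PostgreSQL script performs the kind of containment described above for a suspected database breach: record the current grants for the forensics team, kill the suspect role's open sessions, rotate its password, cut its privileges to the minimum, lock roles that do not need access, and finally block new connections to the database altogether. The database name (`crm`), the roles (`app_user`, `reporting`) and the table (`customers`) are assumed names for the example.

```sql
-- Added example, not from the original post: emergency containment of a
-- suspected breach of a PostgreSQL database. Run as a superuser from a
-- maintenance database (e.g. "postgres"), not from the affected database.
-- Role names app_user / reporting, database crm and table customers are assumed.

-- 1. Baseline: capture who currently holds which privileges on the sensitive
--    table BEFORE changing anything, so investigators keep an accurate record.
SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_name = 'customers'
 ORDER BY grantee, privilege_type;

-- 2. Terminate every open session of the suspect application role so that an
--    in-progress extraction cannot continue on an existing connection.
SELECT pid, usename, client_addr, pg_terminate_backend(pid) AS terminated
  FROM pg_stat_activity
 WHERE usename = 'app_user'
   AND pid <> pg_backend_pid();

-- 3. Rotate the credential (replace the placeholder with a freshly generated
--    secret) and cap concurrent connections while the investigation runs.
ALTER ROLE app_user WITH PASSWORD 'REPLACE-WITH-NEW-SECRET' CONNECTION LIMIT 5;

-- 4. Restrict privileges to the bare minimum the application needs.
--    Note: "ALL TABLES IN SCHEMA" only affects tables that already exist.
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM app_user;
GRANT SELECT ON customers TO app_user;

-- 5. Lock any role that has no business reason to log in right now.
ALTER ROLE reporting WITH NOLOGIN;

-- 6. Last resort: take the database "offline" by refusing new connections
--    (existing sessions are unaffected, which is why step 2 comes first).
ALTER DATABASE crm WITH ALLOW_CONNECTIONS false;

-- Once the entry point is understood and closed, re-enable access:
-- ALTER DATABASE crm WITH ALLOW_CONNECTIONS true;
```

The ordering matters: sessions are terminated before the password is rotated, because a password change does not disconnect clients that are already authenticated, and connections are blocked only after the live sessions are gone for the same reason. Re-run the first query after the changes and keep both result sets with the incident record.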

Understanding exactly what happened, catching the culprits and upgrading security to handle such threats in the future are all necessary measures, but they usually take weeks or months to carry out after an incident.