5 Steps for A Data Breach Recovery Plan

By Morgan O'Mara | April 12, 2016 | 4 minute read

The moments after a data breach are the most crucial to a company. That is why it is so important to establish a data breach recovery plan that details the actions that you need to take at the first sign of a breach.

When it comes time to act, everyone must be able to remain focused and react quickly. Follow these five steps:

1) Isolate the Impacted Systems

System isolation is beneficial in two ways: Beyond simply isolating the affected machines, this phase enables law enforcement agencies to perform analysis that may help them identify the attacker and the vector of attack.

Isolate the breached machine from your network to prepare the system for forensic analysis. It will be important to look at all systems that interact with the compromised system.

If any one of those systems has been breached, it will be necessary to repeat the process with systems further along the network. Repeat this until all affected machines have been identified. After isolating all systems, create forensic copies and ensure to document all activity.

2) Make a Clean Start and Recovery

This step should include a rotation of credentials (passwords, encryption keys, etc.). Your incident response team must work with system owners to ensure any system-to-system communication remains in working order.

At the server level, you should take the same steps in a virtual and physical environment. If rebuilding is not possible, bring in experts who are capable of cleaning the system. Attempting to have untrained personnel perform this activity could lead to further breaches down the road.

After your system rebuilds, ensure that all systems are up to date with patches. It will take time, but data analysis will be required if any data repositories are breached. It will also be necessary to ensure the database is clean. This may require going back to a backup, analyzing the data, and working with transaction logs to rebuild your server.

3) Increase Monitoring

There are three main reasons for this. Firstly, the compromised server might not have been the original server. It’s possible your investigation missed the location of the initial breach. Increased monitoring can help you determine if that is the case.

Secondly, attackers may attempt to enter your system a second time. If they do, you’ll want to be ready for them. Lastly, there’s a good chance your system has a greater asset value than you originally thought. Increased monitoring is always a good option. It helps you keep an eye on things no matter where you are in terms of security.

4) Make Note of Lessons Learned

It’s always important to learn from a breach and the reaction of your incident response team. In the aftermath of a breach, it’s best to look at the existing processes that enabled the attacker to access your firm’s data. Additionally, it identifies any gaps in your incident response process.

5) Communicate

After a breach, communication is important, not only within your organization and your incident response team but also with customers and any other users who may have been impacted. Furthermore, it is imperative to make sure these communications go through your organization’s legal department and/or outside counsel.

No matter what lengths you go to to protect your highly valuable and sensitive data, there’s always a chance one mistake could occur and one extremely determined attacker could obtain access to it. Organizations with successful data breach response plans can recover quickly while regaining the trust of their customers.

Start Your Data Breach Recovery Plan With Record Nations Today!

Record Nations provides document and data management services via a network of highly specialized partners nationwide. We have over 20 years of experience in document and data management services. We’ll help you select a customized document management solution that fits exactly what you’re looking to do for your company.