You will often hear information security experts say that the best defense is a good offense; proactivity is better than passively waiting for something to happen.
Unfortunately, many of these same people will tell you to say “when,” not “if,” when referring to a data breach occurring. While you should have great data breach defense and offense strategies, you also need to understand real-time security. You need to know what to do when an attack is discovered.
What to do: Real-time data breach
So, the time we have all feared has come; you have had a data breach. You should have an incident response plan in place, but real-time breach response requires you be flexible and adaptable to deal with whatever the attacker throws at you.
Clearly define roles and responsibilities
Each role and responsibility should be defined in the incident response plan, but you can’t plan for who is going to be available when a breach happens. You don’t know who is going to be sick or on vacation. Assign roles to the team you have, and don’t forget to have a leader (likely you) who acts as a supervisor and a communicator between team members. If you have the manpower, have a “floater,” someone who can act upon unanticipated needs.
Don’t be misled
Real-time data breach defense is vastly different from any practice scenario you have ever experienced. Yes, you will need to locate the source of the attack, but once you do, don’t think that is the end. For example, a hacker could have created multiple doorways into your system by the time you have detected the attack and started looking into it. Another thing to think about is social engineering: even if it looks like a certain employee was the source of the breach, think twice. Were their credentials compromised?
Don’t jump to any conclusions when it comes to eradicating a hacker. Always explore more possibilities and look deeper. Declaring successful containment too early could be a fatal mistake for your company.
Notify the proper authorities ASAP
Who the “proper authorities” are depends on your business and what the hackers took. Part of your incident response plan should include a list of whom you need to call after a breach. Don’t wait until you have all the details to make these calls. The legal system and government organizations are not known for their speed; give them a heads up on what is happening so your team and their team can work simultaneously.
Real-time data breach response is all about putting your incident response plan into action, while also being willing to adapt it to the situation. It may sound odd, but you need to plan for the unexpected.