Preparation is everything when dealing with what happens after a data breach—and it starts with an effective incident response plan. Anticipating future scenarios will enable any organization to move quickly, accurately, and efficiently in a crisis situation. A strong preparation would include building an incident response plan, assembling an incident response team, and practicing the response through tabletop exercises and other simulations.
At the end of the day, though, it all comes down to the first 48 hours. We asked Jeff Chan, Vice President of Technology at MOXFIVE, for some tips on what to do in the immediate aftermath of an incident.
What do you do in response to a data breach event? What steps do you take immediately?
First and foremost, you have to keep calm and assess your situation. Often, people want to start ringing the bell when it’s not really needed. You should already have an action plan in place that tells you what key players need to be doing. Your priority should be to reach out to privacy counsel, the forensics team, and the recovery team to help you make key decisions and point you in the right direction. You also want to have a conversation with your insurance carrier to make sure you understand your coverage. They might also have a playbook or a plan ready for you to go when these situations happen.
What are clients most worried about in this situation?
Candidly, I think the most important thing that people worry about is a halted business because of a problem with the environment. They worry they can’t generate revenue; that their customers are going to lose trust in them. There are many other negative impacts and ramifications.
In our work, we see that some clients are good at dealing with a cyber crisis. Other clients have a tougher time, but they need to figure out a way to transition away from that mindset of fear to one where they can start dealing with the situation and figuring out how to move forward.
How should organizations go about creating an incident response team?
There are many different components you may need on the team, and they should all be documented in your incident response plan. Depending on your infrastructure or the nature of your business, you may or may not need privacy counsel. From a notification standpoint, privacy counsel may not be necessary unless you store sensitive information such as credit card numbers or patient health records, but it’s always good to have it. You also need to have a technical voice—somebody who can oversee issues related to forensics, recovery, ransom negotiation, and so forth. That advisor might have expertise across all of those domains, or they could be an advisor who at least understands your environment from a security and IT perspective. That way when you are down, they know exactly where to begin and how to guide you in assessing the situation, the environment, and the next steps.
How does the incident lifecycle typically play out?
We talk about the incident response effort beginning with the first 48 hours. The “first 48” is usually the most intense time when you have to assess and evaluate what is going on. You need to look at your backups, what systems are encrypted, and how the situation can be approached from a forensic standpoint. Do we focus on systems in this specific office or this specific general location? Whatever we need to do on that front, it happens during the first 48 hours.
You need to make sure that every key player working on the incident is aligned, and that everybody’s singing from the same sheet of music. You need to create an action plan with task items for everyone. Once you get past those first 48 hours, things start to smooth out a little bit as people start working through the tasks and everyone has a clear course of action.
Why are incident response reports important?
Incident response reports are crucial for many reasons. For your own company, getting that report can help everyone understand exactly how you were able to respond so you can better position yourself and ultimately this doesn’t happen again. You want to document all the moving pieces of how the threat actor got in, what they actually did within your environment, whether they were able to steal any data, and to what extent.
These reports are extremely beneficial for insurance carriers as well. Why? Because insurance carriers are typically not involved in the nitty-gritty of the process. So when you submit a claim, a report presents a better picture of what happened and the extent of the damage—the recovery efforts, the forensics efforts, and so forth.
Can you give us an example of a time when incident response was especially critical or challenging?
For me, it’s about helping clients, helping people—and in some cases, you are saving lives. I had an incident in 2020 where a hospital was faced with a ransomware attack. The threat actors had disabled systems used in the neonatal intensive care unit. The babies in this unit were hooked up to feeding systems that automated their formulas, which were specific to each patient.
So managing that crisis became priority number one. Because all of these formula calculations were stored in an electronic records system, we had to find alternatives, which required going out to other hospitals and bringing in nurses to prepare those formulas by hand. There are situations where threat actors impact critically important systems and we need to be able to respond quickly and effectively.
What else do people need to understand about the reality of incident response?
Oftentimes people think that preparation begins and ends with a tabletop exercise or other simulation and that once you’ve done that it’s going to be smooth sailing. The reality is you can’t quite anticipate every type of situation unfolding. Every situation is unique and at the end of the day, you have to deal with it right then and there.
True preparation includes creating a detailed incident response plan, testing it, making it accessible and putting appropriate security measures into practice daily. An incident response plan prevents organizational chaos, documents clear action steps and limits the severity of business interruption. There’s no quick fix and no last-minute substitution for consistent preparation. You have to go through the proper process every day, putting in the work, time, people, and money to ensure you are truly prepared.
If you don’t have an incident response plan in place, you’re not prepared for a cyber incident. NetDiligence has a suite of resources, including a turnkey incident response plan solution to help your business prepare for and respond quickly to cyber threats when, not if, they find you.
