What are the first things that organisations should do if they suspect that a breach has occurred?
Answered by Nick Klein, Executive Director, Digital Forensics and Incident Response
How an organisation responds will be based on how well prepared they are. If the organisation has an incident response plan in place, with trained staff, capabilities and processes, they already know what to do. But if you don’t have this in place, probably you will need some help from an expert.
The first advice is don’t rush into fixing the problem, take a deep breath, make sure you assess the situation very carefully and plan what the next steps are going to be. It’s a bit like ambulance officers at a crash or an accident. People need help straightaway, but the ambulance officers will never run. They’ll always walk over because they’re assessing the situation. So, the first step is always to understand exactly what has occurred; What do we know? What don’t we know? What evidence do we have? Where is it on our network? You need to know the facts of what’s happening rather than what people suspect could be happening.
The next step is identifying what the data sources are that could be useful for the investigation. So, by exploring the incident and understanding what is happening, you can start asking; what logs do we have? What backups do we have? Where can we get data for the investigation? Then start making a plan for collecting it and analysing.
The third step is around containment. This is where you need to strike a careful balance. Don’t begin by ripping systems offline, disabling accounts and pulling internet plugs. You don’t need to go into full eradication mode straight away, but you often need a level of containment so that you can “stop the bleeding”.
Map out a plan for containment at the start and make sure your main stakeholders are involved. It could be senior management, it could be HR if there are internal issues, it could be external providers, external IT or legal advisers. If you’ve got a potential data breach, it could be mandatory to report it under the NDB legislation, so you should definitely get legal advice on that. Also, check to see if you have cyber insurance in place because they could be tremendously helpful to you.
Next, assign roles and responsibilities to the people who are going to be involved in responding. Make an agreed plan of tasks across the team and then run it like an IT project. That means regular catch-ups, regular updates, regular status meetings and assigning someone to coordinate the response.
These are the critical first steps and if you can get those right, then you’re setting yourself up for success.
View our 5 easy steps to improve your cyber resilience.
