For the average person or company, experiencing a data breach or any other kind of electronic security incident can be a lot like a car accident. It’s disorienting. It’s confusing. You’re not entirely sure what to do next.
In situations like this, it is often comforting to have a standard policy of some kind in place. At the same time, it is important to recognize that not all security issues are the same; some, therefore, cannot be properly addressed with a standard incident response procedure.
Experience comes into play in most situations, but ultimately it is knowledge combined with experience that makes it possible to navigate difficult circumstances and come out stronger as a result. If you think you might be at risk for a data breach or another kind of electronic or digital security issue, here are some things you should consider as part of your response.
If your data breach was discovered on any particular piece of hardware, like a server, a cloud machine, or even a mobile device, your first order of business is to isolate that machine from the rest of your network.
The reasons for this are two-fold. First, the overwhelming majority of data breaches rely almost entirely on network access in order to succeed. Second, your top priority is to preserve any evidence available to you and your team. Unless you isolate the breached machine, there is a better-than-average chance your evidence could be destroyed by the attacker.
It is absolutely vital you keep detailed records of everything you do from the moment the data breach is discovered. This is the undisputed top priority of any investigation or incident response. Without documentation, there is no way you will be able to put the pieces together later and there is no way you’ll be able to prove you performed your due diligence in the event of a dispute.
While it may seem strange to suggest that photographs can somehow help you solve a digital data breach, the fact is that photographs are a vital tool in any investigation. As all programmers know, software problems are inherently hardware problems. If you have a reliable record of where your hardware was, how it was connected, what was on the screen, how the hardware was configured, what the conditions were at the time and so forth, you may capture details that can help you solve the existing problem or prevent future issues.
Any person directly or indirectly involved with the systems that were breached should be exhaustively interviewed. Leaving aside for the moment the possibility that one of your employees or contractors could have been involved, having eyewitness accounts of the moments leading up to the breach could give you vital clues as to its origin and extent.
Use Your Knowledge
All the investigating in the world isn’t going to help you if you don’t put the knowledge gained to good use. Take what you’ve learned and prepare for the next breach. By and large, digital security issues boil down to inadequate knowledge of how security works. Solutions to that problem are hard to come by but are possible with the right steps.