View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
May 6, 2016updated 05 Sep 2016 11:48am

The critical first hours of a data breach: What to do when your business has been hacked

Analysis: The first in a series of articles looking at what business should do after finding systems and data compromised.

By Ellie Burns

Your business has been breached. A hacker has infiltrated your systems and now huge troves of valuable data are earmarked for the dark web. This is a reality which many businesses are waking up too – though many would say not quickly enough.

Business can prepare, but the consensus is that your business will suffer a data breach. Having previously detailed how to spot a data breach, the response to finding such an attack is crucial – evidenced not only by research, but by high-profile breaches such as Sony.

Firstly, a data breach costs money – £1.2m on average according to the Risk:Value report from NTT Com Security. Brand reputation also takes a huge hit from a data breach, you only need look at the impact of the TalkTalk data breach – over 100,000 customers and £60m lost.

In a series of articles, CBR will take you through the most important steps in how to deal with a data breach – immediate response, communication and public relations, long-term strategy and the perfect incident response plan.

The name of the data breach response game is protection – protect your assets, brand, reputation, customers and long-term future. With that in mind, this series kicks off with what to do in the first few hours following the discovery of a data breach.

What to do if your company has been hacked

Following a data breach you must lock down your systems. The first course of action for any business is to identify and isolate, as Piers Wilson, Head of Product Management, Huntsman Security, told CBR: "Following the discovery of a data breach, the first and most important step to take is to identify which systems and data were compromised and quarantine them in order to understand the nature and extent and to contain the risk."

Content from our partners
Fashion brands must seek digital solutions that understand the sector’s unique needs
Banks must better balance compliance with customer outreach

After having quarantined the vulnerability, it is imperative that you find out if the attackers have any other paths into your systems – the ‘three pronged attack’ is becoming more and more popular among hackers, as Laurance Dine Managing Principal of investigative response at Verizon Enterprise Solutions told CBR:

"Although their ‘route’ into your system might be easy to trace, in some cases criminals leave other ways to gain access or find additional methods to attack in addition to the breach you might have found. This is something that we have seen being exploited in this year’s Data Breach Investigation Report with the rise of the ‘three pronged attacked’.

"This has seen criminals sending phishing e-mails with malicious attachments that download malware onto a PC, these create an additional foothold from where additional malware can be used to look for secrets and steal information and credentials through key logging. Once the credentials have been gained they are then used for further attacks such as into third party websites or other networked systems not necessarily directly linked to the first attack that you might have found."

The first few hours of a data breach are crucial. Businesses must stay cool, calm and collected; panicking may only serve to damage the business further with hasty decisions made. In the first few hours, Russell Kempley, Head of Cyber Technical Services at BAE Systems, advises implementing the following procedure:


1. Assign an incident co-ordinator who can liaise with investigation teams and management

2. Ensure evidence is being captured and preserved – logs should be collected from key devices and extra logging enabled if the attack is ongoing. Compromised assets should be isolated from the network if appropriate to the type of threat and business impact.

3. Conduct an initial assessment to identify actual or potential business impacts; this informs the response strategy and what the key outstanding questions are

4. Call in specialist investigation support to help get accurate answers quickly and guide the business through the recovery. The UK Government / CESG has a scheme to certify incident response specialists so that you can choose a firm with confidence.

5. Take action, inform management and other stakeholders and seek advice from legal and communications teams.


Your immediate response to a data breach really depends upon its discovery. A breach is a technical issue, but if the breach has come to light via the press or a third party, instead of an internal discovery, then your response will be more reactionary and focus more on corporate reputation. Both external and internal discovery of a data breach requires the technical team to work closely with other departments such as legal and PR to devise an incident response strategy in order to limit the damage to the company.

According to Rashmi Knowles, the Chief Security Architect, EMEA, at RSA, the technical response takes a back seat to people and process. Speaking to CBR he said:

"People and process are more critical than the technology when it comes to incident response. First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time."

Once a strategy and the roles of those working to execute it are clearly defined, then comes the next stage in dealing with a data breach – communication. After establishing what has been lost, who it impacts and how it happened, the need to communicate to the authorities, employees and customers is critical.

Stay tuned for the next article in CBR’s data breach series looking at communication and public relations.


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.