After the breach: Rapid response

In this section:

Knowing how to appropriately react for a range of breach types can save time, money, and your company's reputation.

Bottom line: Poorly coordinated incident response activities may cause more damage than the breach itself.

The email arrived shortly after the payment processing company's website began experiencing slowdowns. The chilling message: You're being attacked, and the attacks will worsen until you pay a digital ransom in bitcoins.

The company, which processes $37 billion annually in transactions, could not afford any downtime. Nor could it simply pay the ransom, since there were no guarantees that the attackers would stop after the first payment. So the company's leadership and security teams quickly sprang into action. They first contacted the FBI, which confirmed that the threat was real. Then they called their service provider to help them analyze and address the threat.

Within two hours, a mitigation plan was in place. Two hours after that, defenses against the distributed denial-of-service (DDoS) attack were switched on to protect the at-risk systems.

The extortionists kept their promise to launch future attacks — but the reinforced defenses repelled the attacks "like they were bouncing off titanium," the firm's chief marketing officer said. The attack was resolved with no payment to the criminals — and no downtime for the payment processor's mission-critical website.

This example shows how the preplanning that goes into an incident response program enables an organization to move quickly to identify the scope of an incident and then take decisive steps to mitigate the damage.

Post-breach activities fall into two main categories: early-stage mitigation and post-containment analysis and communication.

Early-stage incident response activities

No two cyberattacks or data breaches are identical, nor are the ways in which companies first become aware that something's wrong. Small attacks or probes may be automatically detected and countered, or quickly contained by a company's security team. The seriousness of a breach may be immediately apparent, or its scope and damage may only emerge over time. But whether a major breach is only suspected or actually confirmed, the company's incident response plan comes into play.

Even at the first hint of a breach, the playbook should define a clear process for identifying a potential threat and prioritizing next steps. Consider building a set of tiered responses that are triggered by the escalating nature and severity of the threat. If a high-impact breach is confirmed, the CEO, board, and other key players must be quickly brought into the loop. Full incident response plans, processes, and teams go into effect when the breach is deemed serious enough to require full IT forensics and remediation, along with regulatory, legal, and public disclosures. These types of activities and programs can last for months, if not years.
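The tiered structure described above can be written down as data rather than left to memory. The following is an added illustration, not AT&T's tooling and not a published standard: the tier names, thresholds, roles and actions are assumptions chosen for the example. Each time the investigation learns something new, the incident is re-scored; the tier can only ratchet upward, so a single reassuring data point never silently stands down people who are already engaged.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Facts:
    """What is currently known about an incident; re-issued as the picture sharpens."""
    confirmed: bool = False            # suspected only, until evidence confirms a breach
    hosts_affected: int = 0
    records_exposed: int = 0           # customer or employee records believed exposed
    regulated_data: bool = False       # cardholder data, PII, PHI or similar
    critical_service_down: bool = False


# Ordered from most to least severe; the first rule that matches wins.
# Thresholds are assumptions for this example, not a standard.
TIER_RULES: List[Tuple[int, str, Callable[[Facts], bool]]] = [
    (3, "major breach",
     lambda f: f.confirmed and (f.regulated_data
                                or f.records_exposed >= 10_000
                                or f.critical_service_down)),
    (2, "confirmed incident", lambda f: f.confirmed or f.hosts_affected >= 10),
    (1, "suspected incident", lambda f: f.hosts_affected > 0 or f.records_exposed > 0),
    (0, "probe or noise", lambda f: True),
]
TIER_LABELS = {tier: label for tier, label, _ in TIER_RULES}

# Who joins the response at each tier and what the playbook has them do.
# Roles are cumulative: at tier 3 everyone from tiers 0-2 stays engaged.
ESCALATION: Dict[int, Tuple[List[str], List[str]]] = {
    0: (["soc_analyst"], ["log, block at the perimeter, keep watching"]),
    1: (["security_lead", "it_ops"], ["triage", "preserve logs", "snapshot suspect hosts"]),
    2: (["ciso", "legal", "compliance"],
        ["isolate affected systems", "open forensics case", "hold all external statements"]),
    3: (["ceo", "board", "corp_comms"],
        ["activate full IR plan", "engage outside forensics", "start regulatory notification clock"]),
}


def classify(facts: Facts) -> Tuple[int, str]:
    """Score the current facts against the ordered rules."""
    for tier, label, rule in TIER_RULES:
        if rule(facts):
            return tier, label
    raise RuntimeError("catch-all rule missing")


def roles_for(tier: int) -> List[str]:
    """Everyone who should be engaged once the incident sits at this tier."""
    return [r for t in range(tier + 1) for r in ESCALATION[t][0]]


@dataclass
class Incident:
    tier: int = 0
    log: List[str] = field(default_factory=list)

    def update(self, facts: Facts) -> dict:
        """Re-evaluate on new facts and say who must be brought in now.

        The tier only moves up. Downgrading is a deliberate decision at the
        review stage, never an automatic consequence of one data point.
        """
        assessed, _ = classify(facts)
        new_tier = max(assessed, self.tier)
        newly = [r for t in range(self.tier + 1, new_tier + 1) for r in ESCALATION[t][0]]
        self.log.append(f"tier {self.tier} -> {new_tier}; bring in {newly or 'nobody new'}")
        self.tier = new_tier
        return {"tier": new_tier, "label": TIER_LABELS[new_tier],
                "notify": newly, "actions": ESCALATION[new_tier][1]}


if __name__ == "__main__":
    inc = Incident()
    print(inc.update(Facts(hosts_affected=3)))                       # suspected: security lead + IT
    print(inc.update(Facts(confirmed=True, regulated_data=True,
                           records_exposed=40_000_000, hosts_affected=3)))  # major: CEO and board
    print(inc.update(Facts(confirmed=True, hosts_affected=1)))        # stays at tier 3
```

The `notify` list returned by each update is the delta, the people who were not yet in the loop, which is what an on-call engineer actually needs at 2 a.m.; `roles_for` gives the full roster for a status call.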

Your team's commitment to adhere to the playbook is instrumental throughout a breach. In sports, if one team member decides to play by their own rules, the chances of winning are generally slim. Fully committing to the incident response playbook requires confidence that your plan — and team — will succeed.

Your security team will almost always lead the early incident response charge, given the imperative to identify the nature of the breach. This team will then work closely with the IT department to contain its spread and to terminate its activity. For small- and medium-size businesses, the security team and the IT department could have the same personnel, making their involvement in incident response planning even more critical.

Service providers may play a critical role as well. Last spring, students in Texas used a DDoS attack to shut down their school district's system four days before standardized testing was set to begin. The attack shut down the ability to take attendance, distribute grades, and assign tests or homework. A prolonged outage would have crippled the district.

Collaboration is key

Fortunately, network administrators detected the attack after just five minutes; within 15 minutes of confirming the attack, they began diverting the targeted IP address through specially designed "scrubbing complexes" to mitigate the attack. Minutes after the traffic was passed through the scrubbers, the attack was controlled. By the end of the school day, traffic levels were back to normal and the issue was successfully resolved.

This example speaks to the importance of having a plan to rapidly isolate compromised systems when a breach is confirmed, while also firing up backup systems to minimize downtime. Although some of these actions may be automated, others require IT personnel to evaluate the situation before responding.
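The detect, confirm, divert and restore sequence in the school district example is the kind of decision that can be automated at the edge. The following is an added example, not the district's or AT&T's code: a per-destination volumetric detector that learns each host's normal rate from its own history, requires two consecutive over-threshold windows before declaring a flood (one burst is not an attack), refuses to let attack traffic poison its baseline, and lifts the diversion only after several consecutive normal windows. The traffic readings, addresses and parameters are constructed for the example. The "divert" decision stands in for whatever route change or provider API call steers the target's prefix through scrubbing in a real deployment.

```python
from collections import defaultdict, deque
from statistics import median

# Constructed sample, not real traffic: packets per second reaching the
# network edge, one reading per minute, for two hosts (RFC 5737 documentation
# addresses). The flood against WEB_SERVER starts at minute 11; once traffic
# is diverted to the scrubbers the rate reaching the host is normal again from
# minute 14. CONTROL_HOST stays quiet throughout and must never be flagged.
WEB_SERVER = "198.51.100.20"
CONTROL_HOST = "198.51.100.21"
WEB_PPS = [1000, 1100, 1200, 1050, 1300, 1150, 1250, 1100, 1200, 1150,
           3000, 9000, 40000, 60000, 1200, 1100, 1150]
CTRL_PPS = [450, 480, 420, 500, 460, 440, 470, 430, 490, 450,
            460, 470, 455, 445, 480, 465, 450]
SAMPLE_FLOWS = []
for minute, (web, ctrl) in enumerate(zip(WEB_PPS, CTRL_PPS)):
    SAMPLE_FLOWS += [(minute, WEB_SERVER, web), (minute, CONTROL_HOST, ctrl)]


class FloodDetector:
    """Per-destination volumetric anomaly detector with hysteresis.

    A destination is flagged when its rate exceeds trigger_ratio times the
    median of its recent normal readings for trigger_windows consecutive
    windows, and released only after clear_windows consecutive normal
    windows. Attack-sized readings are never added to the baseline, so a
    sustained flood cannot raise the bar it is measured against. The
    parameter values are assumptions for the example.
    """

    def __init__(self, baseline_window=10, min_samples=5, floor_pps=500,
                 trigger_ratio=5.0, trigger_windows=2, clear_windows=3):
        self.min_samples = min_samples
        self.floor_pps = floor_pps            # keeps low-traffic hosts from tripping on noise
        self.trigger_ratio = trigger_ratio
        self.trigger_windows = trigger_windows
        self.clear_windows = clear_windows
        self.history = defaultdict(lambda: deque(maxlen=baseline_window))
        self.hot = defaultdict(int)           # consecutive windows over threshold
        self.calm = defaultdict(int)          # consecutive windows back under it
        self.diverted = set()                 # destinations currently routed via scrubbing

    def observe(self, minute, dst, pps):
        """Feed one reading; return a divert/restore decision or None."""
        hist = self.history[dst]
        if len(hist) < self.min_samples:      # still learning this host's normal
            hist.append(pps)
            return None
        baseline = median(hist)
        threshold = self.trigger_ratio * max(baseline, self.floor_pps)
        if pps > threshold:
            self.hot[dst] += 1
            self.calm[dst] = 0
            if self.hot[dst] >= self.trigger_windows and dst not in self.diverted:
                self.diverted.add(dst)
                return {"action": "divert", "dst": dst, "minute": minute,
                        "observed_pps": pps, "baseline_pps": baseline}
            return None
        self.hot[dst] = 0
        self.calm[dst] += 1
        hist.append(pps)                      # only normal readings train the baseline
        if dst in self.diverted and self.calm[dst] >= self.clear_windows:
            self.diverted.discard(dst)
            return {"action": "restore", "dst": dst, "minute": minute,
                    "observed_pps": pps, "baseline_pps": baseline}
        return None


def run_detector(flows, **params):
    """Replay a flow log in time order and collect the decisions taken."""
    det = FloodDetector(**params)
    decisions = []
    for minute, dst, pps in sorted(flows):
        decision = det.observe(minute, dst, pps)
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for decision in run_detector(SAMPLE_FLOWS):
        print(decision)
```

On the constructed data the detector diverts the web server at minute 12, one window after the first attack-sized reading, and restores normal routing at minute 16 after three clean windows; the control host is never touched. The asymmetry is deliberate: two windows to act, three to stand down, because a premature restore hands the attacker the target back.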

Security teams and other incident response team members may have to perform rapid risk analyses, some of which will require C-suite involvement in the decision process. The CEO may be asked to weigh the damage an infected system might cause against the costs of shutting down critical systems and operations for hours or even days. These decisions aren't made lightly: Enterprises experienced an average of 23 hours of downtime as a result of security incidents in 2015, while small- and medium-size businesses averaged nearly 14 hours of downtime [13]. For some organizations such as ecommerce vendors, even an hour or two of downtime can translate into millions in lost revenue.

As security and IT teams work to contain and mitigate a breach, other actions and communications are activated. Relevant information about the breach needs to be distributed internally to C-suite executives, legal and compliance departments, the corporate communications team, and any impacted business units.

During this initial breach identification and containment period, it's important to assess when (or whether) to disclose the breach outside of the company. While affected customers or business partners will need to be informed quickly, going public with news of the breach may require more time. When your team is still working to counter and assess the scope of the breach, public attention can cause unnecessary confusion and concern, both internally and externally. Plus, any incorrect information that you release can be difficult to correct or clarify later.

Know the terms:

Security incident

Unauthorized access to assets, such as data, networks, and devices.


Collects, analyzes, and reports on data to use in the detection and prevention of a breach.

Companies have learned this lesson the hard way. In late 2013, one day after a security website reported that Target was investigating a large data breach, Target CEO Gregg Steinhafel confirmed that data was stolen and said the breach affected 40 million payment card accounts. In the weeks that followed, Target was forced to revise that picture repeatedly, disclosing in January 2014 that personal information of up to 70 million additional customers had also been taken. The shifting numbers fed a storyline of mismanagement and ultimately contributed to Steinhafel's resignation.

Post-crisis responsibilities and actions

Once a breach has been contained and business operations have been restored, some of the most challenging work and communications gets underway. Security and IT teams, often with the assistance of outside experts, must perform computer forensics and other postmortem tasks to fully understand the root cause of the breach and confirm that the threat has been eradicated. As noted earlier, having the right tools in place up front tremendously improves the accuracy and detail of this work.

"The knowledge gained from threat forensics and analysis will shore up organizations' cyberdefenses," says Alex Cherones, director of product marketing for Threat Management Solutions at AT&T. "It's a vital step in preventing successful future attacks."

As IT teams work through their forensics, mitigation, and remediation tasks, they will collaborate closely with corporate lawyers and compliance officers. Among other tasks, these departments will coordinate with federal and state law enforcement agencies to help identify the people, organizations, or countries behind the breach. At the same time, the legal and compliance offices will assess the organization's own liability for any exposed personal information and for any laws or regulations that may have been violated.

Navigating breach communications

When it comes to post-crisis messaging, there are a number of best practices to follow:

  • Respond quickly, but resist the instinct to overcommunicate
  • Rely on boilerplate statements that have been prepared in advance and preapproved by stakeholders
  • Focus on customers in your public messaging, and not so much on your company
  • Consider setting up a section of your website where customers, the press, and others can get up-to-date information about the cyberbreach and your company’s response to it
  • Promote a proactive message about the positive steps your company is taking in response to the breach

The applicable laws and regulations can vary greatly depending on the nature of the breach, the industry sector in which a company operates, the geographies in which it does business, and many other factors. Often companies are obligated to promptly notify law enforcement groups, federal agencies, and others of the breach. Preapproved notification templates and distribution lists will help an organization quickly comply with any such requirements. The same goes for any contractual obligations that require notification of partners, customers, or others after a breach.

Beyond legal and regulatory communications, a victimized company will also field questions from customers and the media. An incident response plan should clearly spell out who will serve as the primary public spokesperson(s) and enforce strict message discipline and flow. For major breaches, the CEO often serves as the lead public spokesperson to deliver messages about how the breach occurred, how future breaches will be prevented, and what the company will do to support and compensate customers or any other injured parties.

In the wake of the massive Sony hack in November 2014, Sony made several missteps in its public communications. Initially, the company released a vague statement about investigating an "IT matter," then characterized the breach as a "system disruption." As the hackers leaked more and more information, executives were put on the defensive about the sensitive content being released. Sony's outside counsel sent cease-and-desist letters to the media in an attempt to keep them from publishing the leaked documents, a tactic that was viewed as desperate and defensive. By trying to contain the story rather than the incident, Sony took far too long to acknowledge the breach and to talk about how it was fixing the problem.

One overriding communications strategy is to focus less on the damage to your company and more on the steps you're taking to protect your customers. Consider setting up a website where customers, the press, and other interested parties can get up-to-date information about the breach and your company's response to it. That's one tactic Home Depot took in 2014 after discovering that customer debit and credit card information had been breached. The retailer quickly set up a website to keep customers informed about the breach and ways to protect their personal information.

A communications plan that focuses on helping the customer rather than describing the problem also has a side benefit: limiting media interest.