Ten Critical Steps to Take in the First 24 Hours of a Data Breach
When a breach is discovered, swift action and strategic thinking are essential. If you have not prepared, and indeed practised, a breach response plan covering how your organisation will respond, reassure and recover, the impact can be significant.
The first 24 hours are critical, so following these steps will help to reduce the impact:
- Record the date and time the breach was discovered, as well as the current date and time when response efforts began (e.g. when a member of the breach team was alerted).
- Alert and activate everyone on the response team, including external resources, to begin executing your preparedness plan.
- Secure the premises around the area where the data breach occurred to help preserve evidence.
- Stop additional data loss. Take affected machines offline, but do not turn them off or start probing into the computer until your forensics team arrives.
- Document everything known thus far about the breach, including who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what was stolen, how it was stolen, what systems are affected and what devices are missing.
- Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation.
- Review the procedures for disseminating information about the breach for everyone involved at this early stage.
- Assess priorities and risks based on what you know about the breach.
- Bring in your forensics team to begin an in-depth investigation.
- Consult your legal representation and senior management to clarify whether any regulatory agencies should be notified and, if so, notify them.