You’ve just been breached. Do you know what life in your organization will look like from this moment on? I can assure you that nothing will be the same, for a very long time. 

In some ways, becoming cognizant of a breach is akin to hearing a dreaded diagnosis from your doctor. Without advance notice, all of your priorities suddenly shift, and the future of your company is called into question. There are no guarantees, and everyone who knows you will see you differently. 

The vast majority of data breaches could have been avoided. But time and time again, companies get breached because they didn’t think it would happen to them. They might have done the bare minimum, or paid lip service to security, or they got complacent over time.

If you don’t know what to expect in the days, weeks, and months after a data breach, I can tell you this: every corner of your business will be affected by the attack you’ve just suffered. Let’s take a look at the fallout that’s typical for any organization that has been hit with a cyber attack.

Discovering a Data Breach

You’ve just gotten the bad news. What happens next depends on how you’ve discovered the breach. Your organization could become aware that you have a security issue through one of several channels:

  • Your internal team spots the problem on their own.
  • A known or trusted third party, such as a customer or vendor, tells you they’ve seen something suspicious.
  • The attacker themselves alerts you that you’ve been breached.
  • A news outlet got a tip before you did.

In the first two scenarios, you may be fortunate enough to have some time to get your arms around the situation before the news goes public. That may give you some space to potentially gain sufficient understanding of the situation and the extent of the attack. It will also give you the chance to plan and execute a tactical response.

But in the other two scenarios, the timeline is typically very short, or non-existent. You may only have until the end of the day to respond before the news goes public. Or, the news has already broken and you only find out because someone sends an article to you. There is no advance warning.

Many companies have had the unfortunate distinction of finding out about their breach through a report from a news outlet like Krebs on Security. And as soon as one outlet picks it up, it spreads like wildfire across the internet.

Your First Steps to Mitigate Disaster

Once you get tipped to a possible breach, there will be a quick succession of events:

  1. The issue is confirmed by your IT/cybersecurity staff. DON’T DO ANYTHING YET TO STOP THE DAMAGE. See below.
  2. The executive leadership is immediately notified.
  3. Calls go out to your legal team and your insurance company.

Why shouldn’t you try to stop the damage of an active breach? When you first discover the incident, it’s a natural impulse to shut down your system to stop the damage. But that may not be the wisest course of action. Depending on the scenario, it can potentially destroy critical evidence that investigators will need. Wait for the experts to tell you what to do next. 

Your legal team will immediately counsel you on the way to handle the breach publicly. Make sure you coordinate communication with their sign-off.

As soon as your insurance company is involved, the first thing they’ll do is assemble their team of experts and deploy them to your organization. This team will investigate to determine exactly what happened (and if it’s still happening).

Hopefully, you’ll have the insurance protection you need.

All of these events will occur within hours, and your normal day-by-day operations are now a thing of the past. Your security issue will be top of mind every day for the next six to twelve months — if your business survives that long.

Experts will come in and treat your business like a crime scene. They’ll conduct a forensic investigation to determine what happened, when, and what kind of damage was inflicted.

During this time, the forensics team will examine your logs and your systems to determine what occurred and what the scope of the damage is.

While the forensic investigators are tracking down evidence and following audit trails, there will simultaneously be other validations and tests being performed. One team is on the inside trying to figure out what happened. Meanwhile, another team is doing analysis and evaluation of how someone could possibly have gotten into the system — essentially, vulnerability scanning and penetration testing, in concert with the forensics team. Both sides will glean valuable information and be able to assist each other.

If you haven’t been truly doing your due diligence to secure your company, you’re likely to discover for the first time that you don’t have the tools and resources you need to understand your situation — or to remediate it.


Going Public with Your Data Breach

At some point in the game — and it will be sooner rather than later — your security incident is going to become public. It’s not a question of if it goes public, but when. You’ve crossed that bridge and there’s no going back. Your current customers, your future customers, your partners, your employees, your stakeholders — they will all know about the cyber attack.

Besides the broad public announcement that you make to the world, you should deliver specific communications which are tailored to specific stakeholders. Anyone you pay, and anyone you receive payment from (or that’s in the various stages of your sales funnel), should be on that list. Segment the list as needed and draft audience-specific communications that address the unique questions, concerns, and fears of that audience. 

Don’t forget to pass these communications through legal prior to distribution.

What Are the Organizational Fallouts of a Data Breach?

The financial fallout of a cyber attack can be deadly to a business. The cost of a data breach for an average size business is over $4 million. Companies that don’t have cyber insurance — or adequate cyber insurance — typically have no way to survive a cyber attack. It’s a fatal blow.

Make sure you have cybersecurity insurance — and make sure it’s actually valid. I’ve personally dealt with multiple companies that thought they were covered by cybersecurity insurance, only to discover they had unknowingly invalidated their policies.

Learn how to tell if you’re actually covered by cyber insurance.

Even with cybersecurity insurance, most companies don’t survive beyond six months after a cyber attack. 

Other financial fallouts include business loans and other sources of credit, which may be increasingly difficult to obtain or maintain following a public data breach. Your insurance rates are almost certainly going to rise, substantially. 

There’s also the staffing fallout. To make ends meet, companies often cut their staff drastically, leaving the organizations understaffed. And because these businesses are in a state of crisis, stress levels are high and morale is low. 

It isn’t long before an organization’s best workers have had enough and find other employment, creating a vicious cycle that can be challenging to correct. You’re already short staffed, and with your best people jumping ship, it increases load on the less capable folks that remain.

A cybersecurity event can haunt your business for years, even after you’ve survived the remediation and confirmed the implementation of security best practices. The financial impacts take years to overcome, and the headlines are out there forever.

Any time a new prospect does research on your company, those headlines will resurface — even years later. Some clients require vendors to fill out security surveys before signing contracts, and those surveys ask about data breaches you may have had in the past. In some ways, it will be similar to the experience that a job applicant with a felony on their record would go through.

All Hands On Deck

This issue isn’t just an IT issue for your company. Almost immediately, it will start affecting other business areas, such as legal, operations, sales and marketing, customer support, HR, accounting and more. Before long, it will be an all-hands-on-deck situation.

On Day One, it’s all IT and legal counsel. These poor souls will be hunkered down 24/7, and it is an absolutely brutal experience. You’ll need to operate in shifts so that your people can get some sleep and shower, but the overtime is enormous. Expect to work nights and weekends for weeks to months.

It’s critical that your legal representatives are familiar with dealing with security and compliance issues. Cybersecurity is a highly specialized realm, and it takes an expert with firsthand experience to guide you through those treacherous waters. A competent contract lawyer or general legal counsel won’t have the expertise that you need in the midst of a cyber crisis. 

When you’re in this situation, you can’t afford to have your legal team figuring things out when you need expert guidance yesterday.

Once you’ve confirmed that you have a security issue, your leadership will need to have a conversation with everyone who interacts with your customers — especially sales and customer support. You’ll be in much better shape to do this well if your company already has a game plan that’s ready to go, which you’ve trained your personnel on in advance.

Accounting will be highly involved, because you’ll have a lot of spending to do, and a lot less money coming in. Chances are, your organization will need immediate access to funding, which underscores the need for pre-planning for funding access before this situation arises.

HR will probably get tapped due to the sudden need for specialized resources.

In short, every realm of your organization will get involved in one way or another.

Remember, your goal as an organization isn’t merely to fix your security or get things back in order — you’re on a mission to keep the company alive. Everyone’s job is on the line if things don’t work out.

Damage Control

The minute that your breach becomes public, there are several things that your sales team will be dealing with. Any prospective customers in your pipeline will immediately hit the brakes. Most of them will turn tail and run. A few prospects will put things on pause to see what happens, but you shouldn’t expect them to come back around for at least a couple of quarters until the dust settles.

A large part of damage control with customers depends on the results of your forensic investigation. If you already had a strong, robust security program but you just happened to get hit with a zero-day vulnerability, you may be able to salvage a lot of your customers, if you move fast with the right communication.

On the other hand, if the experts determine that your company was deficient in several areas, you will have a hell of a time retaining any of your prospective customers.

The biggest problem is that it’s not just your prospects that you’ll lose. Even your most loyal, satisfied customers will find a replacement solution as quickly as they can. These clients have the expectation that you’re protecting their sensitive information, and your customer success teams will be on the hot seat to answer a deluge of very uncomfortable questions.

And if your company isn’t perceived as being open and transparent about exactly what happened and how you’re handling remediation, then all of your stakeholders will seek answers on their own. Or, worse yet, they’ll make assumptions — and share those assumptions online.

In short, there is no way to keep this big of an event a secret. There are just too many people and technologies involved to keep things quiet. It’s in your company’s best interest to get your arms around the situation quickly, identify the issue quickly, roll out your remediation quickly, and communicate quickly (and honestly).


How Long Will It Take to Recover from a Breach?

Full recovery from a data breach typically takes more than 100 days — and often more than 150 days. By full recovery, I mean:

  • Your business operations are back to normal in the areas that were affected by the breach. 
  • You’ve met your compliance obligations and paid your fines.
  • Customer (and employee) trust has been restored.
  • Your organization has put controls, technologies, and expertise in place to avoid future data breaches.

Part of the ongoing activity during the initial 100 days is cataloging all of your lessons learned. There may be a myriad of actions for you to take. For example, you may need to switch vendors, or you may need to implement security solutions you didn’t have before. You may also need to bolster your cybersecurity and compliance stance — buttoning up your processes and controls that could have helped to prevent the security incident in the first place.

Almost certainly, you’ll need to train (or retrain) your personnel in security and compliance. That should include everyone from the CEO to the temporary mailroom clerk — whether they’re employees, contractors, freelancers, or vendors who have access to your sensitive data or supporting systems.

Whenever you find a vulnerability, you need to ask yourself, “How is it that this vulnerability was resident on our systems? How is it that we didn’t have a control to alert us to this issue?” In some cases, you’ll find vulnerabilities that were recently released and you wouldn’t have known about them before. But in other cases, there are lessons to be learned and applied. 

Use your vulnerability testing as an analysis for failures in control mechanisms within your overall security and compliance program. Implement a continuous improvement feedback loop to close up more holes.

Have an Action Plan Before Your Data Breach Occurs

Most organizations don’t have a clue who they need to notify after a security incident. They don’t know what their legal or contractual responsibilities are, and there’s certainly no SOP for this kind of event.

On top of that, you have an entire organization of people who want their own answers. Your employees and your board members are stakeholders with their own set of risks and fears. They’ll want answers, too.

Because you’ll have so many pieces that need to be immediately set in motion, you should have already developed an emergency plan ahead of time. That plan should include:

  • The escalation steps that you’ll take, based on the circumstances
  • Who will be involved
  • What will be communicated to whom and when
  • How it will be communicated
  • Who will do the communicating
  • And more

Your security team should go through tabletop exercises on a regular basis, and your entire company should be regularly trained for the roles they’ll have in the event of a breach.

Going Back to “Normal” After a Cybersecurity Attack

How long will it be until your company can return to normal operations? The reality is that there is no going back to normal. Your old normal is a distant memory as the lessons learned and pain experienced by the organization translate into fundamental changes to the company.

The vast majority of data breaches were unfortunately preventable, which means your organization will need to adopt new ways of operating in order to prevent future breaches.

Your security event will have fundamental and long-lasting implications. For example, Target’s huge data breach in 2013 is still being talked about in certain circles. So in order to survive a data breach, your company will have to elevate its stance on its security and compliance program.

You’ll likely need different staff, different vendors, and different technologies in place. You will probably need to take painful belt-tightening measures to keep your business viable. The fact of your past cyberattack, along with the stark possibility of a future attack, necessitates a whole new way of running your business, at every level. The stark reality is that now that you’ve experienced this breach, you will be haunted by the shadow cast by this dark event for years to come.

Finding the Bright Side of a Breach

While the negative impacts of a data breach will endure, you can turn the event into a positive opportunity. Consider this post-breach existence as an opportunity to make your company stronger than ever. Educate your prospective customers and stakeholders about your improved security posture and the specific ways that you’re keeping their data safe.

Take the opportunity now to ensure that you are doing your fullest due diligence to prevent a cyber attack. Because most breaches could have been prevented, that means you can minimize the chances that your company falls victim to a breach. 

Our sincerest of hopes is that you’ve made it this far and your organization has not yet experienced a life-changing breach. Take proactive steps toward validating your stance against target security and compliance standards and certifications by leveraging a tool such as TCT Portal to determine where your organization truly stands. Don’t take the word of your internal IT personnel or vendors that your data is safe. Trust, but verify.

If you aren’t already compliant with a rigorous cybersecurity standard like PCI DSS, TCT can help you get there quickly. Let’s get you protected today.
