
What Is The Most Important Task After A Security Breach?


In spite of your best efforts to prevent them, data breaches can still occur. The possibility of such an attack is always there, even if you take every precaution that you can. Of course, if your security is well-configured, most of those attacks will not succeed.

A data breach does not always require a cyber-attack; misconfiguration and accidental disclosure cause plenty of them. Most intrusion attempts are opportunistic and low-skill, but a capable, persistent attacker is much harder to stop. That is why your organization should have a detailed, rehearsed response plan in place before a breach occurs. Let’s walk through the essential first steps.

Step One: Contain The Breach

As soon as you realize that a breach has occurred, the first step is to contain it and keep it from causing any further damage. There are a number of ways to do this, and the right one depends on how the attacker got in and what they are currently doing.

For instance, if your network monitoring shows data being uploaded to an unauthorized device or IP address, block those destinations in your firewall rules and isolate the sending hosts from the rest of the network. Cutting the organization’s internet connection entirely is the blunt version of the same idea: no matter how skilled they are, an attacker cannot exfiltrate data over a link that no longer exists. Treat that as a last resort, though. Pulling the plug stops the attacker, but it also stops your business, cuts off the remote tooling and log forwarding you need for the investigation, and tells the attacker they have been spotted. Isolating the affected hosts (keeping them powered on so that memory and running processes can still be captured) usually achieves the same containment with far less collateral damage.

On the other hand, if the damage has already been done and the attack appears to be over, your first step is still to verify that no further data loss or theft is taking place. In many cases, intruders gain access by compromising a legitimate account. Disable that account, reset its credentials, and revoke its active sessions and API tokens rather than deleting it: deletion destroys the audit trail you will need later, and a still-valid session or token can keep working after a password reset. Then check for any additional accounts or persistence mechanisms the intruder set up while they had access. Removing the attacker’s access is the most important task after a security breach has been detected.
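The containment step described above, as an added example that is not part of the original article or PCH Technologies’ own tooling: a small triage script that reads outbound flow records, totals bytes sent by each internal host to destinations outside an allowlist, and renders the firewall and host-isolation actions for an analyst to review. The flow-log format, the sample lines, the internal/allowed network ranges and the one-megabyte threshold are all constructed assumptions for illustration; adapt them to what your firewall or NetFlow collector actually emits.

```python
"""Spot suspected exfiltration in outbound flow records and propose containment.

Added example, not PCH Technologies' code. The log format, the sample
lines, the network lists and the byte threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2024-05-01T02:11:04Z 10.0.5.23 203.0.113.77 443 184320
2024-05-01T02:11:09Z 10.0.5.23 203.0.113.77 443 2097152
2024-05-01T02:11:15Z 10.0.5.23 203.0.113.77 443 3145728
2024-05-01T02:12:00Z 10.0.5.41 198.51.100.10 443 51200
2024-05-01T02:12:30Z 10.0.5.23 192.0.2.9 22 524288
2024-05-01T02:13:00Z 10.0.5.8 203.0.113.77 443 8192
"""

# Assumed: your own address space (traffic staying inside it is not exfiltration).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: destinations the business knowingly sends bulk data to (e.g. a backup SaaS).
ALLOWED_DESTINATIONS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed: bytes one host may send to a single unknown destination before we act.
EXFIL_THRESHOLD_BYTES = 1 * 1024 * 1024


def parse_flows(text):
    """Parse the flow lines into dicts, skipping lines that do not fit the format."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({"ts": ts,
                          "src": ipaddress.ip_address(src),
                          "dst": ipaddress.ip_address(dst),
                          "port": int(port),
                          "bytes": int(nbytes)})
        except ValueError:
            continue  # malformed field; a real collector would log it
    return flows


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def find_suspect_egress(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Total bytes per (src, dst) to external, non-allowlisted hosts; keep pairs over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if _in_any(f["dst"], INTERNAL_NETWORKS) or _in_any(f["dst"], ALLOWED_DESTINATIONS):
            continue
        totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


def containment_commands(suspects):
    """Render containment as iptables commands for an analyst to review, not to auto-run.

    Blocking the destination closes this channel; isolating the source host stops
    the attacker from simply switching to another one. The host stays powered on so
    memory and running processes can still be captured for the investigation.
    """
    cmds, hosts = [], set()
    for src, dst in sorted(suspects, key=lambda p: (str(p[0]), str(p[1]))):
        cmds.append(f"iptables -I FORWARD -d {dst} -j DROP  # block exfil destination")
        hosts.add(src)
    for src in sorted(hosts, key=str):
        cmds.append(f"iptables -I FORWARD -s {src} -j DROP  # isolate suspected host")
    return cmds


if __name__ == "__main__":
    suspects = find_suspect_egress(parse_flows(SAMPLE_FLOWS))
    for (src, dst), total in suspects.items():
        print(f"{src} -> {dst}: {total} bytes to unknown destination")
    print("\n".join(containment_commands(suspects)))
```

In the constructed sample only one host trips the threshold: 10.0.5.23 pushes just over 5 MiB to 203.0.113.77, while its smaller transfer to 192.0.2.9 and the allowlisted backup traffic from 10.0.5.41 are left alone. The commands are emitted as text rather than executed because a human should confirm the destination is not a legitimate partner before traffic to it is dropped.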

Step Two: Investigate

Once you are confident that the attack is no longer in progress, you can focus on working out how, why, and where it happened. System logs will be invaluable here, provided they haven’t been wiped or altered (forwarding logs to a central collector makes that much harder for an attacker to do). If malware is found, it must be removed, but capture a copy of the sample and a disk or memory image of the infected host first, because wiping the machine also wipes your evidence. Before you do this, it may be necessary to isolate specific parts of your systems or networks.

Apart from establishing the method of attack, you also need to establish what data was exposed. That determines both the extent of the potential damage and your legal notification obligations. As you work, it is critical that you document everything and preserve as much evidence as you can, including hashes of every collected file and a record of who handled it and when. Law enforcement, regulators and your insurer may all need to be notified about the breach, so make sure you can give them the information they need.
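The evidence-preservation step above, as an added example that is not part of the original article or PCH Technologies’ own procedure: before any cleanup, hash each collected log file into a manifest that records size, modification time, collector and collection time, then re-verify the manifest later to prove nothing was altered in the meantime. The two log files, their contents, the collector name and the JSON manifest layout are constructed assumptions; the SHA-256 hashing and the before/after comparison are the actual technique.

```python
"""Build and later verify a hashed evidence manifest.

Added example, not PCH Technologies' code. The sample log files, their
contents and the manifest layout are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record hash, size and mtime of each evidence file plus who collected it and when."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({"path": os.path.abspath(p),
                        "sha256": sha256_file(p),
                        "size": st.st_size,
                        "mtime": st.st_mtime})
    return {"collected_by": collector,
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files": entries}


def write_manifest(manifest, out_path):
    """Write the manifest and return its own hash; keep that hash somewhere the attacker cannot reach."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest):
    """Return the paths whose current hash no longer matches the manifest (or that are missing)."""
    changed = []
    for e in manifest["files"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            changed.append(e["path"])
    return changed


def demo():
    """Constructed run: preserve two log files, then show that a later edit is detected."""
    d = tempfile.mkdtemp()
    auth = os.path.join(d, "auth.log")
    web = os.path.join(d, "access.log")
    with open(auth, "w") as f:  # constructed sample log line
        f.write("May  1 02:10:51 host sshd[4121]: Accepted password for svc_backup "
                "from 192.0.2.9 port 51522 ssh2\n")
    with open(web, "w") as f:  # constructed sample log line
        f.write('192.0.2.9 - - [01/May/2024:02:11:04 +0000] "POST /upload HTTP/1.1" 200 184320\n')
    manifest = build_manifest([auth, web], collector="analyst@example.com")
    manifest_hash = write_manifest(manifest, os.path.join(d, "manifest.json"))
    assert len(manifest_hash) == 64
    assert verify_manifest(manifest) == []  # untouched evidence verifies clean
    with open(auth, "a") as f:  # simulate someone "tidying up" the log after collection
        f.write("May  1 02:30:00 host sshd[4121]: session closed\n")
    return verify_manifest(manifest)  # the edited file is flagged


if __name__ == "__main__":
    print("changed since collection:", demo())
```

The manifest’s own hash is returned separately so it can be written into a ticket, printed, or sent to someone outside the affected environment; a manifest the attacker can edit alongside the logs proves nothing. The mtime is recorded for context only, since it is trivially forged, while the SHA-256 is what the comparison relies on.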

After a day or two has passed, it is wise to have your IT staff (or a third-party firm) search dark web markets and leak sites for your data. The dark web is the hidden underbelly of the internet, and it is largely (though not entirely) populated by criminals; it is used to sell all sorts of illegal and illicit things, including stolen data. If you find your data for sale, report the listing to law enforcement. Takedowns do happen, although they are slow and the seller is rarely identified. Either way, treat anything you find listed as fully compromised: reset the exposed credentials and notify the affected people whether or not the listing comes down, because a copy of the data has already left the seller’s hands.

Step Three: Notifying All Affected Parties

You need to understand that breach-notification laws (which vary by state and by country) govern your post-breach response. In most jurisdictions you are legally required to notify affected individuals, and often a regulator, within a set time frame; the GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach. Affected parties can include customers, employees, investors, and other companies with whom you do business. Telling them may be embarrassing, but the potential consequences of concealing a breach are far greater.

There are plenty of examples of what can happen if you fail to notify your customers (and the authorities) in a timely fashion. For instance, the accounting firm Bansley & Kiener suffered a data breach in 2020 but waited a full year before informing anyone outside the company. As a result, they were hit with a class-action lawsuit and ultimately paid $900,000 to settle it.

Step Four: Learning From The Breach

The final step is to analyze the entire experience and work out what you can learn from it. While we have mainly focused on cyber-attacks, many breaches are the result of simple negligence. Sometimes private information gets published by accident. In fact, some sources put the share of breaches that involve a human element at about 82%.

Often a breach involves both human error and malicious outside action. If someone hands over their password (whether deliberately or by accident), attackers get an easy route in, and social engineering attacks such as phishing fall into the same category. That overlap is probably the main reason the figure cited above is so high. In any case, you need to work out how to close the weakness that allowed the attack in the first place: a missing patch, an account without multi-factor authentication, an over-privileged service account, or a gap in staff training. You can never make yourself 100% resistant to cyber-attack, but you can definitely shut down all the known routes.


To summarize, the most important task after discovering a data security breach is to stop and contain the attack. Until you do that, an attacker who still has access can watch and undo whatever remediation you attempt. After that, you need to conduct a thorough investigation into the cause of the attack and the extent of the damage, and document everything for accountability and evidentiary purposes. The next step is to notify all the affected parties, and the final step is to analyze and learn. Of course, this kind of work is highly technical and many organizations will need help. If that is your situation, you can always call PCH Technologies at (856) 754-7500.