Skip to content

What Should Businesses Do After a Data Breach?

What Should Businesses Do After a Data Breach?

No one wants to think about the possibility of a data breach, as it can be extremely devastating. Some companies have been damaged beyond repair by such data breaches because their reputations suffered a fatal blow. However, the situation is not totally out of your control. Your response to a data breach is extremely important, as this can make the difference between a problem and a complete disaster. Let’s talk about some of the things that every business should do after suffering a data breach.

1. Disconnect The Internet Entirely

Once a data breach has been positively identified, the first thing you should do is disconnect the network entirely. All cyber attacks require a connection, so this is the only universal way to stop them. If the connection is cut before the intruder has finished their work, you might be able to avoid significant harm. For instance, if someone was attempting to install ransomware, but you cut the connection before the installation process is completed, that will probably save you from suffering any ill effects.

It should be noted that not all data breaches occur as a result of cybercrime. Sometimes, data breaches result from simple human error. In fact, according to this study, about 82% of data breaches can be attributed to human error. When people simply aren’t careful enough when dealing with sensitive information, all sorts of leaks can occur. Still, you should always assume the worst and disconnect entirely.

2. Quarantine The Affected Systems And Devices

Once you have positively identified a data breach, you will probably have some idea of what data was compromised and what systems or devices were affected. This might include specific end-use devices, specific servers, particular sections of the network, or maybe even the entire network. Anything that may have been compromised needs to be isolated immediately. Some malware is self-replicating (much like a real virus), so it must be kept from spreading.

Incidentally, this is why you should consider using a compartmentalized network structure. This concept has proven to be very good from a security standpoint, and also from a stability standpoint. We are talking about isolating certain parts of the network from accessing one another. This way, you can create a layered security system with multiple perimeters. With any luck, an intruder will be caught in the process of penetrating the outer barriers.

3. Check System Logs And Network Packet Information

It is very difficult for a cyber-attacker to penetrate your network and do something shady without leaving some sign of their presence. Most of the time, those telltale signs will be found in system and network logs. As long as you have someone that can properly interpret the raw data in these logs, a lot of information can be obtained. The main priorities would be to identify the method of attack and the data that was targeted. This is probably where you will find out if the connection was killed in time.

You should be using some sort of network monitoring software, and the data collected by such software will be invaluable when doing post-breach analysis. Internet data flows in small increments. This is what allows for the transfer of huge amounts of data: All that data is divided into smaller, more manageable files, and these files are transmitted at a great speed. The faster your internet connection, the more packets per minute you can send and receive. Network monitoring software allows you to capture selected packets and keep them for later analysis.

4. Fix The Damage Or Re-Install

Once you understand the method of attack and the targeted data, you can then work to correct the problems. The rule here is to undo whatever the attacker may have done. If you are dealing with an accidental breach in which no malicious activity was involved, you just need to figure out what went wrong and how it can be prevented in the future.

For example, let’s say the attacker just compromised a low-level employee through phishing, gaining low-level access to the network. If they were detected and booted before gaining a higher level of access, then you would really just need to change the password or passwords that were compromised and completely remove any malware that they may have installed.

On the other hand, if you can tell that the intruder had privileged access for an extended period of time, you should probably delete the operating systems on all servers and devices, restoring them from the most recent backup before the breach. It also wouldn’t hurt to flash all your routers and other network hardware, just in case anything was hidden there. While you’re at it, you can also install some high-security firmware to protect those devices from future attacks.

5. Reporting And Post-Analysis

There are certain laws that mandate the importance of post-breach reporting. Both investors and customers alike have a vested interest and thus, a legal right to be informed. Companies that have sought to conceal a data breach will pay a heavy price if they are caught doing so. A data breach is going to affect your reputation to some extent, but the damage can be minimized with honest and timely reporting.

Finally, you have the most important step, which is to analyze the entire incident and figure out where things went wrong. You mainly want to isolate the system/network/application vulnerabilities that allowed the breach to occur. There is no universal advice for this part, as every situation requires a different response and teaches different lessons.


While this article may not contain all the specifics that you need to know, this is a good general framework for effective data breach response. You should not hesitate, however, to create your own custom response plan that is tailored to your needs. We simply offer the above information as a good starting point. However, if you would like more specific advice, we would advise you to call the experts at PCH Technologies, who can be reached at (856)754-7500.