What next after a system breach?

Systems fail. IT systems, in particular, are prone to catastrophic failures. So interwoven has IT become in modern organisational life that when IT systems fail, pretty much everything else does. But IT systems are, in turn, made up of other sub-systems, including security systems. And security systems fail, allowing system breaches by attackers. At some point, the average IT security system will fail, whether the logical bit of it – via some form of hacking – or the physical bit of it, via forcible or masqueraded entry by unauthorised people. 

The first thing to do when systems are breached is to stay calm. The worst decisions ever made by humans, whether in war or when running an organisation, are those made in panic during an emergency. So, when a breach happens, sit down and calmly survey your systems. The worst may already have happened, but it can still get worse if the attacker keeps their foothold, which is a reason for deliberate action rather than frantic action. Start a written timeline at this point and record every observation and every change you make, with the time and the person who made it; the forensics, the customers and everyone else who later asks what happened will depend on it. After the calm, take stock of what has been compromised and what still can be compromised: is it data that has been stolen? Is it a physical server that is missing? Is it an entire system that is down? It is vital to make a quick inventory of what is present and what is missing or has been breached – both physical and logical resources.

Second, seal off access to whatever systems remain. If the organisation has suffered a logical breach, it makes sense to disconnect the remaining data and system servers from the internet or from the network, which are the likely routes of the attack. Disconnect rather than power off where you can: a running machine still holds memory, open connections and running processes, all of which are evidence. Before changing anything else, capture that evidence – forensic images of disks (bit-for-bit copies, not ordinary backups), memory dumps where possible, and copies of logs from servers, firewalls and authentication systems – hash the images and keep the originals untouched, because you will need to conduct forensics on the original systems, and anything you alter afterwards is no longer evidence. To complete the sealing off, common loopholes should then be closed: disabling all forms of remote access, rotating every credential the attacker could have seen (service accounts, API keys and certificates as well as human passwords, and ideally once the entry route is known, so the attacker cannot simply log back in with a fresh one), and reviewing anything recently installed – patches, packages, scheduled tasks, new accounts – against vendor hashes and change records. Do not roll back security patches on the suspicion that they introduced a backdoor; the fix for the hole the attacker used is more likely to be among them, and a package that cannot be verified is dealt with by rebuilding the system, not by rollback. Changing public IP addresses or renaming databases and servers makes the attacker's notes stale but is not a control in itself; the access paths have to be closed. If the breach was physical and a server has been stolen or computers are missing, then the organisation needs to quickly change server room locks, install new lock combinations, review server room access security procedures, and recall all server room access keys for reprogramming.
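One way to do the evidence-capture step, as an added example that is not part of the original article: the script below images a device byte-for-byte, hashes the source and the image, writes a chain-of-custody record beside the image and can re-verify the image later, so that any change to it after acquisition is detected. The operator name, case identifier and the file that stands in for a disk device are constructed for the demonstration; on a real system the source would be the block device and the image would be written to separate, dedicated evidence storage.

```python
"""Evidence preservation before containment changes.

Added example, not code from the original article. The operator and case
identifier are hypothetical; the "device" imaged in run_demo() is a
constructed file standing in for a disk or volume.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB pieces so large images stream


def sha256_of_file(path):
    """Hash a file in chunks; this digest is what the custody record relies on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, operator, case_id):
    """Copy `source` byte-for-byte to `image_path`, hash both sides, and
    write a chain-of-custody record next to the image.

    The source is opened read-only and never modified; the finished image
    is made read-only so that analysts work on copies of it."""
    source_hash = sha256_of_file(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of_file(image_path)
    record = {
        "case_id": case_id,
        "operator": operator,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
    }
    os.chmod(image_path, 0o444)
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(record, image_path):
    """Re-hash the image later (e.g. before analysis) and compare with the record."""
    return sha256_of_file(image_path) == record["sha256_image"]


def run_demo():
    """Image a constructed sample device, then show that tampering is detected."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    device = os.path.join(workdir, "sample-device.bin")  # constructed stand-in for a block device
    with open(device, "wb") as f:
        f.write(b"constructed sample volume contents\n" * 4096)
    image = os.path.join(workdir, "sample-device.img")
    record = acquire_image(device, image, operator="analyst-1", case_id="CASE-0001")
    ok_untouched = verify_image(record, image)
    # Simulate someone altering the image after acquisition.
    os.chmod(image, 0o644)
    with open(image, "ab") as f:
        f.write(b"unexpected write\n")
    ok_tampered = verify_image(record, image)
    shutil.rmtree(workdir)
    return record, ok_untouched, ok_tampered


if __name__ == "__main__":
    rec, before, after = run_demo()
    print(json.dumps(rec, indent=2))
    print("verified at acquisition:", rec["verified"])
    print("intact before tampering:", before, "| intact after tampering:", after)
```

The record is deliberately written as plain JSON next to the image rather than into a database, so that it travels with the evidence and can be checked by whoever receives it; the hash of the source is taken before the copy and the hash of the image after it, and the two only agree if nothing changed on either side during acquisition.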

With the remaining systems secured, assess the impact of the breach next. What has been compromised, to what extent, and since when? The organisation needs to quickly establish what logical assets are missing – credentials and data are the commonest targets of logical breaches – and, just as important, what the attacker could have reached with what they took, because a stolen administrator password is a breach of everything that password opened. If the breach was physical, it should be clear what is missing – perhaps hard drives have been stolen, entire servers are missing, or other data equipment. The result of this exercise is a situation report detailing what happened, to what it happened, and what impact it will have on the organisation – on internal systems, on data, on customers, on the business. Treat the first report as provisional: forensic analysis almost always widens the scope of a breach beyond what the first day's inventory shows, so date each version and revise it as findings come in. The IT Crisis Response Team can now be activated to respond fully to the crisis, covering the entire gamut from technical responses to public relations.

The Crisis Team then swings into action. First, contact affected customers, whether internal or external. Let them know exactly what has happened – trust has been lost and must be rebuilt, so honesty is the best policy. Internal customers would be the easiest to deal with, but breaches of customer data most often target external customers. Inform all the affected customers, taking care to let them know exactly what was stolen, what measures – if any – they need to take, what measures you are taking, and what the way forward is likely to be given the breach you just experienced. Customers will ask difficult questions, and it is vital to have trained PR personnel on hand to deal with those questions openly and quickly. The outreach effort should be all-encompassing, and should cover all of the organization’s PR outlets, from social media to phone calls to newspaper adverts. The key is to ensure that the customer perceives the organization as open and not hiding anything, because this is the only way that trust will begin to be rebuilt.

Reassuring customers should go hand in hand with some form of damage compensation and limitation. If it is a media company, for example, and subscribers’ information has been stolen, the company can offer free subscriptions for affected customers for a year, say. If it is a bank or other financial company, some monetary compensation can be offered to the affected customers. This helps avoid costly and reputation-damaging class action lawsuits, and shows the customers that the company is serious about making up for the breach and ensuring it doesn’t happen again.


Which leads directly to the next step: ensuring a breach never happens again. Logical breaches, in particular, are difficult to deal with, and attackers can persist for months – in network devices and their firmware, in scheduled tasks, in accounts they created, or in the backups taken while they were inside. Every compromised system must be painstakingly rebuilt from scratch, from installation media or build images that predate the intrusion, with system experts on hand to ensure that the restore really is a clean copy and not just a Trojan Horse carrying more compromising code; the most recent backup is the wrong starting point precisely because it is the most likely to contain the attacker's implants. Compare each rebuilt system against a known-good baseline before it goes back on the network, and turn what the forensics found – the entry route actually used – into a specific control, not just a general tightening. If it was a physical breach, ensure the server room access procedures are re-written from scratch to eliminate any possibility of a repeat breach. Get proper, professional assistance to put in place both logical and physical controls to ensure that the breach never recurs. Even when your security looks good enough, remember that good enough is what caused you the breach in the first place. The key thing with security breaches is – once is an acceptable risk, but a repeat breach is evidence of carelessness.
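One way to check that a rebuilt host really is a clean copy, as an added example that is not the article's own code: build a manifest of file hashes from a trusted build, then diff the restored host against it and report files that were added, modified or are missing. The golden tree and the restored tree below are constructed in a temporary directory for the demonstration, and the file names and contents are hypothetical; the restored copy is given a weakened configuration file and an extra cron entry to show what a restore from an infected backup looks like against the baseline.

```python
"""Check a rebuilt system against a known-good baseline.

Added example, not code from the original article. The "golden" tree and
the "restored" tree built in run_demo() are constructed stand-ins for a
clean build image and a freshly restored host; the file names are hypothetical.
"""
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map every file under `root` (relative path -> sha256) from a trusted build."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def compare_to_baseline(manifest, root):
    """Return which files on the restored host were added, modified or are
    missing relative to the baseline. `added` is the interesting set: a
    restore from an infected backup shows up there as files the clean build
    never had, while `modified` catches weakened configuration."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Build a constructed golden tree, 'restore' a copy with two deviations, and diff."""
    workdir = tempfile.mkdtemp(prefix="ir-restore-")
    golden = os.path.join(workdir, "golden")
    restored = os.path.join(workdir, "restored")
    _write(golden, "etc/ssh/sshd_config", b"PermitRootLogin no\nPasswordAuthentication no\n")
    _write(golden, "usr/local/bin/app", b"#!/bin/sh\nexec /opt/app/server\n")
    _write(golden, "etc/cron.d/app", b"0 3 * * * root /opt/app/rotate-logs\n")
    manifest = build_manifest(golden)
    shutil.copytree(golden, restored)
    # Deviations in the restored copy: a weakened config and an extra cron entry,
    # the kind of persistence a backup taken after the intrusion would carry.
    _write(restored, "etc/ssh/sshd_config", b"PermitRootLogin yes\nPasswordAuthentication no\n")
    _write(restored, "etc/cron.d/.update", b"* * * * * root /tmp/.x/run\n")
    report = compare_to_baseline(manifest, restored)
    shutil.rmtree(workdir)
    return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The manifest has to come from the trusted build, never from the restored host itself; generating it after the restore would only prove the host matches itself. In practice the baseline excludes paths that legitimately differ per host (logs, host keys, machine identifiers), and anything that lands in `added` or `modified` outside that allow-list is investigated before the host is reconnected.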
