The statistical probability of a data breach hovers around 30%. Your organization is liable to experience breach. Whether you’re sprucing up your incident response (IR) plan or want to share post-breach best practice reminders with colleagues or contacts, the insights in this article can help. From the no-brainers to the more nuanced and obscure, here’s how to improve security after a data breach…

Secure systems. After a breach hits, secure your systems immediately to prevent lateral movement or the reappearance of the cyber attackers. As you go about this process, ensure that you’re aware of the entire scope of the breach.

  • Get to the heart of the issue. Was it caused by nation-state hacking or a forgetful employee?
  • Understand what the hackers had access to.
  • Recognize how the information was accessed.
  • Determine whether or not any materials were stolen or copied.
  • Check to see whether or not any of your organization’s data was dumped on the dark web.

Assemble a group of individuals to assist with incident response. This team of individuals can include members of your IT team, your HR department, your PR department and your legal representatives. Ideally, you won’t have to think about this because your incident response plan will describe the who, what, why and how. Encourage everyone to document activities in preparation for formal report development.

Seek legal counsel. Once a breach has occurred, seek legal counsel. Most countries maintain legal requirements around breach reporting, especially when it concerns personal information. Failure to report a breach or to adhere to legal guidelines could result in serious penalties.

In the European Union, for example, organizations are required to notify authorities of a breach within 72 hours. Lack of compliance could translate to 20M fines or the need to hand over 4% of the organization’s revenue to governing bodies.

In the US, all 50 states, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands have established legislation mandating breach reporting when personally identifiable information is involved. Federal authorities are exploring the possibility of enacting more stringent breach reporting mandates, especially in relation to ransomware.

At the end of the day, your legal obligations will affect all further cyber attack clean-up efforts. Therefore, it pays to prioritize legal counseling.

Notify appropriate persons. Once you have gathered the facts, share the information.

Law enforcement

Whether or not to immediately contact law enforcement depends on the precise circumstances of the cyber security incident. However, breached organizations are generally advised to eventually provide a police report.

Credit bureaus and banks

Call credit bureaus to let them know that your organization has experienced a cyber attack. The credit bureaus will then place fraud alerts on your records, as appropriate. Reach out to any banks and credit card companies that your firm works with. This can help prevent unauthorized transactions and can potentially release you from liability surrounding recent fraud.


Among large organizations, communications or PR teams can assist with this aspect of information sharing. Organizations may want to admit fault as appropriate, and to accept responsibility. Transparency around when and why the breach occurred is generally expected.

Also, be sure to describe what mitigation and prevention strategies are in place to prevent further issue. Most of the time, the average user isn’t particularly interested in what got an organization into a tight spot. They’re more interested in what you’re doing to correct the problem and to rectify the situation.

Securing accessories. Assuming that your firm does not provide life-saving services, take affected technologies offline after the breach. Experts recommend leaving them ‘on’ in order to allow forensics teams to investigate appropriately. Once equipment is removed from the internet, secure the physical locations of these pieces of equipment.

Further, consider updating the access credentials of those who retain permissions to use the affected systems and to enter the physical locations in which they are housed. More than 19% of all data breaches stem from credential compromise. Securing credentials is an easy way to stop a potential or ongoing threat in its tracks.

Dark web deletion. In the event that your organization’s data has hit the dark web, immediately contact site operators to request data removal and permanent deletion. In addition, consider reaching out to search engines, which sometimes store or archive data for set durations of time.

Zero trust network access. As your organization grows, an increasing number of people will receive access to credentials. This introduces increased data security risk. Limiting access to critical data is considered a crucial step that enterprises can take post-breach (although, ideally, this is part of breach prevention that should be carried out preemptively).

After a cyber security event, audit who has access to which systems, and for what reasons. Limit access to essential individuals. If fewer people have access, the likelihood of credential, insider threats, and other forms of attack declines.

To preempt potential attacks, consider using and asking employees to routinely use a breached password checker. This type of tool can check passwords in real-time. Password detection tools will inform individuals in the event that the password has been breached. It also allows for the prevention of further access until the user has updates his/her password.

Encryption of data. To make your data unintelligible for hackers, opt for encryption. The vast majority of hackers lack the mathematical foundations and patience to meticulously decrypt data. Despite propitious warnings, many organizations have not yet encrypted sensitive data. There are numerous ways to encrypt data. The recent warnings from CISA and the FBI surrounding VPN hacking suggest that enterprises should apply VPN-based encryption as soon as possible.

Focus on the human factor. Humans can be your weakest link or your strongest defense. Continually provide employees with cyber security awareness training. Avoid a once-a-year style awareness program. Rather, continually provide training and engagement year-round. Modern software tools can help you do this quickly and easily, and can even provide backend metrics to help you assess engagement and efficacy.

Explain why cyber security matters. Employees who understand the value of a behavioral practice are more likely to implement requested behaviors (like looking for phishing threats or reporting suspicious online activities).

Further, encourage employees to implement multi-factor authentication wherever possible. This provides an additional layer of security. If a password is stolen, a hacker will not be able to access accounts unless MFA credentials are also acquired.

In summary:
Moving to a proactive, prevention-first security model can help organizations avoid complex and convoluted breach mitigation and investigation processes. The best way to improve security after a data breach is to develop a multi-layered prevention-focused cyber security strategy. For further insights into improving your cyber security strategy, check out our short guide to why security can fail. Lastly, to receive cyber security insights, analysis and resources in your inbox each week, sign up for our newsletter.