
Experienced a Breach? Here Are Four Tips for Incident Response

The threat level has never been higher for organizations charged with protecting valuable data. In fact, as recent headlines will attest, no company or agency is completely immune to targeted attacks by persistent, skilled adversaries. The unprecedented success of these attacks against large and well-equipped organizations around the world has led many security executives to question the efficacy of traditional layered defenses as their primary protection against targeted attacks. At the same time, many organizations have begun reviewing and revising their security best practices in advance of suffering a debilitating cyber attack.

Answer the In/Out Question

What is the first thing you need to do after experiencing a data breach? You must be able to determine whether the attackers have left the building or are still inside your systems. This is critical because incident response differs significantly depending on attacker location. If malicious actors have come and gone, taking valuable data with them, companies can proceed with forensic analysis to determine the scope of the attack and assess endpoint vulnerabilities.

If hackers are still in your system, however, these long-term questions need to be put on hold in favor of quarantine and containment—turning your top priority to ensuring that attackers are unable to cause any more harm or steal any more data. This often puts CISOs and CSOs at odds with other C-suite executives, but it’s critical to stay the course. Trying to get back to “business as usual” while adversaries are still lurking in your system will only lead to additional long-term damage.

Stay Running

As noted by Inside Counsel, it’s tempting to try to protect your network by shutting down the systems and hoping that attackers will simply vacate the premises. The problem? This could destroy valuable data or limit the ability of investigators to determine the cause of your breach. Taking this approach creates a scenario where systems come back online looking clean while attackers are still lurking inside; with no evidence of that fact, incident responders start response and remediation procedures anyway. Hidden cybercriminals, meanwhile, are now privy to your security procedures and have full access to the newly rebooted systems. While limited shutdowns may be necessary, it’s better to stay running if possible.

Call The Pros

Before an attack happens, it’s important to create an on-the-ground response team that is prepared to take action if and when a breach occurs. This offers two important benefits: First, there’s no confusion about who’s on call to handle the after-effects of a breach and therefore no delay between first detection and response. Second, selecting an incident response team in advance lets you hand-pick experts with the right mix of experience and out-of-the-box security thinking to give you the dual benefits of incident response and proactive measures on how to avoid similar breaches.

Go The Distance

Last but not least? It’s critical to have a plan in place to notify affected stakeholders, and to make sure that plan is adaptable. For this step, it’s important to determine the “harm threshold” set by state, federal and other regulatory bodies, above which you are required to notify affected parties. In addition, notification must be tailored to the nature of the breach. Financial data loss may only require credit score and purchase monitoring, while the theft of health care data could require ongoing assistance.

Interested in better incident response handling and proactive measures? Understand that no defense is impenetrable and then take steps before a breach occurs to better protect and defend your network should an incident occur.

By Con Mallon, Senior Director Product Marketing at CrowdStrike
