Blog: DFIR

10 Non-tech things you wish you had done after being breached

Luke Davis 10 Dec 2022


TL;DR

  • Non-tech aspects to breach follow-up are often overlooked but essential
  • NDAs, supply chain, and third party contracts and obligations should be reviewed
  • Reviewing communication protocols and employee training increases resilience
  • Looking after, and retaining your people improves recovery for future breaches
  • Always conduct a reputation assessment following a breach

Introduction

When the dust settles after a cyber breach, the focus often shifts to implementing technical safeguards and investigating the cause. However, many organisations miss a huge opportunity by not dealing with the non-technical aspects of recovery. These actions can make or break your organisation’s recovery, reputation, and resilience.

Here are 10 crucial non-tech things you should prioritise after being breached.

1. Disable temporary accounts and remove tools and logs left behind

Ok ok, this is kind of technical but it’s so important! During an incident, consultants and staff will need temporary accounts to access the network, and specialised tools and logs may be deployed and stored throughout the infrastructure. Once the investigation and remediation efforts are complete, these accounts and tools must be securely removed.

Failing to do so means that sensitive data may be exposed, or that access vectors are left open. Conduct a thorough audit of your infrastructure to ensure no temporary accounts or remnants of incident-response tools remain.
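As an added example (not from the original post), the audit this step calls for can be scripted: the check below flags accounts created inside the incident-response window that are still enabled, and lists file paths that match known incident-response tooling or collection artefacts. The incident window, account export and file inventory are constructed inline to stand in for a directory-service export and a host file inventory.

```python
"""Post-incident cleanup audit: stale temporary accounts and leftover IR artefacts."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    created: date
    enabled: bool
    note: str = ""


# Constructed incident-response window for this example.
IR_START, IR_END = date(2022, 11, 1), date(2022, 11, 20)

# Constructed stand-in for a directory-service account export.
ACCOUNTS = [
    Account("jsmith", date(2019, 3, 4), True, "finance"),
    Account("ir-consult-01", date(2022, 11, 2), True, "IR consultant (temp)"),
    Account("ir-consult-02", date(2022, 11, 2), False, "IR consultant (temp)"),
    Account("svc-edr-deploy", date(2022, 11, 5), True, "EDR rollout"),
    Account("newhire", date(2022, 12, 1), True, "starter"),
]

# Constructed markers for IR tool drops and collected triage data.
IR_ARTEFACT_MARKERS = ("\\ir-tools\\", "/ir-tools/", "triage_", ".collector.log")

# Constructed stand-in for a host file inventory.
FILE_INVENTORY = [
    "C:\\ir-tools\\collector.exe",
    "C:\\Users\\jsmith\\reports\\q3.xlsx",
    "/var/tmp/triage_host07.tar.gz",
    "/opt/collector/.collector.log",
]


def stale_temp_accounts(accounts, start=IR_START, end=IR_END):
    """Enabled accounts created inside the IR window.

    Every account from the window is returned for review, not only those
    labelled 'temp': service accounts created for the response are just as
    easy to forget, and the audit should decide which ones are still needed.
    """
    return sorted(a.name for a in accounts if a.enabled and start <= a.created <= end)


def leftover_artefacts(paths, markers=IR_ARTEFACT_MARKERS):
    """File paths matching any known IR tool or collection marker."""
    return [p for p in paths if any(m in p for m in markers)]
```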

2. Reinforce NDAs for key staff and consultants

Breach investigations often reveal highly sensitive information about your organisation’s vulnerabilities, systems, and operations. Any consultants or staff involved in the breach response should have robust Non-Disclosure Agreements (NDAs) in place.

Review existing NDAs and reinforce them where necessary to ensure sensitive details about the breach or your organisation’s security posture remain confidential.

3. Reward your team

Incident response is stressful, exhausting, and often emotionally taxing. Your IT and security teams, as well as other employees involved in managing the breach, have likely worked under immense pressure to stabilise the situation.

Acknowledging their efforts can go a long way toward maintaining morale. Whether it’s bonuses, public recognition, or additional time off, rewarding your team demonstrates that their hard work has not gone unnoticed. Maybe most importantly, look after your people during a breach. Keep them fed and comfortable. The power of a pizza should not be underestimated!

4. Reassess relationships with third parties

A breach often highlights vulnerabilities in your relationships with third-party vendors, partners, or suppliers. These entities may have contributed to the breach or failed to meet contractual obligations.

Conduct a thorough review of third-party agreements, their access to your systems, and their security practices. This reassessment will help you identify weak links and take corrective action to minimise future risks.

5. Securely archive incident data

The breach may create vast amounts of data, including forensic logs, reports, and communication records. Securely archiving this is essential for compliance, legal, and historical purposes.

Ensure data is stored in a secure, access-controlled environment. This archive may also serve as a valuable resource for future training or audits.

6. Review communication protocols

The breach may have exposed weaknesses in your internal and external communication protocols. Review how information was communicated during the incident and refine your processes for clarity and speed.

This includes revisiting crisis communication plans to ensure the right information reaches the right stakeholders quickly and effectively in the future.

7. Update employee training

If a breach occurred, chances are that gaps in employee awareness played a role. Take this opportunity to update your training programs to reflect the lessons learned from the incident.

Focus on phishing awareness, secure password practices, and the importance of reporting suspicious activity. Empower employees to act as the first line of defence. Consider thinking bigger than an ‘awareness refresher’: a comprehensive awareness programme that mixes online, in-person and gamified training with regular phishing simulations and regular messaging.

8. Communicate with stakeholders

Once the immediate crisis is over, maintaining transparency with stakeholders—including customers, investors, and regulators—is critical. Clearly outline what happened, what has been done to resolve the issue, and what steps you are taking to prevent future incidents.

A well-executed communication strategy can preserve trust and demonstrate accountability.

9. Build an employee retention plan

A breach often creates an environment of uncertainty that can lead to employee burnout or turnover. Build a retention plan that supports and reassures your employees.

This might include counselling services, professional development opportunities, or transparent updates about how the organisation is addressing the breach and improving security.

10. Conduct a reputation assessment

Your organisation’s reputation may have taken a hit during the breach. Conduct a reputation assessment to understand the extent of the damage and develop a plan to rebuild trust:

  • Track public opinion: Monitor what people are saying about your organisation on social media, review sites, forums, and other platforms.
  • Get stakeholder feedback: Gather insights from employees, customers, partners, investors, regulators etc. to understand internal and external perceptions.
  • Analyse media coverage: Review past media coverage and social media channels to identify strengths and vulnerabilities in your organisation’s reputation.

Once done, consider running campaigns to reaffirm your commitment to security and service excellence.

Conclusion

Recovering from a breach requires more than just technical fixes. By focusing on these 10 non-technical actions, you can strengthen your organisation’s resilience, rebuild trust, and ensure that you’re better prepared for future incidents.

The lessons learned from a breach should guide not just your security strategy but also your overall business operations and relationships.