Halkyn Security Blog
Specialist Security & Risk Management Consultants

Security breaches – do you know what to do next?

One sad fact about security is that no matter what controls you put in place, you will suffer breaches and if you are on the internet it is likely to happen sooner rather than later.


Anonymous – often linked to security breaches and globally distributed enough that it is hard, if not impossible, to anticipate if, when and how they will attack

People sometimes hold to a “physical world” security model which has a clearly defined threat actor (e.g. a burglar) casing properties in their target area for an eventual break-in. If you are unlucky enough to leave a door open on the night they are casing you, you get robbed.

This is a good way of thinking but it is crucial to remember that on the internet, the burglars are worldwide and they are running automated tools which are constantly casing your property to see if there is something they can exploit. This means any momentary lapse (such as not applying a software patch, or changing a configuration setting) can be found by attackers and exploited faster than most people realise. The lesson is simple: Breaches can, and will, happen at any time of the day or night, while you are working, sleeping or on holiday.

This is not saying your security controls are useless – far from it. Without them, the breaches will be more frequent, more damaging and harder to recover from. You do, however, have to avoid the mindset that security is putting in place controls and then saying “job done.”

If breaches are inevitable, why do I need controls?

Let’s clear this up first. You need your security controls. You really do.

Security is best delivered by applying layers of controls and constantly striving to maintain and improve them. Good security controls help you with:

  • Making you a hard enough target that lots of attackers, especially script kiddies, will simply go elsewhere.
  • Delaying attackers enough that your detection systems will be alerted to their presence.
  • Collecting enough data to allow you to investigate breaches.
  • Being adaptive enough to respond to attacks in real time.

If you come from a physical security background, this might be familiar as all security controls have the same basic requirements.

So, breaches happen, what do I need to do?

First off, if you are reading this as a breach happens, it is too late. Sorry. Incident response is all down to planning. If you don’t plan properly, any successful incident response activity is pretty much down to random chance. Secondly, if you handle regulated data such as personal data/PII, credit card data etc., then you need to make sure your plans are acceptable. The advice here is generic and high level.

So, to answer the question:

  1. You need to plan, plan and plan some more. Your plans need to include who is responsible for doing what. Your plans need to cover everything from minor incidents to breaches which put your company’s very existence at risk.
  2. Test your plans. This is crucial. Make sure everyone involved knows what they need to do. Make sure the communications channels you have work. Make sure it all works at any time of the night or day. Make sure it works when your key decision makers are unavailable. Then test it all again. And again.
  3. Provide resources for incident response. This isn’t free. If you are a small business with limited internet facing systems you might just be able to get away with an ad-hoc incident response team, but don’t assume a good sysadmin or a good networks person makes a good incident responder. Also remember breaches are stressful. Your incident responders will burn out if you ask them to do too much.
  4. Learn from your mistakes. Just as breaches are inevitable, so are incident response mistakes. You need to be mature enough to analyse your behaviours and learn from what went wrong. Your attackers are constantly improving; you need to do the same.

In practical terms


Responding to breaches – six steps

As part of your plans, you need to be aware of the six high-level steps of incident response (see image), and your processes need to cover each step.

You need to make sure that you have an incident response team who have the right skills and knowledge to do the job. You also need to make sure you resource the team well enough that they aren’t trying to juggle a day job as well as respond to incidents and you have some way to rotate people.

There are no hard and fast rules on how much of your security budget should go on incident response – it really depends on your individual circumstances – but two things are always true. You need a security budget and some of it must be spent on incident response. Don’t fool yourself into thinking anything else is financially sensible or a long term option.

Make sure your incident response team either have the authority to act or the ability to seek this authority at very, very short notice, any time of the day or night. The last thing you want is the complete loss of your network because the incident responders didn’t have the authority to pull the plug on an infected machine and couldn’t find the person who did.

All of this goes a long way to making sure your organisation is resilient enough that an incident can’t kill you. At the end of the day, that is what really matters.



  1. Itay Semel
    20 August 2015

    Please can I have an unprotected copy?

    Many thanks

    • 3 October 2015

      Hi, thanks for getting in touch.

      An unprotected copy of what?
