United States

Implementing a proactive data security plan: The 3 stages of a data breach


The frequency of data breaches is rising, but many organizations do not fully understand what a breach means and what protective measures should be in place. Every organization possesses valuable information, and no business is too small to be vulnerable. A data breach and its aftermath carry significant financial and reputational risk of harm, and you must be prepared to respond quickly and protect your company.

Many businesses treat data security as an afterthought; budgets are limited, and dedicating resources to security is often not a priority. Companies know about data risks, but many are not concerned due to their size, or because they outsource their data. However, if a company has employees, they have information that is at risk. You must keep in mind that incidents do not always involve outsiders and malware; employees may use more traditional, low-tech methods to access information such as paper documents.

Data breach is a buzz term; if you ask 10 businesses what it means, you may get 10 different answers. A true data breach is a compromise of protected information such as credit card data, personally identifiable information or personal health information, and often carries significant legal and regulatory ramifications. Many situations described as breaches are actually information security incidents involving malware or other disruptions. Incidents are disruptive and dangerous, and potentially have a lower risk of harm than a full breach.

Data breaches can be grouped into three distinct phases: pre-breach, breach and post-breach, each with key processes and concerns. Understanding what these stages entail and implementing a comprehensive plan can go a long way to protecting your organization.        


To protect against a breach, your organization should implement preventative measures into your daily operations. You must know what data you have, where it is and how it is secured. Employees should undergo awareness training to make sure they know the potential risks, and who to contact if an incident occurs. Many organizations think their controls and processes are secure, and that may be the case, but a trust but verify approach is a best practice.

You want to have trust in your employees and protective measures, but also have an unbiased third party analyze and validate the strength of your processes. You likely view your structure differently than an outside observer would. In addition, your employees are not exposed to data breaches on a daily basis or familiar with evolving methods and threats. 


Chances are, your business will be affected by a data breach and you must respond quickly to identify the issue and limit the damage. During an incident, evidence is collected, preserved and documented in an effort to determine the nature and source of the breach. You must recover as much information as possible, document your processes and evaluate your network status and controls.

Documentation is key in determining the source of an incident, providing more information and details. Keep a rolling log of information in the midst of an incident, including what evidence was discovered and any changes made to the environment. The information does not always have to be in written form. Using the “print screen” button on your keyboard to capture an image of what you are seeing is also extremely beneficial. The documentation should include enough information that if someone unfamiliar with the incident were to read the notes, they could fully understand the situation.

If you are not prepared, the response could cost more, your operations disrupted longer and you may be up against regulatory deadlines. An investigation is a very intensive process, and if you do not know where your data is and how it is protected, the response can be more difficult and time consuming.


In the wake of a breach, the focus shifts to data cleanup and remediation. These steps are largely dependent on the preservation and documentation of data during the breach. You must learn from the breach to help ensure it does not happen again; but some organizations are so focused on fixing the problem that they destroy evidence.

While focusing on stopping the bleeding, some organizations lose sight of actually determining who is responsible for the breach. From an investigative standpoint, the goal is multifaceted: identify the affected data, determine how the incident occurred and who might be responsible. Logging and surveillance capabilities are important, for both network and building access, because as mentioned earlier, an incident is not always technical. You want as many sources of evidence as possible, because you can’t recreate it to determine what happened.

During an investigation, advisors can access information in deleted space, such as documents and emails that were deleted from a computer. Just because information was deleted does not mean it cannot be searched or discovered from a forensic standpoint. An advisor can also discover other data fragments, email addresses, files and other helpful data points as well as examine external storage used to transfer files or introduce malware to a network.

From a regulatory perspective, each state has unique requirements. When responding to an incident, many organizations believe they are only subject to compliance standards in their state. However, if compromised data includes information on residents of other states, you are also required to comply with those specific state regulations.

Implementing a breach strategy

Your company can implement a variety of risk assessment models to help prepare for a potential breach, including ISO, NIST and COBIT frameworks. You can also benefit by thinking like a criminal, looking for network vulnerabilities and how difficult it may be to access and distribute your data. The value of preparation cannot be understated.

Rather than creating an incident response plan and having it on the shelf, we recommend that organizations undergo periodic mock exercises. Simulate an incident and evaluate how IT and other personnel respond. Be sure to identify the appropriate trained resources well in advance of an incident and not during one.

You must have experienced resources available, as cutting corners will likely cost you in the long run. Being prepared by making sure your network and controls are secured, and implementing and following a written information security program are critical to limiting your risks. Organizations cannot throw data protection strategies together reactively and expect them to be truly effective.

Working with trusted advisors is important when developing your data breach strategy, including security and privacy services, law firms and cyber insurance carriers. Aligning with advisors that have relationships with regulatory bodies and a deep understanding of applicable rules and regulations helps ensure that your strategy is comprehensive and secure, and minimizes your risk.    


A breach impacts your entire organization in a variety of ways. In addition to disruptions to your operations, you will experience legal issues, compliance risks, and financial and reputational damage.

With data incidents, it is a matter of when, not a matter of if. No organization is too small or too large to suffer an incident or breach. You must have properly trained resources in place to plan for and react to a potential data breach; without a proactive game plan, a breach can become ugly in the end.

How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.