Guest Column | November 10, 2015

What To Focus On After A Breach: Five Key Questions

By Pedro Abreu, Chief Strategy Officer, ForeScout Technologies, Inc.

The Identity Theft Resource Center reports that as of late October, there have been 629 data breaches this year, exposing nearly 176 million records. That’s about two breaches per day, with many more attempted. A company’s data and reputation are at stake, and managed services providers (MSPs) and their customers may share that natural human desire to know who was responsible for a data breach. However, you can waste a lot of time and energy in pursuit of “whodunit.” These days, there are more important questions than who’s to blame when it comes to network breaches and data theft.

When a system is breached, either yours or a customer’s, here are five questions to ask that are more important than who was responsible:

  • “How did the bad guys get in?” If security managers have a real-time view of every connected device, every authorized user and every malware link clicked on, they have a better chance of pinpointing the incoming threats capable of causing damage. For this reason, network visibility is essential.
  • “What data was taken, and how much?” Determining the scope of a data loss can take an agonizingly long time. This is especially damaging when a data breach affects consumers. Quantifying the breach with speed and confidence causes an affected company less harm in the long run.
  • “What do we need to do to fix it?” Instead of placing blame, focus on repairing the damage. Speedy remediation depends on good visibility. The faster you can see and determine the size of the rip in your safety net, the faster it can be repaired. Companies have a clear fiscal incentive to minimize downtime, so this element is critical to running a business seamlessly.
  • “Is the compromise ongoing?” Post-detection, IT security teams put a lot of energy into stopping the breach and assessing the extent of the impact. However, without proper visibility, most companies are left wondering if they are still being breached — that is, whether the attackers left undiscovered backdoors that will allow them back into the company’s systems later, when the incident response winds down.
  • “What’s the lesson here?” To make sure that the same attack method never works twice, cybersecurity defenses must evolve: intelligently, automatically, and rapidly. Pragmatic, real-world defense depends not on making a network impenetrable, but on making it so challenging to crack that most attackers will eventually move on to easier targets.

It may seem less satisfying, at least initially, to ask the above questions. They are certainly more complex and time-consuming than merely asking “whodunit?” but they zero in on the key information needed to mitigate and prevent cyberattacks. People are naturally curious, and we want justice, but it’s usually extremely difficult to track down the perpetrator of a data breach. Instead, put those work hours into discovering how the attackers got in, what they took and whether they’re still in there. Then focus on creating effective defenses to keep your customers’ data — and your reputation — safe and sound.

With more than 15 years of business experience in the high-tech industry across Europe and North America, Pedro Abreu brings a deep understanding of all go-to-market aspects to his role of CSO at ForeScout, along with knowledge of building highly effective teams and developing strong relationships with clients and stakeholders.