What is the most important thing to do if you suspect a security incident?

A data breach is one of the biggest threats to an organization. It can harm an organization’s reputation and entail huge financial losses. According to the Cost of a Data Breach Report 2020 by IBM [PDF], the average cost of a data breach is estimated at $3.86 million. Thus, preventing data breaches and investigating them in a timely manner are among the most sensitive pain points when it comes to an organization’s cybersecurity.


In this article, we describe seven steps for investigating a data breach and explain what to pay special attention to during data breach investigation and remediation.


What is a data breach?


A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person. Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and publicity. That’s why if a data breach has occurred, it’s necessary to take actions to mitigate its consequences and investigate the incident.



Investigation is an integral part of a data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.


It’s important to begin investigations as soon as possible in order to respond to potential risks and limit access to leaked information before it’s too late. There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:


  • Computer Security Incident Handling Guide [PDF] from the National Institute of Standards and Technology (NIST)
  • Incident Handler’s Handbook from the Escal Institute of Advanced Technologies, also known as SANS
  • Microsoft Incident Response Guide [PDF]
  • And more


Below, we outline seven steps based on the recommendations in these guides.


7 steps for responding to and investigating a data breach


Although the reasons behind a data breach may vary, there’s a set of steps you need to take when responding to and investigating such a cybersecurity incident. Let’s take a closer look at this data breach investigation checklist.



Depending on the industry you operate in and the requirements you need to comply with, the order of steps may vary, and some steps may be omitted or added.


1. Detect the data breach


Every data breach investigation begins with incident detection. This step confirms that a data breach has actually occurred, which you do by examining the signs of a breach.


In the Computer Security Incident Handling Guide, NIST distinguishes two types of data breach signs: precursors and indicators.


A precursor is a sign that an incident may occur in the future. It can be:


  • Web server logs indicating a search for vulnerabilities in an organization’s network
  • Discovery of a vulnerability that affects the organization’s network
  • An announcement by a hacker group that they intend to attack the organization


In general, precursors are rare and mostly help organizations to stay vigilant.


An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:


  • Buffer overflow attempts against a database server
  • Multiple failed login attempts from an unfamiliar remote system
  • Bounced emails with suspicious content
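Indicators such as "multiple failed login attempts from an unfamiliar remote system" are only useful if something is actually looking for them. The following is an added example, not code from the article or from Ekran System: it parses a constructed sshd-style auth log excerpt, counts failed logins per source address, flags sources that exceed a threshold and are not on a known internal prefix, and records whether the same source later logged in successfully, which is the first thing an analyst checks when triaging such an indicator. The log lines, the `10.0.0.` prefix and the threshold of 3 are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log excerpt (sample data, not from the original article).
SAMPLE_LOG = """\
Mar  3 09:12:01 srv1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51122 ssh2
Mar  3 09:13:10 srv1 sshd[2240]: Failed password for bob from 203.0.113.7 port 40100 ssh2
Mar  3 09:13:12 srv1 sshd[2241]: Failed password for bob from 203.0.113.7 port 40101 ssh2
Mar  3 09:13:15 srv1 sshd[2242]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Mar  3 09:13:19 srv1 sshd[2243]: Failed password for root from 203.0.113.7 port 40103 ssh2
Mar  3 09:13:25 srv1 sshd[2244]: Failed password for bob from 203.0.113.7 port 40104 ssh2
Mar  3 09:20:00 srv1 sshd[2301]: Failed password for carol from 10.0.0.9 port 50211 ssh2
Mar  3 09:20:05 srv1 sshd[2302]: Accepted password for carol from 10.0.0.9 port 50212 ssh2
Mar  3 09:31:44 srv1 sshd[2350]: Accepted password for bob from 203.0.113.7 port 40110 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumed: address prefixes the organisation recognises as its own management network.
KNOWN_PREFIXES = ("10.0.0.",)
FAILURE_THRESHOLD = 3  # assumed tuning value; set it from the environment's normal baseline


def parse_line(line):
    """Return a dict with ts/result/user/src for an auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Syslog timestamps carry no year; normalise spacing and parse for ordering only.
    event["ts"] = datetime.strptime(" ".join(event["ts"].split()), "%b %d %H:%M:%S")
    return event


def find_indicators(log_text, threshold=FAILURE_THRESHOLD, known_prefixes=KNOWN_PREFIXES):
    """Flag sources with at least `threshold` failed logins that are not on a known network.

    Each indicator also records whether the same source later logged in successfully,
    so the analyst can see at once whether the failed attempts were followed by access.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        bucket = failures if event["result"] == "Failed" else successes
        bucket[event["src"]].append((event["ts"], event["user"]))

    indicators = []
    for src, fails in failures.items():
        if len(fails) < threshold or src.startswith(known_prefixes):
            continue
        last_failure = max(ts for ts, _ in fails)
        later_success = any(ts > last_failure for ts, _ in successes.get(src, []))
        indicators.append({
            "source": src,
            "failures": len(fails),
            "users": sorted({user for _, user in fails}),
            "first_failure": min(ts for ts, _ in fails).strftime("%b %d %H:%M:%S"),
            "last_failure": last_failure.strftime("%b %d %H:%M:%S"),
            "later_success": later_success,
        })
    return indicators


if __name__ == "__main__":
    for indicator in find_indicators(SAMPLE_LOG):
        print(indicator)
```

On the sample data the only indicator is the external address with five failures against three different accounts followed by a successful login, which is exactly the combination that should trigger the urgent actions in the next step. The single failure from the internal address stays below the threshold and is on a known prefix, so it is not reported.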


MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) can also be of great help. This is a structured knowledge base of known attacker behavior, divided into tactics and techniques and expressed in tables (matrices). The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.



2. Take urgent incident response actions


There are a number of urgent steps you should take when a data breach is detected. The first is to record the date and time of detection along with everything that is known about the incident at that moment.


Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.


Overall, these urgent actions form a short checklist: record when the breach was detected and what is known about it, report it to the people responsible, and restrict access to the breached data.


It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.


3. Gather evidence


Collecting and checking all evidence related to the data breach is another step in a list of data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.


First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.


The list of data you should collect includes:


  • The date and time the data breach was detected
  • The date and time a response to the data breach began
  • Who discovered the breach, who reported it, and who else knows about it
  • What was stolen and how
  • A description of all events related to the incident 
  • Information about all contacts involved in the breach
  • Identification of the systems affected by the incident
  • Information on the extent and type of damage caused by the incident
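A practical way to keep this list from living in scattered notes is to record it in a structured incident record from the first minute, and to fingerprint every artifact at the moment it is collected so that it can later be shown not to have changed. The following is an added example, not code from the article or from Ekran System; it goes slightly beyond the list above by adding SHA-256 fingerprints for collected evidence, which also serves the evidence-preservation concern raised under containment later on. The incident id, names, hosts and artifacts are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def utc_now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceItem:
    label: str            # e.g. "auth.log excerpt"
    source_system: str    # host or device the artifact came from
    collected_at: str     # ISO 8601, UTC
    collected_by: str
    size_bytes: int
    sha256: str           # fingerprint taken at collection time


@dataclass
class IncidentRecord:
    incident_id: str
    detected_at: str
    discovered_by: str
    reported_by: str
    response_started_at: str = ""
    also_aware: list = field(default_factory=list)        # who else knows about it
    affected_systems: list = field(default_factory=list)
    timeline: list = field(default_factory=list)          # events related to the incident
    evidence: list = field(default_factory=list)          # EvidenceItem entries


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_event(record, when, description):
    """Append a timeline entry and keep the timeline in chronological order."""
    record.timeline.append({"when": when, "description": description})
    record.timeline.sort(key=lambda e: e["when"])


def add_evidence(record, label, source_system, data, collected_by, collected_at=None):
    """Register an artifact, fingerprinting it so later tampering or corruption is detectable."""
    item = EvidenceItem(label, source_system, collected_at or utc_now_iso(),
                        collected_by, len(data), fingerprint(data))
    record.evidence.append(item)
    if source_system not in record.affected_systems:
        record.affected_systems.append(source_system)
    return item


def verify_evidence(record, label, data) -> bool:
    """True if `data` still matches the fingerprint recorded for `label` at collection."""
    for item in record.evidence:
        if item.label == label:
            return item.sha256 == fingerprint(data)
    return False


def export_record(record) -> str:
    """Serialise the whole record (including nested evidence items) for the case file."""
    return json.dumps(asdict(record), indent=2, sort_keys=True)


def build_sample_record():
    # Constructed scenario: every value here is invented for the example.
    rec = IncidentRecord(
        incident_id="IR-EXAMPLE-001",
        detected_at="2024-03-03T09:35:00+00:00",
        discovered_by="SOC analyst on duty",
        reported_by="SOC analyst on duty",
        response_started_at="2024-03-03T09:40:00+00:00",
        also_aware=["IT operations lead", "Legal counsel"],
    )
    # Events may be entered out of order; add_event keeps the timeline sorted.
    add_event(rec, "2024-03-03T09:40:00+00:00", "Response started; access to file share restricted")
    add_event(rec, "2024-03-03T09:35:00+00:00", "Alert: repeated failed logins from external address")
    auth_excerpt = b"Mar  3 09:13:10 srv1 sshd[2240]: Failed password for bob from 203.0.113.7 port 40100 ssh2\n"
    add_evidence(rec, "auth.log excerpt", "srv1", auth_excerpt,
                 "SOC analyst on duty", "2024-03-03T09:45:00+00:00")
    fw_export = b"203.0.113.7,srv1,22,DENY,2024-03-03T09:50:00Z\n"
    add_evidence(rec, "firewall rule export", "fw-edge", fw_export,
                 "Network engineer", "2024-03-03T09:55:00+00:00")
    return rec, auth_excerpt


if __name__ == "__main__":
    record, _ = build_sample_record()
    print(export_record(record))
```

The fingerprint is computed over the bytes actually collected, so a later `verify_evidence` call on a copy that has been edited, truncated or corrupted returns `False`, and the exported JSON doubles as the written description of events that the list above asks for.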


4. Analyze the data breach


Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident. In addition, you may have to answer a series of questions that will further assist in the investigation:


  • Was any suspicious traffic detected?
  • Did the attacker have privileged access to data?
  • How long has the data been compromised?
  • Were people or special software involved in the data breach?
  • Was the data breach intentional and were outside attackers involved?


Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.



5. Take containment, eradication, and recovery measures


It’s also important to take actions to prevent the data breach from spreading. This can be accomplished with three countermeasures: containment, eradication, and recovery.


Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach.


Containment measures


The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.


Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.


Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.


Eradication measures


Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.


Recovery measures


After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.


Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.



6. Notify affected parties


Regardless of whether you’re legally obliged to do so, you should notify all affected organizations and individuals as well as law enforcement. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.


The list of those to be notified will vary depending on the type of compromised data and may include:


  • Employees 
  • Customers 
  • Investors 
  • Business partners
  • Regulators
  • And others


Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:


  • Organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days after discovering a breach. Fines for a HIPAA violation may be up to $25,000. The minimum fine is $100.


  • The General Data Protection Regulation (GDPR) requires data supervisors to notify the appropriate supervisory authorities within the deadline it sets after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.


  • Brazil passed its own legislation that’s similar to the GDPR, called the Brazilian General Data Protection Law [PDF], which includes breach notification requirements.


  • Canada’s Breach of Security Safeguards Regulations add further notification requirements for data breaches.
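Because notice periods differ by regime and by the type of data affected, response teams usually keep a small table of obligations and compute each deadline from the discovery time rather than from memory. The following is an added example, not code from the article or from Ekran System. Only the HIPAA row (60 days, affected individuals) comes from the text above; the partner-contract and card-data rows, the data types and the discovery time are constructed for the example, and the commented-out GDPR row is a placeholder whose period must be filled in from the regulation itself.

```python
from datetime import datetime, timedelta, timezone

# Notice-period table. The HIPAA row reflects the 60-day figure given above;
# the other rows are constructed sample obligations, not real legal requirements.
NOTICE_RULES = [
    {"regime": "HIPAA", "audience": "affected individuals",
     "data_types": {"health"}, "period": timedelta(days=60)},
    {"regime": "Partner contract", "audience": "business partner",      # constructed
     "data_types": {"personal", "financial"}, "period": timedelta(hours=24)},
    {"regime": "Card data agreement", "audience": "acquiring bank",     # constructed
     "data_types": {"financial"}, "period": timedelta(days=10)},
    # {"regime": "GDPR", "audience": "supervisory authority",
    #  "data_types": {"personal"}, "period": timedelta(...)},  # placeholder: take from the regulation
]


def notification_plan(discovered_at, data_types, now, rules=NOTICE_RULES):
    """Return every applicable notice obligation with its deadline, most urgent first.

    An obligation applies when any of the affected data types is covered by the rule.
    `discovered_at` and `now` must be timezone-aware datetimes.
    """
    affected = set(data_types)
    plan = []
    for rule in rules:
        if not rule["data_types"] & affected:
            continue
        deadline = discovered_at + rule["period"]
        remaining = deadline - now
        plan.append({
            "regime": rule["regime"],
            "audience": rule["audience"],
            "deadline": deadline.isoformat(),
            "hours_remaining": round(remaining.total_seconds() / 3600, 1),
            "status": "OVERDUE" if remaining < timedelta(0) else "pending",
        })
    plan.sort(key=lambda p: p["hours_remaining"])
    return plan


def sample_plan():
    # Constructed scenario: breach involving health and personal data discovered on
    # 3 March 2024 at 09:35 UTC, with the plan evaluated two days later.
    discovered = datetime(2024, 3, 3, 9, 35, tzinfo=timezone.utc)
    now = discovered + timedelta(days=2)
    return notification_plan(discovered, ["health", "personal"], now)


if __name__ == "__main__":
    for obligation in sample_plan():
        print(obligation)
```

In the sample scenario the card-data row is skipped because no financial data was affected, the constructed 24-hour partner obligation is already overdue after two days, and the HIPAA deadline is still pending; re-running the plan as more data types are confirmed during the analysis step keeps the list current.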


Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider the local data breach legislation and include its requirements when creating an incident response plan.



7. Conduct post-incident activities


Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.


In general, an audit may include:


  • Reviewing the organization’s cybersecurity systems
  • Analyzing causes of the data breach
  • Creating a plan to prevent similar incidents in the future
  • Reviewing policies and procedures to reflect lessons learned from the data breach
  • Improving cybersecurity awareness among employees


By thoroughly implementing these steps, you can get a better understanding of the data breach that occurred, discover its true causes, and determine the best pathway for mitigating its consequences.


Respond to data breaches with Ekran System


It’s extremely difficult to investigate a data breach and restore the full picture of what happened without detailed context. Ekran System can effectively help you in investigating a data breach.


By deploying Ekran System, you’ll get a full-cycle insider risk management platform that allows you to:


  • Perform comprehensive user activity monitoring by collecting information about login and logoff times, requests to access sensitive assets, visited websites, keystrokes, etc.


  • Prevent the incident from happening with Ekran System’s automated and manual incident response and alerting


  • Manage access rights to implement zero trust and least privilege principles


  • Use Ekran System’s robust built-in reporting tools to speed up and simplify the auditing process


Also, Ekran System can help you comply with requirements of various acts, standards, and regulations such as NIST, HIPAA, PCI DSS, GDPR, and FISMA.



Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.


It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach.


Ekran System offers a rich set of features for data breach investigation and mitigation. Request a trial version of the platform to enhance your data breach protection.

What actions must be taken in response to a security incident?

The security incident response process is centered on the preparation, detection and analysis, containment, investigation, eradication, recovery, and post incident activity surrounding such an incident.

What is the most important step in incident response?

Detection (identification)

One of the most important steps in the incident response process is the detection phase. Detection, also called identification, is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.

Which is the best first step you should take if you suspect a data breach has occurred?

If you're notified that your personal information was exposed in a data breach, act immediately to change your passwords, add a security alert to your credit reports and consider placing a security freeze on your credit reports.

What is Step 1 of the investigating security incident process?

Step 1 - Identification

The first step is to identify that there has been a cyber incident. You should also identify how the cyber incident was found. For example, this could be through a user reporting the issue, or through an alert from the monitoring system.