Many of the conversations around cybersecurity revolve around prevention. From how to stave off attacks to which best practices safeguard against data breaches, there’s no shortage of information out there. But what happens when — not if — your organization is compromised? The reality is that, despite our best efforts, breaches happen. And there’s far less information on how to respond than on how to prevent.
Regardless of whether the cause is a malicious attack or human error, identifying, containing and mitigating the problem is key to a swift recovery. While it may seem daunting, there are several immediate actions enterprises can take to address the event, rebuild confidence and strengthen future defenses.
Here are four steps that security leaders can implement after a data breach:
First and foremost, gather the right information. To do this swiftly and effectively, you need access to the identity data within your organization. Remember, employees are usually at the root of a breach, and to contain compromised accounts you need to be able to disable access quickly. Attackers typically get onto a network through an account, often via phishing scams, and once they’re in they look around for other vulnerabilities. Being able to identify what access the compromised person or persons have, and to amend that access to protect those accounts, is key. So ask yourself: if you wanted to reset the compromised passwords or disable certain accounts at a moment’s notice, could you? This is the key to containment.
In many cases, the tip-off for a breach isn’t a smoking gun. It’s when day-to-day activity becomes slow, you’re locked out of certain applications, or software begins to act strangely. The next logical step is to call the help desk. But what happens downstream to contain the issue? First, temporary accounts should be issued to those whose accounts were compromised, so their work isn’t disrupted entirely. Single sign-on (SSO) is used by many organizations to make it easier for employees to access what they need to get work done. But if an SSO credential is intercepted by the wrong person, it also makes it easier for them to reach much more within the organization. Disabling SSO until the issue is mitigated cuts off access to the other federated corporate applications and data. This is where the alternate work credentials come in handy.
Accountability starts at the executive level. It would be tough to hold employees accountable beyond IT, security and leadership. Except for SolarWinds, we’ve rarely seen employees held personally accountable for a company breach. However, if this is the direction we’re headed in, we need to do a better job of protecting not only our businesses but the people who run them. This starts with good communication. First, employees, customers and partners should be notified of a breach as soon as possible. While this is mandatory in some states, transparency is important whether or not the law requires it. As a next step, security training should be implemented or rebooted for all employees, contractors and other individuals associated with your organization.
Post-breach recovery strategies come into play once the security incident itself has taken place. This involves incident response planning, data backup and rebuilding a comprehensive cybersecurity strategy. It starts with visibility. Historically, IT has had to rely on spreadsheets and siloed SaaS solutions to view the entirety of an organization’s user access. This is not sustainable as companies evolve, migrate to the cloud and multiply their applications. The only way to effectively manage identity and access in modern business is via a platform approach, which connects disparate information in one central repository so IT always has eyes on who has access to what. Not only does this improve security, it also makes it easier to identify and address issues as they arise.
The ability to fully understand why a breach occurred and to respond to it appropriately is vital to cyber resilience. While preventative measures are important too, having a response plan in place is a necessity of modern business. Although the causes and consequences of each breach will differ, using these four steps to recover can help any organization bounce back and prepare for what’s ahead.