When a company suffers a security breach, the first reaction is to try to stop the bleeding as quickly as possible. For some, that might mean pulling the plug on whatever system sustained the attack. But the first, best course is to quickly deploy an incident response team, conduct a forensic investigation to identify the nature of the attack, contain it and ultimately expel the attacker.
It’s important to note that no matter how much we prepare, attacks will happen. Therefore, the speed and quality of the initial response is critical. Getting incident response right helps minimize brand damage, regulatory fines, downtime and overall breach cost. Companies that contain a security breach within 30 days can save $1 million compared to companies that don’t, according to the Ponemon Institute’s Cost of a Data Breach Study 2018.
Once the crisis has passed, it might be tempting to breathe a big sigh of relief. But even more important than detecting and responding to the immediate attack is conducting post-event remediation. Companies need to recover their business operations. They need to collect and preserve evidence. And they need to take a comprehensive approach to shoring up their defenses to protect against future attacks.
Move from defense to offense
Based on decades of experience providing incident response services, DXC Technology has learned that remediation efforts entail more than just plugging that one hole through which the attackers gained entry. Nor is it about trying to fix every single presumed flaw, especially since that’s often done without any analysis or tactical prioritization. Instead, turn your attention to three broad areas — operational, organizational and technical — and make adjustments and changes as needed.
Operational issues run the gamut from simple housekeeping activities to larger strategic initiatives. Companies should deploy effective patch management, which entails defining the patch process, implementing it and verifying that up-to-date patches are in place. They should delete unused accounts, identify accounts whose passwords have never been reset, and properly protect the password vault.
Identity and access management, particularly with respect to trusted insiders, is important. Companies should explore whether they have too many shared accounts, or too many people with administrator status or with Group Policy or Active Directory permissions. Companies should also look at configuration management databases with an eye toward identifying insufficient or wrong entries. Remediation efforts should also include asset classification and security tier definition and enforcement.
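The account and privilege review described above can be started with a single Active Directory query pass. The script below is an added example, not DXC's tooling; it assumes the RSAT ActiveDirectory module, read access to the domain, and the 90-day and 365-day thresholds are placeholders to tune to local policy.

```powershell
# Added example: audit AD for unused accounts, passwords that are never reset,
# and membership of high-privilege groups. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$StaleDays    = 90    # assumed threshold for an "unused" account
$RotationDays = 365   # assumed threshold for "password never reset"
$Cutoff       = (Get-Date).AddDays(-$StaleDays)
$PwdCutoff    = (Get-Date).AddDays(-$RotationDays)

# 1. Unused accounts: still enabled, but no logon inside the window (disable/delete candidates).
$Unused = @(Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate)

# 2. No password reset: enabled accounts whose password is older than the rotation window,
#    has never been set, or is flagged to never expire.
$NoReset = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PwdCutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires)

# 3. Privileged membership: recursive members of the built-in admin and Group Policy groups,
#    so nested group tricks do not hide a principal.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Group Policy Creator Owners'
$Privileged = @(foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
})

"Unused accounts (>$StaleDays days):                 $($Unused.Count)"
"No password reset (>$RotationDays days / never expires): $($NoReset.Count)"
"Privileged principals (recursive):                  $($Privileged.Count)"

# Principals that sit in more than one privileged group deserve the first look.
$Privileged | Group-Object SamAccountName | Where-Object Count -gt 1 |
    ForEach-Object { "  $($_.Name) is in $($_.Count) privileged groups" }

# Export for the remediation tracker so each finding gets an owner and a due date.
$Unused     | Export-Csv unused-accounts.csv    -NoTypeInformation
$NoReset    | Export-Csv stale-passwords.csv    -NoTypeInformation
$Privileged | Export-Csv privileged-members.csv -NoTypeInformation
```

Run it from a workstation with domain read rights before and after remediation so the CSVs document that the counts actually went down.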
There are a number of potential stumbling blocks to be taken into account, such as not having an effective change management process, not having adequate documentation, and possible cultural and political issues. Even something as basic as time differences should be considered when taking systems offline, conducting remediation efforts and bringing them back up.
Longer-term, the goal is to create an overall security strategy that is aligned with the business and has the backing and support of company leadership.
Organizationally, companies should closely evaluate their help desks to find out whether they require extensive permissions, whether too many infrastructure components are outsourced and whether they have enough skilled security people. Shadow IT is also a major issue for most companies.
On the technical front, remediation efforts should include network segmentation, two-factor authentication and strong passwords. Mobility is a concern, so companies should address unmanaged devices that might be insufficiently protected, as well as unrestricted access to the network from remote locations.
Remediation activities should also focus on gaining visibility into what’s happening on the network, effectively managing event logs and making sure policies and procedures are enforced. One area that might fall through the cracks is performing compliance testing on technology that has been outsourced.
Assemble the best resources
While many organizations have an internal incident-response team or work with a third-party provider, the key to an effective response is speed. Organizations should have external resources on retainer and available within 60 minutes of an attack. Look for partners that have deep and broad expertise, preferably with decades of experience in incident response services, and that focus on a technology-agnostic approach, using your existing technology and systems to accelerate the response. When that’s not possible, a short-term solution can be dropped in to help the organization fill the gaps during response and investigation.
Remember, not all outside vendors are alike. Make sure vendors are accredited with the National Security Agency and capable of providing expert assistance, as well as 24×7 support and personnel training.
Before you’ve been hacked, make sure you know what to do. Learn more about security incident response.