Cleaning Up After a Data Intrusion — Five Strategies From Asiaciti Trust & Target

Data intrusions affect thousands of enterprises every year. They take many different forms, from relatively crude denial-of-service floods to much more sophisticated operations that surgically extract data from secure systems — often without being detected for months or even years.

The most sophisticated data intrusions are difficult to characterize because they’re so well executed and well concealed. Asiaciti Trust saw no evidence of an actual intrusion in the wake of the 2021 data release that affected it and about a dozen other international firms, for example. Neither did any other affected organization that has spoken publicly on the matter.

But Asiaciti Trust and its fellow victims were aware that something had happened — as your organization is likely to be, sooner or later. Here’s what you can do to clean up after such an event and minimize the long-term damage to your firm.

1. Figure Out Who’s Responsible (If You Can)

First, retain a team of digital security experts to determine the cause of the breach, how it occurred, and the responsible party or parties.

Sony Pictures did this in the wake of a very public, very embarrassing data breach in 2014. Its decision to publicly attribute the breach to the North Korean government following its investigation had significant geopolitical consequences, but the firm rightly felt that its interests — and those of potential future victims — were better served by going on offense.

You might not be in a position to publicly disclose the results of an investigation so soon after the event, particularly if law enforcement investigations remain ongoing or your firm is the subject of civil action. But you can and should investigate for your own purposes if only to determine how to improve your defenses.

2. Patch the Specific Vulnerability That Led to the Intrusion

The sooner you correct the issue that led directly to the intrusion, the sooner you’ll be able to move on. And, hopefully, the less likely a similar intrusion will be to occur in the future.

The latter is not a given. But patching any associated vulnerabilities is nevertheless a best practice. It could well be required by your cyber liability insurance policy if you have one.

3. Make Sure the Event Is No Longer Ongoing

Patching the vulnerability that led to the intrusion is important. However, it matters little if you haven’t already (or don’t soon plan to) expel the intruders.

Many intrusions are one-off events that are over by the time they’re discovered, but some are much longer in duration and may not functionally end until the victim or its agent takes action.

Again, this isn’t just a best practice; it may be required by your cyber liability insurance policy and could be a prerequisite for a formal post-incident investigation.

4. Conduct an Organization-Wide Cyber Security Review

Once the event is well and truly over, it’s time to conduct an organization-wide cyber security review to identify other potential vulnerabilities and shore up your security posture.

This is part of a well-worn post-incident playbook followed by organizations as diverse as Asiaciti Trust and Target (the U.S. retail giant that suffered a devastating vendor hack in 2013).

The goal is nothing short of a comprehensive view of your organization’s digital strengths and weaknesses — a road map toward tighter digital security.

5. Notify Affected Parties As Soon As You’re Able

This step is not as clear-cut as you might expect. In fact, it can be downright fraught. The natural impulse of many victims of digital intrusions is to circle the wagons and pretend nothing happened.

For others, the overwhelming temptation is to release as much information as possible, as soon as possible — the thinking being that fast, fulsome disclosure is the best way to restore customer and stakeholder trust.

The best course of action typically falls somewhere in between these two extremes. The incident that affected Asiaciti Trust and its fellow fiduciaries, for example, prompted a complicated international investigation that remains ongoing. That investigation precludes total transparency, whatever the other benefits — even as the basic demands of crisis management necessitate some sort of public response.

It Gets Easier — If You Do the Work Now

Data intrusions don’t clean up after themselves. It takes a lot of work to get things back to the way they were before, if that’s even possible. Often, such events necessitate sweeping changes that fundamentally alter a firm’s internal processes — and perhaps its public brand as well.

It’s enough to make a leader throw up their hands in frustration. But it must be done because the alternative is too dire to contemplate. Put in the work now and you can look forward to an easier, sunnier future. Perhaps not next week or even next month, but soon enough.