Understanding data breach response and recovery

Robust preparedness is key in cybersecurity resilience. In this article, we’ll explore some key considerations to help you be prepared for and protected against data breaches.

Data breaches happen every day, and they’re expensive

In March, AT&T announced a breach that impacted more than 70 million customers. Approximately 7.6 million current and 65.4 million former customers had their information leaked on the dark web.[1] This followed several high-profile data breaches, such as the one at Change Healthcare, a UnitedHealth Group subsidiary that processes about 15 billion healthcare transactions annually. The Change Healthcare breach caused a huge financial disruption, impacting 94% of hospitals surveyed by the American Hospital Association.[2]

Breaches are not new, and they happen regularly. As we saw last year with the attacks on both Caesars and MGM, as well as the Microsoft breach, it can happen to anyone. And they have a huge financial and operational impact. Research from IBM and the Ponemon Institute shows that the average cost of a breach is $4.45 million, and that a breach takes an average of 277 days to identify and contain.[3]

Be prepared and develop a data breach response plan

Organizations of all sizes are learning that it is no longer if, but when they get breached. While they may not be able to prevent the attack, there are things they can do to mitigate the impact.

Here are a few actions you can take to help make recovery more bearable:

1. Implement an Incident Response Plan (IRP)

One of the most important things to do is to create and maintain an IRP. According to NIST SP 800-61 Rev. 2,[4] it should cover the following phases of incident handling:

  • Preparation – Plan for the incident, including training and awareness, communication channels, and defining key roles.
  • Detection and analysis – Identify and detect potential security incidents. Establish signals, as well as procedures, for analysis and assessment.
  • Containment – Build out a short-term strategy to prevent the threat from spreading. This includes decision-making processes for when to isolate systems.
  • Eradication and recovery – Create a long-term plan to eliminate the threat from the environment, including steps on how to recover and resume normal operations.
  • Post-incident activities – Ensure all communication, legal, and administrative actions are taken to close out the incident. This also includes reviewing what went right, identifying gaps, and determining areas for process improvement.

IRPs may also contain process flows and playbooks to follow for various types of incidents. These help ensure all procedures, including the use of the defined communication channels, are followed.

2. Conduct tabletop exercises (TTXs)

The TTX simulates an incident, allowing people to follow the processes they would implement if it were real. It is a great way to determine if the IRP is still valid for the organization. It also provides training and awareness, allowing participants to understand their role during an incident. It is recommended (and in some cases required) to conduct a TTX annually to remain current.

3. Engage legal counsel

Involving qualified legal counsel in advance of a cyber incident will help organizations reduce their risk, ensure compliance, and be better prepared to handle the complex legal landscape that can arise from a cyber incident. Many cyber legal firms also include or have access to negotiation services in the event of a ransomware attack.

4. Engage an incident response retainer

Engaging a qualified cyber breach firm with a retainer in advance can save time and money. It ensures the breach response team knows about your environment in advance, allowing for a more efficient remediation process. Some also include negotiation services as part of the retainer. Ensure that the organization you partner with for the retainer is approved by your insurance and legal counsel to prevent coverage delays.

5. Consider off-prem backups

One of the first things a threat actor will do during a ransomware attack is make the backups unusable, which could put pressure on an organization to pay the ransom. However, if the backups are off-site or in the cloud, they could maintain their integrity and be useful in restoration. Along with this, it’s a good practice to test these backups and ensure they can provide the needed function when required.
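The backup-testing advice above is only useful if the test can actually tell an intact off-site copy from one that has been deleted, overwritten, or encrypted. The following is an added example (not code from the article or from CAI) of the simplest form of that test: record a SHA-256 manifest when the backup set is taken, keep the manifest with (or separately from) the off-site copy, and compare against it during a restore drill. The JSON manifest format, the directory layout, and the file contents are constructed assumptions for illustration.

```python
"""Backup integrity check: hash manifest at backup time, verify during a restore drill.

Added example, not from the original article. All paths and file contents are
constructed sample data; the manifest format (JSON mapping relative path to
SHA-256) is an assumption chosen for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(manifest: dict, dest: Path) -> None:
    """Persist the manifest as JSON. Keep a copy somewhere the backup set cannot overwrite it."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest taken when the backup was made.

    Returns the relative paths that are missing, whose content changed, and
    that were not present when the manifest was recorded.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def is_restorable(report: dict) -> bool:
    """A set is usable only if nothing is missing or altered; extra files are flagged, not fatal."""
    return not report["missing"] and not report["modified"]


def run_drill() -> tuple:
    """Constructed restore drill: record a manifest, then verify an intact and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "backup"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\n")
        (src / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(src)
        write_manifest(manifest, base / "manifest.json")

        # Off-site copy that survived intact: verified against the manifest read back from disk
        intact = base / "offsite_ok"
        shutil.copytree(src, intact)
        ok_report = verify_backup(intact, json.loads((base / "manifest.json").read_text()))

        # Copy that did not survive: one file overwritten in place, one deleted, one added
        damaged = base / "offsite_damaged"
        shutil.copytree(src, damaged)
        (damaged / "db" / "customers.sql").write_bytes(b"\x00\x13\x37 constructed unreadable content")
        (damaged / "config.yaml").unlink()
        (damaged / "NOTE.txt").write_bytes(b"constructed unexpected file")
        bad_report = verify_backup(damaged, manifest)
    return ok_report, bad_report


if __name__ == "__main__":
    ok, bad = run_drill()
    print("intact copy:", ok, "restorable:", is_restorable(ok))
    print("damaged copy:", bad, "restorable:", is_restorable(bad))
```

A manifest check confirms the bytes are what was written, not that the application can use them; a full drill still restores the set into an isolated environment and starts the service from it. Storing the manifest on a path the backup job itself cannot write to is what keeps a tampered backup from arriving with a matching, tampered manifest.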

6. Consider Managed Detection and Response (MDR) / Extended Detection and Response (XDR)

Consider an MDR/XDR solution as a preventative measure. These solutions provide 24/7 monitoring, advanced technologies, and the ability to respond rapidly in the event of a breach. MDR/XDR providers should have current, global threat intelligence to be able to defend against emerging threats. They can also supply additional context and data to support incident investigations.

Understand data breach response strategies

As stated above, it is no longer a question of if, but when you will be breached. Following the methods above will help minimize the impact of the breach, allowing you to be better prepared to navigate through the incident. It’s equally important to understand your options in the event a breach occurs.

One question we are frequently asked is, “Should I pay the ransom?” While this is discouraged by many experts, there are times when it may make sense. These may include life-threatening situations or essential threats to the business. Having negotiation services as part of your breach response plan can help bring the cost of the ransom down to a more digestible amount. At the end of the day, most threat actors that use ransomware are looking for a payout of some kind—even if it is less than their original asking price.

Another consideration is what you would get by paying the ransom. Often it will be the decryptor to reverse the damage of the attack and recover encrypted files, as well as the promise to delete data and/or not post exfiltrated data on public websites. Organizations need to weigh this when deciding. We have seen cases where negotiation bought enough time for the response and recovery team to restore operations without requiring a decryptor, which gave the organization more leverage to lower the ransom or not pay it at all.

How you respond to a data breach will depend on the circumstances and the needs of your business, but it’s important to keep these considerations in mind as you build breach response plans.

Preparedness is key to protecting against data breaches

Robust preparedness is key to cybersecurity resilience. As organizations navigate through protection and response strategies, it is essential to remember that the strength of defense lies not only in the technologies deployed but also in the culture of vigilance and adaptability.

By embracing comprehensive IRPs, engaging in regular training exercises, seeking expert counsel, and maintaining secure and tested backups, businesses can fortify themselves against cyberattacks. In the end, the true measure of a cybersecurity posture is not reflected in the absence of breaches, but in the effectiveness of its response when faced with an incident.

At CAI, we take a proactive approach to cybersecurity, working alongside our clients to identify vulnerabilities and gaps. We assist in assessment and management including threat detection, response, and post-breach remediation services. If you’re looking to better protect your organization from the growing threat landscape, contact us.


  1. Veltman, Chloe. “Millions of Customers’ Data Found on Dark Web in Latest AT&T Data Breach.” NPR, March 30, 2024.
  2. “AHA Survey: Change Healthcare Cyberattack Having Significant Disruptions on Patient Care, Hospitals’ Finances.” AHA News, American Hospital Association, March 15, 2024.
  3. “Cost of a Data Breach Report 2023.” IBM, 2023.
  4. Cichonski, Paul, Thomas Millar, Tim Grance, and Karen Scarfone. “Computer Security Incident Handling Guide.” NIST CSRC, August 6, 2012.
