Aftermath: Dealing with a cybersecurity breach

A cyberattack changes everything in a moment and the effects can – and should – last forever.

By Bill Clark

Fri 22 Mar 2019 @ 12:40

Cyberattacks are now a regular part of doing business. Planning for, preparing for and preventing them should be as central to business operations as planning for disasters in the physical world.

Physical disasters can impact a business, impeding operations or shutting it down entirely. Cyberattacks can be just as detrimental, and a proper recovery from an attack can be the difference between survival and failure.

Cyberattacks are now an everyday occurrence. Organisations should, of course, do their best to keep attackers out. That’s a given. The next thing to do is to assume a cyberattack will get through the defences. The first step to recovering from a cyberattack is believing it really can happen.


There are four main steps in recovering from a cyberattack:

  • Detect: This is a given, as the organisation must detect the attack in order to be able to recover.
  • Respond: In the moments following a cyberattack, the organisation must put its response plan into action.
  • Mitigate: With the response plan now in action, the organisation stops the damage by shutting down the attack, ensuring unaffected systems remain safe and securing the point of entry.
  • Recover: This stage affects every part of the business and can go on for years.

The first three steps get a great deal of press, perhaps because they’re dramatic. However, the fourth step is where the battle for survival is truly won or lost.

Honesty is the best approach to dealing with a breach. Neither business partners nor customers will be happy that their information has been compromised. However, if you are seen to be quick to respond and transparent about the incident, there is likely to be more understanding. You are also less likely to run afoul of regulators. Yahoo! received a $35 million fine from the SEC for taking nearly two years to disclose a data breach that affected half a billion users.

The EU’s recently enacted GDPR requires breaches to be reported within 72 hours of discovery, meaning any firm that does not comply risks not only fines but also public disapprobation.


An honest evaluation of what went wrong also allows your firm – and partners with whom you share your systems – to determine the changes needed to improve security going forward.

A successful cyberattack is a transformative event for an organisation. It will not be the same organisation after the attack as it was before. And it shouldn’t be. To survive and to recover, the organisation must evolve, adapting and learning from the experience.


A recent study of reported data breaches at public firms over a 10-year period, published by the Fisher College of Business at The Ohio State University, found long-lasting effects from a publicised attack:


“Attacks where personal financial information is appropriated are associated with a negative stock-market reaction, a decrease in sales growth for large firms and retail firms, an increase in leverage, a deterioration in financial health, and a decrease in investment in the short run. Firms further respond to cyberattacks by reducing CEO bonuses and risk-taking incentives and by strengthening their risk management.”


Surprisingly, the drop in the affected organisation’s share price, which can be dramatic, is often transitory. A study of the financial effects of cyberbreaches by Warwick Business School found that the bulk of the dip in shares happened on the day the breach was revealed and the following day. After those first two days, the effect largely disappeared. Interestingly, the Warwick study found that CEO pay tended to increase in the years following a cyberattack, as firms invested in management to address possible structural flaws.


The Warwick study also found that in the five years following an attack, firms paid lower dividends and invested less in R&D as they attempted to manage the financial risks that came with the breach.

The bad news is that cyberattacks are here to stay. The good news is that they are common enough that an organisation can recover in the eyes of its business partners, the financial markets and the public.
