The Five Stages of Grief: Coping With a Data Breach

Have you been a victim of a data breach? You’re not alone.

As an incident response (IR) professional, I have met many different types of corporate staff, from the IT staff to the C-suite. Unfortunately, it was probably on their worst day ever, and in our world, it’s most likely due to phishing or ransomware. According to the Verizon Data Breach Investigations Report (2023 DBIR), the median cost per ransomware incident more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million.

Many seasoned law enforcement personnel share the same sentiment, especially those that work in serious crimes. Like these responders, we’re walking into an active crime scene. Emotions are high, those involved are stressed and they’re having a difficult time wrapping their heads around what happened, why and, more importantly, how to resume operations.

While customers are the main victims of security incidents, followed by the enterprise, infosec teams on the front lines are also victims. Feelings of defeat, loss, failure of oversight and knowing that they could potentially become unemployed as a result are harsh realities teams face, especially when budgeting decisions were made without their input or if the enterprise didn’t have a business continuity plan in place. Often, victims will progress through the same five stages of grief that victims of other crimes experience.

The five stages of grief–denial, anger, bargaining, depression and acceptance–were developed by Elisabeth Kübler-Ross in a book she published called On Death and Dying. The model was used to describe terminally ill people facing death, but was quickly adapted as a way of thinking about grief in general. Having guided many customers through data breach events to remediation, we’ve seen the “five stages of grief” model in action.

Looking at this model with an infosec lens, we have outlined the five stages of incident response grief and how to work through them for a better outcome.

Stage 1: Denial

“There’s no way this happened to us.”

“I really can’t believe this.”

These are just a few soundbites we’ve heard incident response (IR) customers express in the early stages after a breach. While it is important to acknowledge this ugly truth and sympathize with the situation at hand, there is no time to waste. You need to act fast.

Know that the threat actor is alive and well; the time is now to move forward.

Stage 2: Anger

“How could you let this happen?”

At this stage, reality sets in and folks can become angry. There might be anger toward management for lack of appropriate purchases over the last few years due to budgets, or anger toward third parties for mismanagement of the enterprise’s information, aka finger-pointing.

The reality: This stage is highly unproductive and the most useless in the entire process. Not only is the business already disrupted, but the issue could become compounded by someone’s effort to seek retribution.

In this scenario, it’s imperative to take a deep breath, slow down and focus. You don’t want someone with the keys to the kingdom to walk out the door.

At this stage, you must remind everyone that you’re all here to do a job together. Refocus the conversation on getting past anger as quickly as possible.

Stage 3: Bargaining

Bargaining can take on two different forms. On one hand, staff may bargain internally by thinking, “Maybe if I download this anti-virus software, it will fix all of my problems.”

Waving a magic wand is not going to remediate all your problems. For example, if you are a victim of ransomware, the threat actors have already broken in. In fact, they have been inside your network for at least 24 hours; in some cases, months, if not years. Launching ransomware is one of the last stages of a data breach; they’ve just been planning their attack and decided to detonate when you least expected it.

On the other hand, bargaining with bad actors to get your business back online is the other side of the coin. Bargaining in relation to ransomware is why entire ecosystems around insurance providers, breach coordinators and ransomware negotiators exist to help the company try to restore services or find viable avenues to get back in place and get back to business.

If your organization falls victim to ransomware, we can’t stress enough the importance of partnering with a team of expert professionals to help you eradicate, restore and recover any stolen, deleted or encrypted data. The last thing you want is for the threat actor to dig deeper than they already have, potentially causing you to pay a higher ransom and pose a larger risk to your organization.

Stage 4: Depression

“I wish we would have handled things differently.”

“I’m sorry this happened on our watch.”

Depression usually hits around the 48th to 72nd hour. This is when it becomes clear that the IT staff will bear the brunt of the storm, especially if the organization never prepared a proper business continuity and disaster recovery plan.

At this stage, staff can become emotionally and mentally tired. Productivity declines and doubt sets in. Additionally, people need sleep and food regularly, which needs to be accounted for.

The reality: You will get through this. Instead of lingering in the depression stage, focus on tackling the list of priorities in order to get the business back online.

Like the anger stage, this stage can be very unproductive and/or the least productive. The path to remediation can be a long one, but there is light at the end of the tunnel. You just need to keep pushing through to see it.

In due course, staff will get through the depression stage and reach the final phase–acceptance.

Stage 5: Acceptance

“We’ve got a long road ahead of us. How are we going to tackle this?”

“How do we prevent this from ever happening again?”

Most, if not every, impacted corporation eventually reaches acceptance, and business operations ultimately resume. Coming out of the depression stage to acceptance can be a huge milestone for organizations.

The quicker you accept the issue at hand, the faster your organization can find solutions and get back to business.

Data breaches have become common events that affect organizations in a multitude of ways. They can cause severe strains on revenue due to productivity damage, lost business during downtime, attorney fees and remediation costs.

Those repercussions could be even worse if your business powers critical infrastructure. Utilities that are a basic need for human survival such as power, water and energy could be compromised, and the general population could be negatively affected.

IBM’s Cost of a Data Breach Report revealed the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded. Costs were even higher when remote working was presumed to be a factor in causing the breach, increasing to $4.96 million.

How to Ensure Your Organization Has a Stronger Security Posture

1. Conduct a tabletop exercise.

There is nothing that could prepare your team more for a real-life attack than a simulated event. These simulated real-world cybersecurity and physical security incident scenarios educate leadership and staff on breach detection and test your organization’s response and readiness plan.

2. Map out a business recovery and continuity plan and keep a backup accessible.

A functional business continuity and disaster recovery plan is critical for organizations of all sizes. Having a plan ready to execute in the event of a breach will allow you to spend less time worrying and more time getting back to business as usual. This plan can even be built directly into the design of your backup process so that in the event you are not able to execute it, a colleague on your team can manage the data storage and backup the right way.

3. Invest in a penetration test.

Using various tools and techniques, pen testers examine external and internet-accessible systems and internally accessible systems for patching, system and service configuration and authentication vulnerabilities. Through a penetration test, your organization can gather information to understand where threats lie and offer a remediation roadmap with strategic recommendations to aid in resolving systemic issues moving forward. This method also measures the effectiveness of your solutions and the quality of the security visibility of your SOC.

Jim Broome

Jim Broome is a seasoned IT/IS veteran with more than 20 years of information security experience in both consultative and operational roles. Jim leads DirectDefense, where he is responsible for the day-to-day management of the company, as well as providing guidance and direction for our service offerings. Previously, Jim was a Director with AccuvantLABS where he managed, developed, and performed information security assessments for organizations across multiple industries, while also developing and growing a team of consultants in his charge. Prior to AccuvantLABS, Jim was a Principal Security Consultant with Internet Security Systems (ISS) and their X-Force penetration testing team. Jim has also developed and provided training courses on several security products, including being a primary author of the CheckPoint Software CCSA/CCSE/CCSI training program, as well as creating and delivering numerous client-focused training programs and events.