What to Do After a Data Breach: The Real Work Starts Now
The breach is over.
The systems are back online. Business is operating again. The incident response team has wrapped up. The cyber insurance claim is underway. Everyone wants to move on.
That's exactly when I tell clients to slow down.
After being involved in enough incident response engagements, I've learned that the recovery phase is where organizations either become significantly stronger or quietly set themselves up for the next incident.
The attack is over, but the work isn't.
A good recovery isn't measured by how quickly systems came back online. It's measured by what changes because of it.
So, what does good actually look like?
Start with the facts, not assumptions
The first priority isn't buying new security tools or launching a dozen projects. It's understanding exactly what happened.
How did the attacker gain access? How long were they in the environment? What controls worked and which ones failed? More importantly — which assumptions turned out to be wrong?
Almost every engagement uncovers the same conversations.
"We thought MFA was enabled everywhere." "We thought backups had been tested." "We thought our MSP was monitoring that." "We thought someone owned that process."
Recovery starts by replacing assumptions with facts.
Build a roadmap, not a remediation list
One mistake I see organizations make is treating every finding as an isolated task — reset passwords, deploy MFA, patch systems, review firewall rules. Those are all important, but working through them one by one doesn't create a stronger security program.
Instead, step back and build a roadmap. Prioritize improvements over the next 30, 60, 90, and 180 days. Identify what reduces the most risk, who owns each initiative, and how progress will be measured.
A breach should leave you with a plan, not just a checklist.
Fix identity before anything else
If there is one area that consistently deserves immediate attention after a breach, it's identity. Review privileged accounts, remove stale accounts, rotate passwords and credentials, expand multi-factor authentication, review conditional access policies, and validate service accounts. Most attackers don't need sophisticated exploits if they can simply use valid credentials. Strengthening identity is one of the highest-value investments an organization can make in the post-breach window.
Validate your recovery capabilities
Every company tells me they have backups. Far fewer can tell me how long it actually takes to recover their business. Recovery isn't about whether backups completed successfully overnight — it's about whether critical systems can be restored, in the correct order, within an acceptable timeframe. Test them. Document your recovery objectives. Run through realistic scenarios. Hope is not a recovery strategy.
QUICK CHECK
Do you know how long it would actually take your business to recover?
Most organizations assume they're covered. Very few have tested whether that's actually true. Here's what a real recovery readiness picture looks like:
✓Backups tested with a documented recovery time
✓Critical systems can be restored in the correct order
✓Incident response plan updated and tested in the last 12 months
✓Clear ownership of recovery decisions when it matters most
Do you know how long it would actually take your business to recover?
Most organizations assume they're covered. Very few have tested whether that's actually true. Here's what a real recovery readiness picture looks like:
✓Backups tested with a documented recovery time
✓Critical systems can be restored in the correct order
✓Incident response plan updated and tested in the last 12 months
✓Clear ownership of recovery decisions when it matters most
Incidents have a way of exposing gaps in shared responsibility. Internal teams assume the MSP is monitoring something. The MSP assumes the client owns it. A cloud provider secures the platform while the customer assumes the application layer is covered too. After a breach, review every vendor relationship — understand who owns what, review privileged access, validate monitoring responsibilities, and update contracts where the lines were unclear. If you worked with an incident response partner during the breach, that relationship is worth formalizing. Knowing who to call before the next event is part of rebuilding smarter. Good security extends well beyond your own employees.
Make security a leadership responsibility
The strongest recoveries don't end with technical improvements. They end with better governance. Leadership should understand the organization's highest risks, know where investments are being made, review progress regularly, and assign clear ownership for security initiatives. Security shouldn't disappear until the next annual assessment — it should become part of how the business operates.
Practice before the next incident
One of the best indicators of future success is whether an organization actually practices what it has learned. Update the incident response plan, run a tabletop exercise, test your communications, validate executive decision-making, and practice recovery. Every exercise should answer one question: "What have we improved since the last incident?" If the answer is "nothing," the organization hasn't really recovered.
Recovery Is an Opportunity
No organization wants to experience a breach. They're disruptive, expensive, and exhausting.
But they also provide something that's difficult to get any other way: complete visibility into where your security program actually broke down.
The organizations that recover the strongest don't waste that opportunity. They don't rebuild the same environment they had before. They build a better one.
That's what a real data breach recovery plan should accomplish — not simply restoring operations, but driving the post-breach security improvements that only become visible once you've gone through it. The lessons learned after a breach are the most honest assessment of your security program you'll ever get.
I've seen organizations come out of an incident with stronger governance, better visibility, clearer ownership, and a security program that was significantly more mature than the one they had before.
That's what good recovery looks like.
If your organization experienced a breach tomorrow, would your recovery plan simply restore your systems, or would it improve your business?
This is the final post in our three-part Breach Series. Part one covered the warning signs that exist before an incident. Part two walked through what the first 24 hours actually look like. This post covers what comes after — and why that phase matters most. If you're unsure how your organization would respond or recover, let's have a conversation before you're forced to find out the hard way.
Frequently Asked Questions
Common questions about data breach recovery, notification requirements, and rebuilding after an incident.
What should a company do immediately after a data breach is contained?
The first move is to verify that containment is actually complete — don't assume it is. From there, preserve evidence before remediation begins, start the regulatory notification clock, and begin a structured post-mortem. The goal isn't to get back to normal as fast as possible. It's to understand what happened before you rebuild.
How long does it take to recover from a data breach?
IBM's research found that 65% of organizations had not fully recovered from a breach at the time of their study, and of those that had, 76% needed more than 100 days. Operational recovery — getting systems back online — is different from full organizational recovery, which includes closing compliance gaps, rebuilding trust, and fixing the root cause.
What are the legal notification requirements after a data breach?
It depends on where your customers are located and what data was exposed. In Florida, FIPA requires notification within 30 days for breaches affecting Florida residents. If more than 500 residents are impacted, the Florida Department of Legal Affairs must also be notified in the same window. Outside counsel should be looped in on day one — not after the deadline has passed.
What security improvements should be made after a breach?
Start with identity — review privileged accounts, remove stale access, expand multi-factor authentication. Then validate that backups actually work and that recovery times are documented. Review every vendor relationship to confirm who owns what. And fix the process failure that allowed the breach, not just the technical entry point. Most organizations patch the vulnerability and leave the underlying gap in place.
How do you rebuild customer trust after a data breach?
Transparency early matters more than a polished statement later. Customers notice the difference between a genuine response and one that's been softened by lawyers. The trust signal isn't the apology — it's what demonstrably changed afterward. Organizations that communicate clearly, move quickly, and show what they've improved tend to recover their reputation faster than those that go quiet and hope it passes.
Breach Series — 3 of 3
Part 1: Before the Breach·Part 2: The First 24 Hours·Part 3: After the Breach
🧭
Free call
Breach Snapshot Call
If this series raised questions about how your organization would actually respond — that's the right instinct. In 30 minutes we can give you an honest outside perspective on where your gaps are before an incident forces the answer.
1
Incident response plan — do you have one and has it been tested?
2
Backup readiness — can you restore critical systems and do you know how long it takes?
3
Vendor accountability — do your MSP, insurer, and legal counsel know their roles?
4
Leadership clarity — who owns the call when it comes in at 6 a.m.?
Most cyberattacks do not start with elite hackers or advanced exploits. They start with simple gaps. A stolen password. A phishing email. A forgotten backup. For many organizations, the biggest threats are ransomware, email compromise, and credential theft. The damage can be significant.
Security is not one size fits all. A 10-person startup with an MVP and a short runway should not be investing like a 5,000-person global SaaS company preparing for IPO. But too often, companies either underinvest early or throw money at tools without a plan later.
Cyber insurance used to be a checkbox. Today, it is a battleground. Carriers have tightened their requirements, premiums are on the rise, and coverage exclusions are more aggressive than ever. Many companies find themselves unprepared, with no clear roadmap on how to qualify or reduce their costs.
What topic do you want to hear about? Let us know.
Is your organization prepared to handle cyber threats? From ransomware readiness assessments to virtual CISO leadership, TechCompass offers comprehensive solutions to secure your digital assets.