What Is the Difference Between a Security Incident and a Security Breach?

By Don Carfagno | May 3rd, 2019

Your organization has most likely already encountered security incidents and will continue to face them moving forward. You may even have dealt with a data breach. While these two terms might seem similar on the surface, it’s critical that you make distinctions between them. How you classify these events will dictate how you respond to them, which has implications for your company’s security, compliance and reputation.

Let’s take a look at the difference between security incidents and security breaches as well as how to deal with these kinds of events.


What Is a Security Incident?

A security incident is an event that violates, or threatens to violate, an organization’s security policies and puts its systems or data at risk. It is a broad term that covers many kinds of events, and a data breach is one type of security incident: all data breaches are security incidents, but not all security incidents are data breaches. A security incident can involve any type of data, including regulated personal information as well as unregulated but sensitive data such as intellectual property, or no data at all (a denial of service attack, for example).


A related category of events is the privacy incident. The U.S. Department of Homeland Security (DHS) defines privacy incidents as adverse events that occur due to violations of DHS privacy policies and procedures. In DHS’s usage, a privacy incident involves the unauthorized disclosure or use of regulated data such as protected health information (PHI) or personally identifiable information (PII), meaning any information that can be used to identify a person or to infer their identity.

If the data affected by a security incident is regulated, the security incident is also a privacy incident. So, all privacy incidents are security incidents, but not all security incidents are privacy incidents.

Examples of Security Incidents

Security incidents cover a wide range of types of events including:

  • Malware infection
  • Distributed denial of service attacks
  • Unauthorized access
  • Insider breaches
  • Destructive attacks
  • Unauthorized privilege escalation
  • Loss or theft of equipment.

For example, an employee receiving a phishing email can be classified as a security incident, and so can an attacker gaining access to a company’s network. Someone stealing a laptop that contains regulated data, on the other hand, is a privacy incident, and, unless the data on it was encrypted, it is likely to be a breach as well.

The Democratic National Committee (DNC), for instance, experienced a security incident in August 2018. The DNC reported to the Federal Bureau of Investigation (FBI) that it had discovered a phishing campaign targeting its voter database and took steps to boost its security in response. The phishing attempt was unsuccessful and did not gain access to any data (it was later found to have been an unauthorized phishing test commissioned by a state Democratic party). Because no data was accessed, the event never became a data breach. It remained a security incident.

What Is a Security Breach?

If a security incident results in unauthorized access to data, it can typically be classified as a security breach. The precise definition of a data breach depends on the laws that apply to your organization, so when deciding whether a security incident qualifies as a breach, use the legal definition from the regulations that govern you. These definitions differ slightly between federal, state and other breach laws.


The General Data Protection Regulation (GDPR), the data protection and privacy regulation enacted by the European Union, defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Personal data is any information that can lead, either directly or indirectly, to the identification of a natural person.

Under the Health Insurance Portability and Accountability Act (HIPAA), a breach is defined as, generally, “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

Under data breach laws, a confirmed breach triggers notification duties. You will typically need to notify the affected individuals and the relevant regulatory agencies, and you may also need to notify credit reporting agencies or the media. Contracts with business clients often require that you notify the business if its employees or customers are affected.

Examples of Security Breaches

According to the Identity Theft Resource Center, organizations reported 1,244 breaches in 2018, which involved the exposure of 446,515,334 records. While the total number of breaches decreased as compared to 2017, the number of records exposed and the number of exposed records containing sensitive personally identifiable information increased.

A data breach could occur in several different ways. It could mean someone gaining unauthorized access to a system that contains personal data. It could also mean the loss or theft of a device that contains electronic personal data as well as the loss or theft of physical documents that contain personal data. The corruption of sensitive data or an incident that affects the availability of personal data, such as a ransomware attack, would also be considered a data breach.

There have been numerous high-profile data breaches over the years. The largest occurred at Yahoo in August 2013 and exposed users’ names, email addresses, dates of birth, security questions and passwords hashed with the weak MD5 algorithm. Yahoo reported the breach in 2016 and said the accounts of 1 billion users had been compromised. In 2017, the company revised that figure to all 3 billion of its user accounts. Yahoo also disclosed that attackers had forged authentication cookies that let them access some accounts without a password.

Another famous example is the scandal involving Facebook and Cambridge Analytica, a data analytics firm, which came to light in 2018. Rather than hacking, the breach occurred because Cambridge Analytica obtained Facebook user data through a third-party app without those users’ knowledge or consent. The app collected data not only about the people who used it but also about their Facebook friends.

How to Determine Whether an Event Is an Incident or a Breach

So, when an event occurs, how can you determine whether it is an incident or a breach? You need a documented decision procedure in place beforehand so you can react appropriately and promptly.

Most security incidents do not result in unauthorized access to data and therefore never qualify as data breaches. Despite this, you should treat every security incident as a potential breach until the assessment shows otherwise; several regulations, HIPAA among them, require organizations to approach incidents this way.

When a security incident occurs, organizations need to conduct a multi-factor risk assessment to determine whether it is a data breach. Under the HIPAA Breach Notification Rule, for example, an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can demonstrate a low probability that the PHI was compromised, based on a risk assessment of at least the following factors:

  • The nature and extent of the affected protected health information (PHI), including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

Conducting a risk assessment such as this will determine whether an incident qualifies as a breach. Each organization should conduct an assessment that aligns with the laws which apply to them. It’s also essential that organizations document their risk assessment, actions taken and timeline if an incident involves regulated data. Your assessment will inform how you respond to and resolve an incident, which departments should be included and whether you need to send out any notifications as well as the nature of those notifications. In addition, reacting quickly to a security incident can help prevent it from escalating to the level of a security breach, as was the case with the phishing attempt at the DNC.
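The decision procedure described above can be written down and applied consistently. The following is an added example (not BlackStratus code or a tool the article describes) that encodes this article’s taxonomy, every breach is an incident, regulated data makes an incident a privacy incident, and only unauthorized access to readable data makes it a breach, together with the four HIPAA risk factors. The Event fields, the 0–2 scoring of each factor and the LOW_PROBABILITY_MAX threshold are assumptions made for illustration; the four factors themselves come from the Breach Notification Rule, and the encryption carve-out mirrors the “unencrypted” language found in most breach laws.

```python
"""Incident triage: security incident vs. privacy incident vs. data breach.

Added example, not BlackStratus code. Field names, the 0-2 factor scores
and LOW_PROBABILITY_MAX are illustrative assumptions; the four factors are
those of the HIPAA Breach Notification Rule (45 CFR 164.402).
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Event:
    description: str
    policy_violated: bool         # did the event violate a security policy at all?
    regulated_data: bool          # PHI, PII or other regulated data involved?
    data_exposed: bool            # did data reach, or remain with, an unauthorized party
                                  # (includes lost or stolen devices and documents)?
    encrypted: bool = False       # was the exposed data encrypted?
    key_compromised: bool = False  # was the decryption key exposed as well?
    # HIPAA four-factor assessment, each scored 0 (low risk) to 2 (high risk)
    reidentification: int = 0     # 1. nature/extent of PHI, likelihood of re-identification
    recipient: int = 0            # 2. who used the PHI or received the disclosure
    viewed: int = 0               # 3. whether the PHI was actually acquired or viewed
    unmitigated: int = 0          # 4. extent to which the risk has NOT been mitigated


@dataclass
class Triage:
    security_incident: bool
    privacy_incident: bool
    data_breach: bool
    rationale: List[str] = field(default_factory=list)


# Assumption: a total factor score at or below this documents a
# "low probability of compromise" and rebuts the presumption of breach.
LOW_PROBABILITY_MAX = 2


def compromise_score(ev: Event) -> int:
    """Sum of the four HIPAA factors; higher means the data is more likely compromised."""
    return ev.reidentification + ev.recipient + ev.viewed + ev.unmitigated


def triage(ev: Event) -> Triage:
    """Classify one event. Every path records why, so the assessment can be documented."""
    if not ev.policy_violated:
        return Triage(False, False, False, ["no security policy violated: not an incident"])
    t = Triage(security_incident=True, privacy_incident=ev.regulated_data, data_breach=False)
    if ev.regulated_data:
        t.rationale.append("regulated data involved: privacy incident, document the assessment")
    if not ev.data_exposed:
        t.rationale.append("no unauthorized access to data: remains a security incident")
    elif ev.encrypted and not ev.key_compromised:
        t.rationale.append("exposed data was encrypted and the key was not: not a notifiable breach")
    elif ev.regulated_data and compromise_score(ev) <= LOW_PROBABILITY_MAX:
        t.rationale.append(f"four-factor score {compromise_score(ev)} shows low probability of "
                           "compromise: presumption of breach rebutted")
    else:
        t.data_breach = True
        t.rationale.append("unauthorized access to readable data: data breach, start notification analysis")
    return t


# Constructed scenarios for illustration (not real cases from the article)
EXAMPLES = {
    "blocked_phishing": Event("phishing email reported and blocked before any credentials were entered",
                              policy_violated=True, regulated_data=False, data_exposed=False),
    "stolen_encrypted_laptop": Event("full-disk-encrypted laptop holding PHI stolen from a car",
                                     policy_violated=True, regulated_data=True, data_exposed=True,
                                     encrypted=True, reidentification=2, recipient=2, viewed=0, unmitigated=2),
    "misdirected_fax": Event("PHI faxed to another covered entity, which confirmed it was destroyed",
                             policy_violated=True, regulated_data=True, data_exposed=True,
                             reidentification=1, recipient=0, viewed=1, unmitigated=0),
    "exfiltrated_customer_db": Event("attacker dumped an unencrypted table of customer PII",
                                     policy_violated=True, regulated_data=True, data_exposed=True,
                                     reidentification=2, recipient=2, viewed=2, unmitigated=2),
}


if __name__ == "__main__":
    for name, ev in EXAMPLES.items():
        result = triage(ev)
        print(f"{name}: incident={result.security_incident} privacy={result.privacy_incident} "
              f"breach={result.data_breach}")
        for line in result.rationale:
            print("   -", line)
```

Running the examples classifies the blocked phishing email as an incident only, the encrypted laptop and the misdirected fax as privacy incidents that are not breaches (for different reasons), and the exfiltrated customer table as a breach. The rationale list is the part worth keeping: it is the documentation of the assessment that the regulators described above expect to see.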

How to Respond to a Security Incident or Breach

Once you determine whether an event is a security incident or data breach, you need to take steps to respond to it. A significant portion of the work of responding to an incident or breach will occur during the preparation stage before an incident occurs. It’s important to have a detailed plan in place long before an incident occurs so you can respond quickly and effectively to minimize any damage that may occur. Your plan should include different steps to take for security incidents and security breaches. The process of responding to an incident or breach will look different for each organization, but here is a basic outline:


1. Containment

After an incident or breach occurs, the first thing you need to do is contain the problem so it does not spread and cause more damage to your business. Do not delete or wipe affected systems and data, and capture logs, memory and disk images before you change anything: you will need this evidence to determine where the breach began and to plan how to prevent a similar event in the future.

To help contain the problem, isolate affected devices from the network where possible, rather than powering them off, since shutting down destroys volatile evidence. You may also need to patch affected systems, review remote access controls and rotate all exposed credentials and passwords, but do this after evidence has been preserved. Have strategies prepared for both short-term containment (isolating a host) and long-term containment (rebuilding it cleanly). It is also beneficial to have tested, offline backups in place so you can restore business operations without permanently losing data.

2. Eradication

After containing the issue, it’s crucial that you find and eliminate the root cause of the incident or breach. Depending on the cause, this may include securely removing malware, applying updates or hardening various systems. You can do this yourself, hire a third party to do it or use third-party software. Whichever method you use, it’s essential that you are thorough when eradicating the cause of the issue. If even minor security issues or malware remain in the system, you could continue to lose valuable data.

For example, when Facebook first learned about the issues related to Cambridge Analytica, it asked the firm to delete all of the unauthorized data and banned the app that had been used to collect it.

3. Recovery

The recovery phase involves restoring all of the affected systems and devices. This can occur at the same time as the eradication phase or directly afterward. Recovery does not mean that the system is exactly the same as it was before the incident, as the system should be slightly stronger to protect against similar threats in the future. For a full recovery, the organization’s systems and operations should be returned to a fully functional state with new protections in place.

In the Yahoo incident, the company invalidated all unencrypted security questions and required password changes to protect user information and ensure that users’ accounts were again secure.

4. Review

After taking care of the incident and completing the recovery phase, it’s necessary to review the incident and take a look at the lessons learned. You should take a detailed look at the incident to identify what went well and which areas need improvement. This review should include the use of quantitative data such as the time it took to detect and recover from the incident.

You can use the results of this review to inform how you will prepare for potential future incidents and breaches. Through this process, you can update your plans with new policies, procedures and technologies. This enables a continuous cycle of improvement.

Following the Cambridge Analytica incident, Facebook investigated certain apps to ensure they didn’t have unauthorized data, imposed stricter rules related to developers’ access to data and made it easier for their users to access their privacy information. These steps were aimed at preventing similar issues from arising in the future and winning back the trust of users.

How to Provide Notification of a Breach

There are different processes for handling data breaches under different regulations, which can make compliance with data breach laws somewhat complicated. Each organization should take a close look at all of the legal requirements that apply to it and its options for how to comply.

GDPR, for example, requires that data controllers notify the relevant supervisory authority of a personal data breach “without undue delay” and, where feasible, within 72 hours of becoming aware of it. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay. GDPR further requires that data processors notify their data controllers “without undue delay” when they become aware of a personal data breach.

Under California’s data breach laws, businesses must notify any resident of California whose unencrypted personal information is acquired by an unauthorized person. If the business or person must issue a notification to more than 500 California residents, they must also send a copy of the notification, without personally identifiable information in it, to the Attorney General.

The HIPAA Breach Notification Rule also requires HIPAA-covered entities to provide notifications of breaches of unsecured PHI. The Federal Trade Commission’s Health Breach Notification Rule imposes similar requirements on personal health record vendors and related third-party providers that HIPAA does not cover.

The notification process can be time-consuming and expensive. For example, in 2016, Yahoo had to notify 1 billion users of the breach and posted a notice about it on its website. The next year, after revising the count, the company had to send an additional 2 billion notifications by email. Having a notification plan in place before an incident can reduce both the cost and the time needed to provide notifications.

How to Prevent a Security Incident or Security Breach

All businesses should have some processes or technologies in place to help prevent security incidents and breaches. These systems should include methods of detecting unusual activity and blocking threats and attacks. Some primary technologies might include firewalls, network security monitoring tools, web vulnerability scanning tools and encryption tools. Businesses should also have basic security policies such as requiring strong passwords and restrictions for the use of personal email accounts and devices. The intensity of the protection should depend on the sensitivity of the data the company handles and its risk level.


Standard methods of incident and breach detection centralize logging and correlate events in real time, so the organization can identify suspicious activity on its networks as it happens. A more advanced approach compares current activity against historical baselines and previous incidents, and organizations can use those insights to establish new policies that prevent recurrences. The most capable detection methods add behavioral analytics that flag anomalous activity, including by insiders, that does not match any known signature.
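The “real-time correlation” described above is what turns individual log lines into an alert. The following is an added example (not BlackStratus code or a rule from one of its products) of a classic SIEM correlation rule: a burst of failed SSH logins from one source address followed by a successful login from the same address within a short window. The log lines, host name and RFC 5737 test addresses are constructed for the example; the threshold and window are assumptions a real deployment would tune.

```python
"""Correlate SSH authentication log lines into "brute force followed by
success" alerts. Added example, not BlackStratus code. The sample log lines,
the host name web01 and the IP addresses (RFC 5737 documentation ranges) are
constructed; threshold and window are illustrative defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH syslog lines for password authentication outcomes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for ordering within one log but must be fixed up for multi-year logs.
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
            "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when >= threshold failures from one IP inside `window` precede a success.

    Lines must be in chronological order. Each source IP keeps a sliding deque of
    failure timestamps; a successful login is checked against that deque."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "ssh_bruteforce_success", "ip": ev["ip"], "user": ev["user"],
                           "host": ev["host"], "time": ev["ts"], "failures": len(q)})
            q.clear()                              # one alert per burst
    return alerts


# Constructed sample log: one brute-force that succeeds, one user who mistypes once,
# one slow guesser spaced outside the default window, and one unrelated line.
SAMPLE_LOG = [
    "Jan 10 12:00:01 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2",
    "Jan 10 12:00:03 web01 sshd[4022]: Failed password for root from 203.0.113.10 port 51002 ssh2",
    "Jan 10 12:00:05 web01 sshd[4023]: Failed password for invalid user test from 203.0.113.10 port 51003 ssh2",
    "Jan 10 12:00:07 web01 sshd[4024]: Failed password for invalid user oracle from 203.0.113.10 port 51004 ssh2",
    "Jan 10 12:00:09 web01 sshd[4025]: Failed password for svc-backup from 203.0.113.10 port 51005 ssh2",
    "Jan 10 12:00:11 web01 sshd[4026]: Failed password for svc-backup from 203.0.113.10 port 51006 ssh2",
    "Jan 10 12:00:14 web01 sshd[4027]: Accepted password for svc-backup from 203.0.113.10 port 51007 ssh2",
    "Jan 10 12:00:30 web01 sshd[4030]: Failed password for alice from 198.51.100.7 port 40212 ssh2",
    "Jan 10 12:00:41 web01 sshd[4031]: Accepted password for alice from 198.51.100.7 port 40213 ssh2",
    "Jan 10 12:05:00 web01 sshd[4040]: Failed password for bob from 192.0.2.44 port 40300 ssh2",
    "Jan 10 12:07:00 web01 sshd[4041]: Failed password for bob from 192.0.2.44 port 40301 ssh2",
    "Jan 10 12:09:00 web01 sshd[4042]: Failed password for bob from 192.0.2.44 port 40302 ssh2",
    "Jan 10 12:11:00 web01 sshd[4043]: Failed password for bob from 192.0.2.44 port 40303 ssh2",
    "Jan 10 12:13:00 web01 sshd[4044]: Failed password for bob from 192.0.2.44 port 40304 ssh2",
    "Jan 10 12:13:30 web01 sshd[4045]: Accepted password for bob from 192.0.2.44 port 40305 ssh2",
    "Jan 10 12:15:10 web01 systemd[1]: Started Session 12 of user alice.",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['time']:%b %d %H:%M:%S} {a['rule']}: {a['failures']} failures then login "
              f"as {a['user']} from {a['ip']} on {a['host']}")
```

With the defaults only 203.0.113.10 fires. The slow guesser at 192.0.2.44 is the instructive case: spacing attempts two minutes apart defeats a 60-second window, but widening the window to ten minutes catches it, which is why the historical-baseline approach described above complements the real-time rule rather than replacing it.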

Trust BlackStratus to Protect Your Data

The right tools are crucial for preventing security incidents and breaches. Many companies work with third-party companies that offer solutions for ensuring data integrity, providing protection and monitoring the network environment for threats. BlackStratus offers many custom solutions for businesses, managed service providers (MSPs) and managed security service providers (MSSPs).

Our cloud-based CYBERShark product is designed to provide affordable enterprise-level protection. It provides 24/7 network monitoring, advanced correlation, real-time alerts, remediation for malicious activity, an integrated incident management workflow and reports needed for compliance purposes. With CYBERShark, MSPs can provide advanced security and protection to small- to mid-sized businesses (SMBs).

We also offer LOGStorm, a powerful yet cost-effective log management and monitoring solution. In addition to complete log management and log monitoring, LOGStorm provides powerful correlation technology, real-time event log correlation and an integrated incident response system. It offers a reliable means of collecting, storing and reporting security event data to simplify compliance and enhance your security.

Our SIEMStorm offering, a comprehensive security management software, provides MSSPs with flexible threat visualization and mitigation tools. It can easily incorporate data from across numerous devices, databases and applications and provides advanced architecture, multi-tenancy support, vulnerability correlation, real-time attack visualization and reporting tools.

If you’re interested in learning more about how BlackStratus can help you prevent security incidents and breaches, contact us today.

Don Carfagno

Strategic executive management and delivery responsibilities for BlackStratus MSP product line offerings of SIEM and Logging for direct, SOC-as-a-Service and channels. Operations professional with 20 years of security management experience. I place a high premium on cost reduction and containment for all aspects of a business. With many years of experience supporting software sales organizations I am uniquely trained to develop and coach cross-functional teams. My main area of interest, what makes me want to come to work, is company building and creating successful teams. I enjoy creating and championing the successful attitude throughout an organization.