Hard2bit

Security breach

What is a security breach

A security breach is any unauthorized access, exposure or alteration of data, systems or infrastructure that affects confidentiality, integrity or availability. It may result from malicious attack (hacking, APT, ransomware), internal error (credential exposed in code), or negligence (unencrypted laptop lost). The impact varies: from theft of intellectual property to corruption of critical data or operational paralysis. CISOs must distinguish between incident (security event) and breach (confirmation of unauthorized access); the latter requires notification to regulators under GDPR, NIS2, and local regulations.

Why it matters

Security breaches are the primary business risk a CISO faces: financial loss (ransomware payments, remediation costs), regulatory (GDPR fines up to 20M EUR or 4% of revenue), reputational (customer loss, trust erosion), and operational (downtime, service interruption). The average attacker dwell time is 200+ days; during that time sensitive data can be exfiltrated. Regulations mandate quick notification: GDPR requires notification within 72 hours of breach confirmation. A well-structured incident response plan reduces impact: rapid containment, preserved forensics, transparent communication, and effective remediation. Immutable backups are a critical defense against ransomware; frequent audits accelerate detection.

Key points

Types of breaches: data theft (exfiltration of confidential data), data corruption (integrity compromised), denial of service (availability affected), unauthorized system access.

Late detection is costly: average 200+ days undetected. Implement proactive monitoring (EDR, SIEM, threat hunting) to reduce detection time to hours or minutes.

Regulatory notification is mandatory: GDPR 72 hours, NIS2 requires authority reporting, DORA for critical financial services. Non-compliance adds sanctions.

Incident response plan is essential: defined teams, clear roles, transparent stakeholder communication, preserved forensics, and post-incident analysis.

Example: Breach from compromised credentials in ransomware

An employee receives a targeted phishing email; VPN credentials are compromised. The attacker accesses the corporate network and escalates to domain admin over 40 days without detection. Ransomware is deployed that encrypts 500 servers simultaneously. The breach is discovered only when operations stop. Impact: 2M EUR ransom requested, 30% of customers cancel contracts, GDPR fine for delayed notification. Post-incident analysis reveals that the SIEM had been disabled 6 months earlier for cost reasons, and the EDR licence had not been renewed. Implemented solution: 24/7 SOC with continuous monitoring, immutable offline backup, network segmentation, mandatory MFA on all remote access.

Common mistakes

  • Assuming a breach will not occur because there is a firewall; regulators require verification that no breach has occurred, not just hope.
  • An incident response plan exists but is not tested; without drills, teams do not know what to do in a real crisis. Annual tabletop exercises are the minimum.
  • Waiting for proof of access before investigating; if data is exposed, a breach must be assumed until proven otherwise, especially under GDPR.

Frequently asked questions

What is the difference between incident and breach

An incident is any security event: a failed attack attempt, malware detected and removed, a suspicious login. A breach is confirmation of unauthorized access or data exposure. Not every incident is a breach, but every breach starts as an undetected incident.

When must I notify a breach under GDPR

Within 72 hours of confirming the breach, you must notify data protection authorities if personal data is compromised. Additionally, notify affected individuals if risk is high. Notification is mandatory even if definitive proof is pending. Delay in notification adds sanctions.

How does immutable backup reduce ransomware breach impact

An immutable backup cannot be altered or deleted by ransomware; it enables rapid data recovery. An offline backup cannot be reached from the compromised network, so it cannot be encrypted or deleted along with production data. The 3-2-1 strategy: 3 copies, 2 different media, 1 offline. Monthly restore testing validates that it works in a real crisis.
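The 3-2-1 rule and the monthly restore test above can be turned into a repeatable check over a backup inventory. The following is an added example, not code from Hard2bit; the inventory format, the field names and the two sample inventories are constructed for illustration, and the 31-day restore-test limit is an assumption standing in for "monthly".

```python
"""Check a backup inventory against the 3-2-1 rule (3 copies, 2 media, 1 offline),
require at least one immutable copy, and flag copies whose restore test is stale.
Added example with constructed data; the schema below is an assumption, not any
vendor's format."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                 # e.g. "disk", "tape", "object-storage"
    offline: bool               # air-gapped: not reachable from the production network
    immutable: bool             # WORM / object lock: cannot be altered or deleted
    last_restore_test: Optional[date] = None


def check_3_2_1(copies: List[BackupCopy], today: date,
                max_test_age_days: int = 31) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings: List[str] = []

    # "3": at least three copies of the data
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 requires at least 3")

    # "2": copies spread over at least two different media
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append("all copies on one medium "
                        f"({', '.join(sorted(media)) or 'none'}); need 2 different media")

    # "1": at least one copy that ransomware on the network cannot reach
    if not any(c.offline for c in copies):
        findings.append("no offline copy; ransomware that reaches the network "
                        "can reach every copy")

    # Immutability protects against an attacker who obtains backup credentials
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy; ransomware with backup credentials "
                        "can delete or encrypt backups")

    # Monthly restore test: a backup that has never been restored is unproven
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"{c.name}: last restore test {age} days ago "
                                f"(limit {max_test_age_days})")
    return findings


# Constructed sample data: a reference date and two inventories.
TODAY = date(2024, 6, 1)

# Weak inventory: two online disk copies in the same environment, one never tested.
WEAK_INVENTORY = [
    BackupCopy("nightly-snapshot", "disk", offline=False, immutable=False,
               last_restore_test=date(2024, 5, 20)),
    BackupCopy("weekly-replica", "disk", offline=False, immutable=False),
]

# Corrected inventory: disk snapshot + object-locked copy + offline tape, all tested.
GOOD_INVENTORY = [
    BackupCopy("nightly-snapshot", "disk", offline=False, immutable=False,
               last_restore_test=date(2024, 5, 20)),
    BackupCopy("object-lock-copy", "object-storage", offline=False, immutable=True,
               last_restore_test=date(2024, 5, 15)),
    BackupCopy("offsite-tape", "tape", offline=True, immutable=True,
               last_restore_test=date(2024, 5, 5)),
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY)):
        result = check_3_2_1(inventory, TODAY)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

Run against the weak inventory the check reports five findings (too few copies, a single medium, no offline copy, no immutable copy, and an untested replica); the corrected inventory passes. Replace the constructed inventories with the output of your backup tooling's own listing to use the check in practice.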