The world is more connected than ever leading to more freedom when it comes to how we get our work done, however it has also led to more opportunities for bad actors. Cyber attacks, including data breaches, malware, and ransomware are occurring more commonly than ever. Businesses of all sizes are falling victim and when data, documents, or customer information is exposed the ramifications can be crippling. As we have preached before, taking a proactive approach to cyber security is critical, however, knowing how to respond quickly and effectively in the face of an attack is equally as crucial. Join us as we uncover the steps of what to do when you are the victim of a cyber security attack.
Following a Cyber Security Attack
1. Contact your cyber security partner
Organizations like ACP CreativIT are knowledgeable on best practices to ensure as minimal a loss as possible.
2. Review incident response plan
Your incident response plan should indicate who needs to be communicated to first and foremost, including your C-level executives and/or owners, IT personnel, marketing/PR, legal counsel, and potentially operations. Incident response plans are created specific to your organization through assessments with a cyber security partner. They’ll assist in creating a specific plan to notify the appropriate parties in the event you have a breach at your organization. Following the communication plan, an IR plan is a step-by-step guide to follow during an incident to avoid as much panic and chaos as possible.
3. Contact insurance
Your insurance company, or cyber insurance company if separate, should be notified following the steps laid out in your IR plan. Many times, insurance policies require notification within a certain period of time so you want to alert them as soon as possible. Contacting insurance early in the incident ensures quick and timely payment. If you do not currently have insurance, we strongly suggest your organization consider investing in it as the coverage can help with costs associated with cyber attacks.
From there, your cyber security partner, like ACP CreativIT, will likely follow and/or direct these next steps for your organization and to your IT teams:
4. Contain the breach
Immediately after discovering a breach a business continuity team should be assembled consisting of IT and data forensics experts who can determine the size and scope of the attack in addition to which devices and/or systems have been compromised. Containment of the infected devices/systems should be top priority to ensure other servers and devices stay secured. Other action items to help contain the breach may include changing passwords, disconnecting your internet, reviewing firewall settings, disabling remote access, and installing any pending security updates or patches. These things should be done immediately as part of an effort to mitigate the losses. With that being said, the temptation to delete everything after an incident occurs should be avoided. Evidence must be preserved in order to understand how the breach occurred and get to the root of who is responsible. What should be removed right away is any data that may have been posted online to other websites as a result of the attack. Keeping your private data…well…private…is of the utmost importance.
5. Communicate and assess the security breach
Once the breach has been contained, various chains of command should be notified of the breach. The key to a fast and effective response is having a clearly mapped out plan that highlights who will delegate responsibility during the breach and all the chaos that comes with it. The business owner should be atop the hierarchy with a trickle down happening from there. Additionally, your IT department and/or cyber security provider should be notified as they can act quickly in dire situations as a technical presence who will be able to properly assess the damage. Updates from trusted sources tasked with monitoring the situation should be followed to ensure you know what to do next if you fall victim to a larger scale attack that impacts multiple organizations. Regardless of if you are the only victim or not, you must figure out the cause of the breach at your facility so it can be prevented in the future.
Questions you should be asking yourself include, “Who has access to the devices/systems that were infected?”, “Which network connections were active when the attack occurred?”, and “How was the attack initiated?” Checking your security data logs through firewall or email providers, your antivirus program, or your Intrusion Detection System may provide insight on how the breach occurred.
A qualified cyber investigator may need to be hired if you are having difficulty determining the source and scope of the breach. Doing this may pay dividends in the future by helping to keep you protected moving forward. Another facet of the assessment phase is identifying the employees, customers, and third-party vendors who may have been impacted by the breach. Acquiring information on what data was targeted, such as email accounts, credit card numbers, mailing addresses, or birthdays, will play a factor in determining the severity of the breach. Finally, staff education should be a priority. Policies should be reviewed, continuous and interactive training should be provided, and protocols should be clearly communicated.
6. Manage the fallout
At the conclusion of the assessment phase the focus must turn to managing the fallout of the attack. This is often handled by marketing/PR and/or legal counsel. A memo should be sent out to your staff making them aware of the situation. Team members should receive instruction and clear authorizations on how to communicate the incident both internally and externally. When your business is attempting to heal from a crisis remaining on the same page with your team is critical. Customers/public, in some cases, will also need to be notified of the attack. Consulting a legal counsel for advice on the matter may be worthwhile when it comes to breaking the news to affected parties.
When the dust finally settles you will need to reflect on what went wrong and how your cyber security efforts can be bolstered to be better prepared for next time. As we have mentioned, cyber attacks are happening at an alarming frequency and it’s very possible your business will be the target of a future attack. Taking a proactive approach to cyber security, as opposed to a reactive, is the best course of action to prevent, or at least minimize, the effects of future breaches.
Resources should be immediately devoted to strengthening your defenses and frequent security checks should be implemented to reduce vulnerabilities. At a minimum, an automated security solution should be in place to review firewall logs and scan files so malware is quarantined before it can cause damage. A forensics team should further investigate your system to discover its weakest points and provide solutions. Often this can come in the form of upgrading/updating software, changing passwords, or implementing multi-factor authentication. An overwhelmingly large portion of attacks are the result of external factors—educating your staff on how protect sensitive data along with how to properly detect and respond to a potential threat can go a long way toward preventing a breach.
That is what to do when you are the victim of a cyber security attack. ACP CreativIT has cyber security experts who would be happy to help your business recover from or prevent a hack. Contact us to talk to one of our experts today or visit our cyber security page here.