Learn how to coordinate your technical, legal and PR response so that your business survives a cyberattack.
Your business is facing a cyberattack – now what? You know how much is at stake. On average, a data breach sets a company back by USD3.92 million. What’s worse, cybercrime tends to hit smaller businesses harder.
It’s important to understand the risk associated with cyberattacks and how it can affect your business. But this is not the time to panic. There are a lot of moving parts in an incident response plan. You need to coordinate with forensic IT and legal experts as well as potentially a PR team to manage damage control.
Taking the road to recovery one step at a time
With Digimune’s help and a swift but systematic approach, you’ll not only limit the impact a breach has on your business but also prove to regulators and your customers that you’re serious about cybersecurity.
While a good cyberattack recovery plan will give you the confidence to act without hesitation, bear in mind that no two cybercrimes are the same. The unique nature of your business coupled with hackers’ ever-shifting angles of attack mean that each incident exposes different data and vulnerabilities.
Despite there being no one-size fits all solution, this guideline provides a basic framework for designing your business’ incident response plan. Bear in mind that balancing the legal, technical and PR aspects of a breach means that some of the sections may overlap or even run in parallel.
1. Lock down: Secure operations and contain the cyberattack
When you suddenly notice new and unfamiliar applications, features added to browser toolbars or deactivated antivirus programmes, alarm bells should go off. Before taking any drastic action, check that you aren’t just experiencing a software glitch.
Once you have reasonable grounds to believe you’re facing a hack, your top priority is preventing any further data losses.
You can do this by cutting off all avenues of attack. If your network allows for it, isolate the affected endpoints and servers. Disconnecting them from other systems will stop malware from spreading.
Sometimes it’s better to simply take all computers offline and cut internet and remote access but maintain firewalls. It’s also essential that you don’t shut down compromised machines and systems.
Why? Because documenting the crime scene is just as important with a cybercrime as if someone had physically broken into your business premises. By the same logic, you should never destroy evidence. Not only can this cause legal problems, but you won’t be able to identify and remedy the weaknesses that led to the breach.
Bring in the task force
Although your in-house IT can take on the job of investigating the cause and nature of the breach, calling in an expert forensic team pays dividends. As specialists in this field, they’ll get to the root of the problem faster. What’s more, these teams routinely find evidence and vulnerabilities that in-house staff have overlooked.
At the same time, call in your legal counsel to work hand in hand with the forensic team. After all, a cyberattack is a crime with legal implications and they will be able to help you navigate the regulatory maze.
Although not comprehensive, this checklist is a good starting point for your efforts to contain a breach:
Cyberattack containment checklist
- Use a redundant system backup to restore critical data to a new network
- Quarantine malware from the rest of the environment
- Consider abandoning infected networks
- If possible, put clean machines online instead of infected ones
- Install any pending security updates or patches
- If you suspect that criminals have stolen financial or personal information, it’s advisable to request a credit report and get your bank to set a fraud alert
- Change all passwords
The last point is critical because if the criminals gained access via an employee account, your system will remain compromised until you change those credentials, even after you remove the hacker’s tools.
2. Stay on the right side of the law: Reporting to the authorities
In many jurisdictions, it’s necessary to report cybercrimes. Since the notification periods are often very short, you will need to meet these legal obligations while investigating a breach or even as you are still working to contain it.
For instance, Europe’s General Data Protection Regulation (GDPR) requires that businesses inform a Data Protection Authority (DPA) about any security breach that affects personal data within 72 hours. Failure to do so can carry a hefty fine.
Similarly, South Africa’s Protection of Personal Information Act (POPIA) makes it obligatory to report to the Information Regulator. You can brush up further on the subject by reading the Information Regulator’s guidelines on submitting a breach notification. What’s more, electronic communications service providers (e.g. internet service providers) and financial institutions must also contact the South African Police Service. Once again, the notification window is 72 hours, after which the business could face a fine of up to R50,000.
As the U.S. Federal Trade Commission explain in their Data Breach Response Guide for Business, businesses in the States should report incidents to local law enforcement agency and the FBI.
No matter which country or countries you operate in, you will also need to communicate with employees, customers and suppliers whose data the cybercriminals stole or who may be affected by the breach in other ways.
While the way that you handle this is instrumental to ensuring you don’t lose their trust, always get the green light from the authorities first. That’s because law enforcement may need you to delay notifying data subjects if doing so could impede their investigations.
3. Take stock: Pinpoint the source and scope of your breach
Whoever is tasked with closing the breach should create a disk image or copy of the affected servers and systems. These “crime scene photos” will be a key reference in determining how the hacker entered your systems and how you can eliminate those weaknesses.
Another key source of information is your intrusion detection and/or prevention system (IDS and IPS) logs. This is where you’ll see the criminal’s digital fingerprints that point to those files the hacker accessed and any other dangerous network interventions. Without them, your IT team is searching for a needle in a haystack.
A detailed picture of the cyberattack is the starting point for identifying the gaps in your system’s defences and how they were exploited. In doing the detective work, remember you’ll need answers to all the questions on this checklist:
Cyberattack investigation checklist
- What is the origin of the breach?
- Who discovered the breach?
- How did the culprit penetrate the system?
- What systems and applications have been compromised?
- How will this impact operations?
- Who among your customers, employees and vendors is affected?
With a better understanding of the nature and scope of the cybercrime, you’re ready to start taking remedial action. But don’t forget to keep running accounts of all expenses incurred in containing the data breach. Both the police and your insurer, should you choose to file a claim, will want this information.
4. Build your Fort Knox: Eliminate vulnerabilities and test your defences
Once you’ve identified the precise nature and extent of the breach, you want to erase all trace of it from your system. But you should also take the opportunity to test and improve all aspects of security. The best place to start is obviously the remedial measures in your forensic team’s reports.
As soon as you deploy a short-term fix to protect your network, test it. You want to be 100% sure that the cybercriminals can’t use the same tricks to break into your system again.
What’s more, you should repeat this kind of penetration testing for all your company’s servers or virtual machines to ensure a door hasn’t been left open there.
Part of the process of reviewing your security systems is reassessing your infrastructure’s defence-in-depth measures. These involve layering security and intentionally building redundancies into your security. That way, if one mechanism fails, there are still others in place to ward off the cyberattack.
Network segmentation is one such defence-in-depth strategy that is worth looking at more closely after a breach. To put it simply, dividing your network into sections allows you to prevent a breach on one site or server from spreading to others. Get your forensic team to analyse whether your current strategy was effective or whether you need to make changes.
Here’s a list of other things to consider:
Cyberattack security fix checklist
- Harden and patch your system, including installing all updates
- Verify whether measures, such as encryption, were active when the attack occurred
- Review who – internally and externally – has access privileges, and whether or not to restrict them
- Address internal or external involvement in the breach
- Re-image system
Once you’re confident that hackers won’t be able to breach your systems again, you’ll be eager to get your systems back up and running again. But it’s a good idea to continue monitoring affected systems for a while, at least.
5. Damage control: Managing the impact on your brand and reputation
Don’t delay communicating with employees, suppliers and customers whose data was compromised during the breach. The earlier they are informed, the better their chances at preventing losses due to the fraudulent use of their data. Of course, you still need to consult with law enforcement about timing your announcement so that it doesn’t hinder their investigations.
Since your communications and support for those affected can determine whether your business survives or not, a comprehensive plan addressing all stakeholders and audiences is essential.
Concealing or withholding details that might have helped individuals or businesses safeguard their information will not win you any friends. It’s not advisable to publicise information that might put them at further risk.
The best approach is to keep things honest and straightforward. Start by accepting responsibility. Then, use clear, simple language to explain the situation. Our checklist will help you ensure you don’t miss any of the important points:
Cyberattack communications checklist
- Describe how the breach occurred
- Provide a catalogue of the stolen data
- If you know how the criminals are using the data, warn those affected
- Detail what you are doing to make things right and prevent a recurrence
- Advise those concerned about what they can do to protect themselves
- Invite people to get in touch with your business
If you can address concerns and minimise frustrations from the outset, you’ll save your business a lot of time and money later on. That’s because when you not only anticipate people’s worries and questions but also respond to them as they arise, they feel that you have the situation under control and their best interests at heart.
Unsurprisingly, email is often the communications channel of choice, but consider complementing those messages with a hotline and/or prominently positioned information on your website.
Just be sure to provide clarity about when and where you’ll provide updates. This helps victims to avoid phishing scams by criminals pretending to be from your company. If you plan to post all updates on the website, say so. If you’ll never contact anyone by phone, ditto.
6. Object lessons: A breach is the best teacher
Unfortunately, you can’t be sure that the cyberattack you are now putting behind you will be the last time criminals attempt a hack. Analysing and documenting everything you’ve discovered about your breach will offer important insights into your systems’ weaknesses as well as the flaws in your response.
Incorporating what you’ve learned into improving both your defences and your response plan are the first step towards an incident-free future.
Cyberattack learnings checklist
- Establish what changes you need to make to improve security
- Assess whether staff need more or different training to recognise threats
- Understand the vulnerability that led to the breach and how you can ensure it isn’t exploited again
Get a partner to watch your back
As the saying goes, prevention is better than cure. But keeping up with hackers’ constantly evolving tactics is no easy task, especially when you have your hands full with your business. At Digimune, we specialise in developing ahead-of-the-curve solutions that provide outstanding protection.
And if the worst comes to the worst, we’ll be there to ensure a cybercrime is not a permanent setback to your business’ success.
Browse Digimune’s services to find out more about how we can help you repel cybercrime.