Preparation not only prevents breaches, but also minimizes the impact of a breach on your business operations. Here’s what to do if you’re in the midst of a breach.
Experts say it’s no longer a question of if you will be hacked, but of when you will be hacked—and how quickly you can recover to resume operations makes all the difference. After the initial shock, you must act to minimize the effects of a data breach. How your team handles the aftermath of an incident impacts customer trust as well as the overall rate of recovery. Take the time to review your current mitigation efforts and business continuity plan now, before you’re in crisis mode.
The Reality of Cyberattacks: It Could Happen to You
Hackers commit several types of cybercrimes, including crimes of convenience—i.e. scanning for and targeting vulnerable endpoints, targeted attacks as a form of “hacktivism,” and those for financial gain and fame. Keep in mind, no organization is exempt.
For instance, San Francisco’s rail system experienced a ransomware attack in November of 2016. The attacker shut down the network running the transportation system and demanded thousands of dollars to provide the decryption key. Luckily, the rail system was able to gain access to its systems without paying the ransom and had prepared for such an incident using data backups.
Findings from a 2016 Kaspersky Lab report, “Measuring the Financial Impact of IT Security on Businesses,” indicate that over the past year, 34% of U.S. companies faced impactful cybersecurity events. Over three-quarters of businesses, (77%) admitted to facing one to five unique events involving data loss or exposure. According to a SANS Institute survey on the current threat landscape, released in September 2016, the top threats in the U.S. include phishing, ransomware, and advanced persistent threats (APTs). The most common entry points include email attachments, email links, and browser downloads. Companies of all sizes discover most threats (54%) through endpoint security tools. Help desk tickets account for 49% of discoveries. Intrusion detection and prevention alerts at the gateway, log reporting and reviews, and activity monitoring also contributes to threat discovery.
While large corporations often experience more targeted and high-profile attacks, half of small and mid-sized businesses faced security breaches over the last year. Here’s what we’ve learned from their experience:
Take These Steps First to Minimize the Effects of a Breach
Organization, communication, and leadership play key roles in the recovery process. When these three principles align, companies can rapidly to address any cyber threat. Depending on the stage of the attack, your business may have an opportunity to take immediate action to stall the attack or to minimize the effects of a completed breach.
- Implement your communication plan. Notify everyone who may play a role in the recovery process, including senior leaders, IT personnel, cybersecurity consultants, and legal advisors. You should have clear roles for each member of your response team to communicate and make decisions. Move quickly to identify and communicate with all stakeholders, employees, and the local community. Failing to provide timely communication can create distrust and decrease morale. Work with your legal advisors to understand what you should and should not share with the public during the stages of recovery.
- Investigate and stop the attack progression. Direct your IT department and cybersecurity specialists to gather information regarding the assault. Comb logs for suspicious activities, identify breach points and determine if and what kind of information was stolen.
Detect and shut down any lingering suspicious activities by locking down user directories to prevent file execution using group policy objects (GPO) or third-party tools, for instance. The infected endpoint will need to be patched or have the malicious software removed to ensure the machine will not re-introduce the infection once it’s back online. The technical analysis of the attack will drive all future communications and recovery activities.
3. Keep records, logs, and information associated with the attack. Secure all evidence of the attack, including logs, electronic paper trails, gateway information, and the recovery process. Maintain transparent records of every action taken to protect the company from similar events in the future. You should retain evidence of your infected system for law enforcement agencies.
4. Report the incident to the federal government, if applicable. Under the U.S. Cyber Incident Coordination Policy, organizations must report cyberattacks if they compromise national security, foreign relations, public health, or other sensitive data losses.
- Remember the business’s core principles. At some point, you may encounter a new area of contention regarding communication or other response measures. Use foundational principles to guide decision making in difficult circumstances.
6. Update training, educational materials, and disaster recovery plans to reflect lessons learned. Every identified attack, successful or not, represents an opportunity for improved cybersecurity. Learn what to do next from threats encountered in the past. Trade attack information with similar organizations to identify niche best practices, and involve all employees in cybersecurity training and support moving forward.
Caution: If you’re debating paying the ransom as a late resort, consider the impact and value of losing your data no matter what. Even if you pay, it does not guarantee that you’ll be able to restore your original data, as many attacks destroy information.
In the aftermath of a hack, minimize the effects of what has happened, but also focus on what could occur in the future.
Prevent Additional Breaches
Companies need access to cybersecurity resources that match or exceed the abilities of hackers to address mounting threats of cyberattacks. Secure data management, segmented network architectures, employee training, encryption practices, and secure managed hosting can all reduce risks associated with hacks. While many companies focus on one aspect of cybersecurity, all components must work in concert to intercept malicious activity.
If you have concerns regarding the security of your network, contact an OnRamp expert to discuss your options. Remember, prevention is always your best bet.
Additional Resources on This Topic: