You’ve been hacked. Now what?
Cybersecurity is now paramount in the operations of every business. While large hacks, such as the attack on UnitedHealth’s Change Health Care last year and Equifax in 2017, dominate the headlines, cybercrime against businesses is nearly ubiquitous. In fact, small businesses are the target of 43% of all cyberattacks annually. Yet only 14% of small companies even have a cybersecurity plan. Even fewer have cybersecurity insurance.
The most common expression in the world of cybersecurity today is “not if, but when” a cyberattack will happen. While all efforts should go toward prevention, there is little guidance for companies on what to do once systems are breached.
This is a basic, somewhat rudimentary, guide for steps companies can take to address a cyberattack before, during and after the event, compiled from several reputable sources in the sector, including the U.S. Chamber of Commerce, IBM and federal agencies.
Six steps companies should take after a data breach
Develop an incident response plan
While incident response plans (IRPs) are required in some industries and for companies with certain federal contracts, they are recommended for every company. An IRP is exactly what it sounds like — an outline of the steps required to plan for, respond to and recover from a cyberattack. The National Institute of Standards and Technology and private companies like the SANS Institute and Crowdstrike offer free, step-by-step frameworks for developing an IRP. Having a framework of procedures in place can make the difference in discovering and addressing a breach quickly, mitigating the damage and avoiding immense cost.
Determine the type of attack
Once your systems have been breached, it is time-critical to determine what the attackers are or were after. Has data been stolen? If so, what data? What can they do with it? Ransomware attackers generally let the company know they are there, demanding a ransom to return control of the systems to the victim. The response will be dictated by the type of attack. The U.S. Cybersecurity and Infrastructure Security Agency has a guide on how to handle ransomware.
Isolate affected systems, hardware
Among the most challenging aspects of a cyberattack is rooting out the bad guys, finding which systems were struck and removing those systems, computers and other devices from the larger connected network. Powering down hardware is not recommended, because preserving evidence (including volatile memory, which is lost on shutdown) is key to understanding the hack and the vulnerabilities that allowed it.
Go ‘old school’
Hackers may very well be monitoring IT communications and activity, so it’s important to immediately switch from email and chat app communications to in-person meetings. Letting the culprits know what you know could prompt them to better cover their tracks, destroy valuable information or rapidly lock users out of the systems.
Preservation and restoration
At this point, a third-party cybersecurity contractor should have been brought in if the attack is above the internal IT department’s skill level. Preserving logs, memory dumps, network traffic and other evidence is critical to restoring the systems to full working status. Then the work of removing malicious code, applying software updates and resetting all passwords begins. If ransomware is involved, all the data may need to be decrypted, a laborious step. Once the systems are free of the attackers, their files should be tested and, once determined to be safe, the systems can be reconnected to the network.
Inform and communicate
The company’s legal team, internal or external, should by now have informed the proper authorities of the attack. Different states and federal agencies require notification within various time frames following a cyberattack, depending on the type of attack and what data has been compromised. Customers and vendors should also be notified as soon as possible about the attack, especially if their data has been compromised.
By Dustin Walsh
November 14, 2024