5 steps to take if your business gets hacked

The most important steps to take in the wake of a cyber attack
Whether you’re a small business or a multinational conglomerate, the threat of a cyber attack is potentially ruinous. How you navigate through a hacking incident at your business can be the difference between a speedy recovery and months of legal action, a damaged reputation, and angry customers. 
To that end, I’m going to go over some of the key actions you need to take as a stakeholder when responding to a cyber attack.
1. Accept that your normal work day is over
It’s 4pm and you’re wrapping up the day sending out emails, when you notice something suspicious. Maybe it’s a ransomware popup or a phishing email from another internal email address. Your stomach drops. You think your company’s been hacked. 
It may feel like the world’s ending, but here’s the first rule of thumb: don’t panic. Yes, time is of the essence, but making decisions without thinking them through really won’t help. Take a moment to gather yourself, put the coffee-maker on, and start thinking about how you’re going to take back control of the situation while it’s brewing. Making a knee-jerk reaction could have huge repercussions later on down the line, so it’s crucial to take a moment. 
How you proceed from there depends massively on how the incident is unfolding. If you think you’ve discovered evidence of an attacker while they’re trying to remain hidden, then you need to notify your incident response team so they can begin investigating, collecting evidence, and formulating a response. If you don’t have an incident response plan, check out tip #6.
It’s important to remember that if a hacking group has infiltrated your systems, they could potentially have access to, or even have taken over, your communication systems. It’s not unheard of for intruders to sit on systems for a prolonged amount of time and monitor emails sent to internal security teams for keywords that relate to an intrusion alert. 
So, the clock is ticking, but you don’t want to blow the element of surprise. Your organization should have outlined an out-of-band communication method to raise alerts that isn’t susceptible to monitoring and is resilient even in the face of a total network outage. Not only is this essential for quietly informing the security team that you think something is wrong, but it’s also vital for continuing to coordinate a response if you have to use the nuclear option and completely shut down your network.
It’s a little different if there’s a pop-up on your desktop demanding money and threatening that your files are going to be encrypted. In this situation, the attackers know that you know they’re in your network. They’ve made all the necessary preparations to launch their attack, and now time is really not on your side.
However, even in this situation, you need to take a second. Ransomware attackers often use time pressure tactics to get you to pay the ransom, but their deadlines are often measured in hours or days, not minutes. A big ticking clock counting down to doom is as much a method of psychological warfare as it is a deadline you’re working against. Especially if you’re in a position to make executive decisions, you need to calm down and not make the first move that comes into your head. Do whatever you can to mentally regain control of the situation, acknowledge that what has happened previously cannot be changed, and focus on the task of remediation ahead.
Also, start a timer from the moment you report to your incident response team. I’ll talk more about why that’s necessary in tip #4.
2. Activate your Incident Response Plan
After you’ve taken a moment to clear your head, you need to get to work. Every organization should have a robust incident response plan in place to guide its actions in the event of a cybersecurity breach. 
As soon as a breach is detected, you need to begin activating your incident response plan (IRP). This plan should outline the roles and responsibilities of key personnel, the steps to contain the breach, protocols for communication both internally and externally, and procedures for post-incident analysis and recovery.
The value of the IRP is that it’s well-researched, practiced, and easy to follow. Making decisions while under fire is difficult, so the IRP works as a reference for decisions that were made with a clear head and with the time necessary to carry out detailed research. You should not be writing or rewriting your IRP in the middle of a crisis. Ideally, you should have already held practice incidents that involve the various stakeholders around the business that will need to work together during an incident. 
A hacking attack isn’t just a problem for security, or even IT as a whole: It requires actions from the executive team, from HR, from Legal, and from stakeholders responsible for internal and outbound communications. 
As such, one of the key functions of the IRP is to dictate how talent is assigned from within the business to the incident response teams. Not everyone who is useful in an incident will work inside the IT security sector of your business, but IT engineers may be brought on to help identify anomalies within their areas of expertise according to the type of threat you’re facing.
