Cyberattacks cripple company operations, but swift action can reduce damage. Here’s how to respond to a security incident.
Cybercrime comes in all shapes and forms. It can immediately slow networks or send spam emails from your business account. Conversely, you may only learn your business was hacked once fraudulent charges appear on your statement or a third party notifies you. In all cases, acting purposefully and quickly can help you mitigate harm.
Review guidance from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce. These organizations provide instructions for responding to and protecting your business from cyber incidents.
Activate your breach response team
Once an incident is reported, your breach response team should spring into action. According to CISA’s Incident Response Plan Basics, businesses should assign an incident manager to lead the response, a tech manager to serve as a subject matter expert, and a communications manager to handle internal and external communications. They will follow your incident response plan (IRP) detailing various scenarios and corresponding actions. The FTC said, “The exact steps to take depend on the nature of the breach and the structure of your business.”
For instance, Hacked.com recommended different first steps based on the type of breach or attack, such as:
- Ransomware: Isolation is the first step because ransomware spreads across your systems, devices, and networks.
- Data breach: Once cybercriminals steal data, everyone is at risk. You should immediately inform affected individuals inside and outside of your organization.
- Social media account hack: If a social page or profile is compromised, change the passwords and recover the account.
Detect and isolate affected systems and hardware
Detection and isolation are the first things you should do when handling a cyberattack, according to a joint CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) ransomware guide. The best way to contain the infection is by taking the affected network offline at the switch level. If this isn’t possible, you can disconnect the network’s Ethernet cable and any hardwired devices while manually disconnecting wireless devices.
Powering down hardware is a last resort because turning off equipment may remove evidence necessary for a forensic investigation. RedTeam Security also suggested that information security teams “check for backdoors” and, if the compromise originated through a third-party tool, “block all of that supplier’s accounts until they resolve the issue on their end.”
The MS-ISAC and CISA checklist noted that “malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected.” Consequently, it’s vital to immediately switch to non-internet communication channels and prevent employees from chatting about the incident within chat applications or email. If you determine the attack was a social engineering scam through email, notify users to delete messages with the bogus subject line.
Preserve, remove, and restore
Depending on the severity of the incident, your infosec team or a cybersecurity contractor will collect data about the breach. According to Delinea, this may involve collecting “logs, memory dumps, audits, network traffic, and disk images.” After preserving evidence, they should remove malicious code and restore your system to its pre-incident state.
Other potential steps include:
- Patching vulnerabilities.
- Updating software and firmware.
- Resetting passwords.
Inform affected parties and the authorities
Work with your legal department and communications manager to determine who to notify next. Local, state, federal, and international laws regulate how quickly you tell affected parties and what information you disclose. For instance, if the breach included more than 500 personal health records, you must notify the FTC within 10 days after the incident. It’s also a best practice to disclose a data breach to customers as soon as possible after securing your systems and evidence.
Lastly, CISA said federal law enforcement might have ransomware decryptors available. You should contact local, state, and federal authorities to report the incident and see if assistance is available. If you have cyber insurance or managed services, inform your agent or company contact of the attack or data breach.
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.