Devin Partida writes about cyber security and technology. She is also the Editor-in-Chief of ReHack.com.
So the worst has happened. Your business suffered either a cyber attack or a data breach, and now it’s time to react and clean up. Many guides explain what to do before an attack and how to prepare. Afterwards, it’s easy to feel like you’re on your own.
Cyber attacks are inevitable in today’s digital frontier. But that doesn’t mean you shouldn’t plan and prepare accordingly. It’s best to have a proactive strategy in place to deal with events in real time. If you don’t have something established, it’s too late to do so after the hack or breach.
Where do you go from here? How do you secure your systems and data and earn back the trust of your customers?
1. Confirm and investigate
It takes the average company 197 days to discover a data breach and up to 68 days to contain it. That can’t be business as usual.
Step one is to confirm that a breach happened as soon as possible, along with how it happened and what the results were. This should be a cursory investigation to determine the most critical details. You can focus on the nuances later to discover who was responsible, why they might have carried out an attack, or even what they’re planning to do with the stolen information and assets.
If you realize the attack is ongoing, which sometimes happens, you’ll want to skip right to the next step.
Be sure to identify what type of data was stolen or compromised, and what that will mean for your customers. That information will be critical going forward.
2. Take action
If the event is live, you’ll need to make sure you still have access to your systems, applications, or servers. Hopefully you haven’t lost control; if you have, take immediate action to deauthorize or lock out the attackers.
Containment is vital. Doing so requires a real-time and advanced security solution, which would have been in place before an attack or breach. You might also want to contact your service providers to ensure any related platforms are secured.
It’s also a good idea to lock down the affected systems entirely, preventing any further damage, even if this would be detrimental to customer experience.
If the event has already occurred, you’ll want to move on to the next step as soon as possible.
3. Disclose the event
Communication is critical, both with your customers and the proper authorities. While you may not know everything for some time, it’s important to share what you do know. What happened? How did the attackers gain access? What did they steal?
What’s more, your customers want to know what you’re doing about the situation. How are you going to fix the problem or exploit to prevent it from happening again? Were you already using smart measures like data encryption that limit what attackers can do with the leaked data? What are you planning to do for the customers and clientele that were affected?
You’ll also want to make sure that the appropriate agencies are notified. Some states and municipalities require specific actions to be taken and also dictate what you need to disclose to the public about the event.
The faster and more detailed the communication, the better it will be for your company’s reputation and consumer trust. Many organizations have tried to limit or prevent this information from leaking to the public, which often ends in disaster.
4. Monitor your networks
Even after the attack, there’s a chance the involved parties might return for round two. This is especially true if you don’t remedy the exploit or vulnerability they used to gain access. Therefore, you and your team must continue to monitor the network, systems, and data to ensure no unauthorized users are connecting.
What can make this tricky is when an attack was carried out through a legitimate user profile or account, like when employee passwords are compromised. If that happens, it’s best to disable the related account immediately and keep it locked down for some time after. It’s better to be safe than sorry. You should also push a company-wide password reset, and enable two-factor authentication wherever possible.
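The monitoring described in this step can be turned into a concrete check. The Python below is an added example, not code from the author or from any product; it assumes a constructed, simplified authentication-log format (timestamp, user, result, whether MFA was used, source address) and looks for two things after the response actions above: any successful login by an account that was supposed to be disabled, and any successful login without MFA once two-factor authentication has been mandated. The log lines, account names and addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed log format for this example; a real system's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    success: bool
    mfa: bool
    src: str


def parse_auth_log(lines):
    """Parse log lines into AuthEvent records; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format, ignore it
        events.append(AuthEvent(
            ts=datetime.fromisoformat(m["ts"]),
            user=m["user"],
            success=(m["result"] == "success"),
            mfa=(m["mfa"] == "yes"),
            src=m["src"],
        ))
    return events


def post_lockdown_findings(events, locked_accounts, lockdown_at, mfa_required_at):
    """Return (timestamp, user, src, reason) tuples for logins that violate
    the post-breach controls: locked accounts must not authenticate at all
    after lockdown_at, and every login after mfa_required_at needs MFA."""
    findings = []
    for e in events:
        if not e.success:
            continue  # failed attempts are noise for these two checks
        if e.user in locked_accounts and e.ts >= lockdown_at:
            findings.append((e.ts.isoformat(), e.user, e.src,
                             "disabled account still authenticating"))
        if not e.mfa and e.ts >= mfa_required_at:
            findings.append((e.ts.isoformat(), e.user, e.src,
                             "successful login without MFA after mandate"))
    return findings


# Constructed sample log: jdoe is the compromised account, locked at 09:00 UTC;
# MFA became mandatory at 10:00 UTC.
SAMPLE_LOG = [
    "2024-05-01T08:55:00+00:00 user=jdoe result=success mfa=no src=203.0.113.7",
    "2024-05-01T09:10:00+00:00 user=jdoe result=failure mfa=no src=203.0.113.7",
    "2024-05-01T09:30:00+00:00 user=jdoe result=success mfa=no src=203.0.113.7",
    "2024-05-01T09:45:00+00:00 user=asmith result=success mfa=yes src=198.51.100.4",
    "2024-05-01T10:05:00+00:00 user=bwong result=success mfa=no src=198.51.100.9",
    "this line is not in the expected format",
]
LOCKED_ACCOUNTS = {"jdoe"}
LOCKDOWN_AT = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
MFA_REQUIRED_AT = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def run_sample():
    """Run both checks over the constructed sample log."""
    events = parse_auth_log(SAMPLE_LOG)
    return post_lockdown_findings(events, LOCKED_ACCOUNTS, LOCKDOWN_AT, MFA_REQUIRED_AT)


if __name__ == "__main__":
    for ts, user, src, reason in run_sample():
        print(f"{ts} {user} from {src}: {reason}")
```

On the sample, the 09:30 login by the locked account is flagged (the disable either did not take effect or an existing session was never revoked), as is the 10:05 login without MFA; the earlier pre-lockdown login and the MFA-backed login are not. Timestamps are parsed with explicit UTC offsets so comparisons against the lockdown times are unambiguous.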
It is possible the attack came from within the company, as well. According to Verizon’s Data Breach Investigations Report, internal bad actors are responsible for 30% of attacks, while partners are responsible for about 2%.
5. Triage and further analysis
Finally, you’ll want to tap into all available resources to begin an extensive analysis of the event. This is where you’ll learn some of the finer details about the attack, which should be used to inform future security protocols and measures. You should take your time with this stage of the process to ensure you don’t miss any details in the fog of war.
Everyone involved should have a strong background in IT and cybersecurity, and they should be able to contribute valuable insights to the investigation. If you don’t have the talent available within your team, you’ll want to hire an experienced third party for the assessments.
Some things you’ll want to explore during this phase are:
- What was the extent of the damage?
- Have you identified the cause, and has it been patched?
- Were the appropriate parties dealt with, especially inside jobs?
- What can you do in the future to prevent similar attacks?
- Why did the vulnerabilities exist?
- How did your existing security solutions fail? Where could they be strengthened?
- What were the response times?
Time is money, so don’t delay
The longer you wait to investigate, react, and respond to a breach, the more damage you’re going to incur. Moreover, you need to disclose what information you have available as soon as possible. Consumers don’t look kindly on companies that try to sweep this information under the rug, and that’s not a viable strategy for securing and rebuilding trust.
As scary as it is, the people affected need to know so they can take the proper precautions, just as you are doing.
The opinions expressed within this piece reflect those of the author.