Today, cybersecurity is vital to the safety and security of your company and its data. Developing a proper risk assessment strategy for cyberattacks is about as necessary as breathing. Not only can an incident get you in a lot of trouble with your customers, lowering your reputation, but it can also get you into legal trouble with government and regulatory officials.
But breaches can and do happen. You might as well expect to experience at least one at some point during your business career. Nearly 1.4 billion records were exposed across 686 total breaches between January 1 and March 31, 2018.
While many professionals focus on the preventative side of cybersecurity, it’s just as essential to outline a plan for what happens during and after an incident. The faster you respond to a breach or attack and regain control, the better off you’ll be.
Here are some ways to respond to a cyberattack and make the best of any incidents you may encounter.
Mobilize Incident Response
As soon as an incident is discovered, assemble your incident response team. You should already have a team developed and ready to go before you encounter any issues. Decide who will make up the team and what the ultimate goal will be.
Typically, a response team includes technical crews to investigate and deal with the problem, HR professionals to handle employee impact, data protection experts to understand what was affected and how, and intellectual property or legal experts to help with the regulatory side of things. Then, of course, you’ll want someone to handle PR for the sake of managing public perception.
The plan should be to assess what happened and consider all the necessary actions to remedy the breach. This process includes notifying your insurer of the breach, covering legal requirements, informing customers and clients, and so on. A patchwork of laws and regulations requires specific action in regard to cybersecurity incidents. It’s important not only to understand your responsibilities, but also to ensure that regulatory policies are followed in the aftermath of an attack.
Contain the Breach and Secure Your Systems
Many cyberattacks are prolonged and happen over an extended period. By the time a breach is discovered, it may have been leveraged for weeks — even months — beforehand.
The first step is to contain the problem and regain control of your systems or network. To achieve this goal, you may need to suspend network connections, at least temporarily. Doing so can be disruptive for operations, yes, but it can also save you time and money — especially if the attack is ongoing.
Determine what systems or devices were compromised and whether or not you can trust said systems any longer. A machine may need to be factory reset, for example, to eliminate any possibility of future tampering. It helps to have a comprehensive monitoring system that can detect network intrusions and pinpoint what users or devices are unauthorized on the network — most enterprise-level networks have some form of this tool.
Leave No Stone Unturned
Once the network is secure and the breach has been contained, you must conduct a thorough investigation into what happened, why and who was involved. Such an investigation is necessary to understand the real impact of an incident. It’s only when you know what data or systems were affected that you can truly understand the ramifications of an attack.
For instance, customer information like social security numbers, credit card and billing details and even addresses may have been stolen, which means it’s necessary to inform customers and provide some form of identity protection. But if, say, employee information is affected, you’ll need to take a different approach.
If employee involvement is an issue (insider threats account for nearly 75 percent of all security breach incidents), it’s essential first to consider labor laws and consult with HR before taking action. You may also want to consult with legal professionals in regard to pursuing legal action.
Through all of this activity, both your incident response and investigation teams should be documenting everything that happens. It may or may not be a requirement for regulatory proceedings, so it’s better to be safe in this regard.
Many regulations and frameworks, like the National Institute of Standards and Technology Cybersecurity Framework, along with customers, want to see how a company or business responds to a major incident after the fact. Does it, for instance, take action to ensure a similar breach doesn’t happen again? Or does it continue following troublesome and risky behavior?
One of the most common problems that arise during a data breach is that sensitive information is stored unsecured, with no encryption used to protect the raw data. A suitable plan of action after a breach would be to begin using encryption and more advanced data security policies to ensure stolen information cannot be leveraged so easily.
Remember, dealing with incidents is as much about the response and follow-up as it is about the preventative matters. If you want to make the best of a cybersecurity incident or breach, you need to be prepared.