Cyberattack Next Steps

Getting hacked can be a scary time for a business, many people don’t know what to do or even where to begin. 60% of small businesses that suffer a cyber attack close down within 6 months. The average cost of a cyber attack is about $3.62 million globally. How you manage the cyber attack will be very important in preventing it from negatively affecting your business to a point of no return. Here are some of the key things you want to do to in order to to respond effectively if your company falls victim to cyberattack.

Pre Hack

Cyber Insurance: Having good cyber insurance is one of the best things to do to ensure that you aren’t wiped out by a bad data breach. Cyber insurance provides financial assistance for many of the costs associated with a data breach and it can greatly reduce the financial burden on your company. There are several forms of cyber insurance for different types of costs, so be sure to pick the right ones for your business concerns.

2 Factor Authentication: I would estimate about 90% of instances where an account has been hacked would be resolved if 2FA was being used on the account. It’s significantly easier for a hacker to get your account password than it is for them to get the code that is being sent to your phone when they attempt to login. Additionally, if you ever get a text message when you didn’t try to login, it acts as an alert that your account may have been hacked and you need to reset your password.

Good Password Policies: Weak passwords are one of the most common weaknesses that cause accounts to be hacked. Weak passwords can be guessed by modern software in less than a few hours and it is a very simple attack for many hackers. Fortunately, it's fairly simple to fix, you just need to ensure you have a good password policy and have a close look at the passwords being used by privileged users in your company.

Apply Security Patches: One of the most common places that vulnerabilities are introduced is through out of date software. To avoid this, you should keep track of the security patches released for any software you are using and have those patches applied as soon as possible.

Have Security Testing once per year: In order to ensure that your company is resilient from potential cyberattacks, you should have an overall test of your company's security posture at least once per year. This is the best way to identify any weakness that you missed from the point of view of someone that wants to hack into your company. You can do this through professional penetration tests or you can crowdsource it through bug bounty programs.

Mid Hack

Isolate any Infected Accounts and Machines: Once a hack has happened, the first thing you want to do is contain it. This means to prevent it from spreading to any other systems or compromising any other accounts. Say for example someone in your company clicked on a link in a phishing email, this link downloaded malware on their computer and tricked them into giving up their login information for a company account. To contain a situation like this, you want to deactivate the account whose information was stolen and then isolate the infected machine by disconnecting it from the company network and the internet. This prevents the machine from spreading the malware to any other machines on the network, from sending emails to other employees and keeps the malware from receiving instructions from the hacker via the internet.

Identify Notification Requirements: Whenever a data breach occurs you are required by law and regulatory bodies to notify affected parties. This includes regulatory bodies(dependent on which industry you are in), regional privacy commissions, your affected customers and third party vendors that may be affected due to a breach at your company. It’s important to look into these different categories and ensure the right people are notified. Many times there will be deadlines that you need to meet for notifying each party. It's important to know what those are so you don’t miss the deadlines.

Identify Root Cause and fix the Vulnerability that caused it: Once you have the situation contained, you want to fix the vulnerability that allowed for the hack to happen. This may mean updating a firewall policy, changing and improving account passwords, updating a piece of software etc.

Bring in outside help if Necessary: You should bring in outside help if the situation is too difficult for you to control. You can pay companies that specialize in incident response to come in and assist in recovering from a cyberattack, alternatively you can have these companies on retainer. Having a company on retainer means you pay the company a fixed sum for a specified amount of access to their services. For example you may pay 20K a year and have access to 150 hours of incident response support per year.

Post Hack

Perform clean wipes of your computer systems: It’s best to perform clean wipes of any computer systems that were compromised. Restore them back to the last clean backup that you have before integrating them back into your network or connecting them to the internet.

Perform Computer Forensics: It’s best to perform computer forensics if you had a really bad breach or suspect that the actor may have performed actions that weren’t contained. This investigation will seek to understand what the attacker did while on the computer such as creating new accounts, installing malware etc. This way you can be as sure as possible that you got rid of any infection to your network.

Offer Customer/Client aid: If any of your customers or clients were negatively affected by this situation, such as having their information stolen. You want to offer them services to help them deal with any problems that may come up. A common service companies offer is free credit monitoring for affected customers. In order to retain as many customers as you can and to save your reputation you want to provide as much support as you can to your customers.

Update the Media: Make sure to update the media, customers and regulators once you have the situation under control. Be sure to reassure them that the situation has been contained, provide them with a means to contact you for further information and if needed be able to state what steps you took to resolve the situation.

Restore Services: Once you are sure that you have the situation contained, reset any compromised accounts and removed malware off of any infected systems then you can go ahead and integrate them back into the company.