Cyberattack Response Best Practices

If you are one of the lucky few who has avoided a cyberattack, now is the time to prepare for the day one comes along. We know from experience that having solid strategies for properly responding to a cyberattack plays an important role in reducing the damage these attacks wreak on businesses, as well as the fallout affecting your reputation after the event. Some of us can forgive a business that has fallen victim to a cyberattack (providing they have not been negligent) because it can happen to anyone. But rarely do we forgive a business that botches its response or, worse, tries to cover up the attack and fails to inform its consumers or clients. While avoiding attacks is the goal, there is no such thing as perfect security. How you respond in a crisis helps determine the future of your organization. With that in mind, let's take a look at some best practices.

How NOT To Respond To A Cyberattack

In this article we cover the key fundamentals of a proper cyberattack response, but let's begin with some common mistakes that organizations make when they respond to cyberattacks.

  1. Slow to React - If your business is unprepared, it takes far too long to properly react to the incident. This occurs perhaps because of embarrassment, but usually because of panic. Trying to avoid a cybersecurity incident by failing to tackle it head-on can lead to seriously damaging outcomes, where your business tries to downplay the incident or even cover it up. This of course leads to deeper scrutiny from your customers, regulators, and the public when the truth emerges.
  2. Responding Too Quickly - If your business is unprepared, you can find yourself reacting to a serious cybersecurity incident with a knee-jerk shutdown of IT operations. In the process, you may accidentally delete critical evidence needed for the investigation or damage IT assets that you could have recovered. It is important not to compromise any potential investigation before it begins. In this situation, your business will be forced to guess and assume the worst rather than accurately report on the extent of the breach and the damage it caused to your data and IT infrastructure.
  3. Failure to Coordinate - When expectations, priorities, and channels of communication are not properly managed in a crisis, the reporting that feeds back up to senior management can become inconsistent as response decisions are made in a vacuum. This leads to inconsistency in the way you communicate externally in your public and legal notifications. Handle it poorly, and various compliance and legal penalties will result.

Fail to Prepare & You Prepare to Fail
The common theme is that the organizations that made these mistakes were unprepared. They lacked plans and processes to properly respond to an attack, and they failed to communicate both internally and externally after the attack. All of this can be avoided with essential planning and training. It was Benjamin Franklin who first said “By failing to prepare you are preparing to fail,” and this is doubly so when it comes to cyberattacks. While it's always preferable to avoid cyberattacks, you must have a proper cyber incident response plan in place. Not only should you have a plan in place, but you should also practice working through the plan so that you are better able to respond while maintaining business operations. Being ready to respond in a comprehensive and well-thought-out way reduces the overall risks to your business, and it sends a strong, positive signal to your customers. Preparing for a serious cyberattack is not that much different from the preparations you make for other incidents (such as natural disasters) that could damage your business. It also taps into your organization’s operational experience and knowledge. But what should your plan include?

  1. Consider the Incident - Consider what kinds of events should be classified as a cybersecurity incident. For example, if your website is brought down, would that be categorized as a cybersecurity incident? Information theft certainly would be. It's different for every business, and you should develop a response plan for each category of incident.
  2. Consider the ‘Who’ - Draw up an emergency contact list. It's essential that your employees know who makes decisions around the recovery processes should a crisis strike. Decide who will make the determination of whether an event is a cybersecurity incident or not. They also need to know who will initiate contact and liaise with law enforcement.
  3. Consider the ‘What’ - Have a plan that lays out what happens to data in an emergency. This could include locking or shutting down IT infrastructure or migrating data to an off-site backup.
  4. Consider the ‘When’ - Work out when your executives, board, legal counsel, and emergency personnel need alerting to an incident, and what the baseline threshold is. Include everyone concerned, from your service providers and legal representatives to your insurance provider.
  5. Consider If Your Plan Is Sound - Before you can rely on your plan in a crisis, you absolutely need to test its robustness. A great way to do this is to run a mock cybersecurity incident to test your plan and make sure that everyone knows their roles and who is responsible for what. You can include external resources and stakeholders in this exercise too; it lets everyone concerned know that you are serious about planning for a future crisis, and it stress-tests your plan before one occurs.

How Should You Respond to a Cybersecurity Incident?
You are the Chief Executive Officer and you were just told that your business has suffered a potentially catastrophic data breach. The hackers infiltrated your IT infrastructure and exfiltrated data from your corporate servers. They took your customer data, including credit card and personally identifiable information. You need to know what to do next.

First order of business - don’t panic!

The next actions you will take determine how your business is perceived once the incident becomes public knowledge. You must be seen making the right moves. As we established, people can forgive a cyberattack because it happens to the best of us.

You need to move quickly to secure your IT infrastructure and immediately engage a forensic investigation team to help you identify the source of the attack and its cause. This involves mobilizing your cybersecurity team (if you have one) and instructing them to start work on the forensics side of the investigation while the evidence is still fresh. The next step is to mobilize your incident response team, including your legal counsel, forensics specialists, information security professionals, and senior management. Working together, this team will deliver your initial response to the crisis.

  1. Hire a Data Forensics Team - Hiring a third-party forensics investigation team will help you to work out the size, scope, and source of the attack. The forensic team gathers evidence, analyzes it, and outlines your remediation steps. The forensic team and your legal counsel will advise you on how to proceed with your response and disclosure of the breach.
  2. Notify Law Enforcement - Report the incident to your local law enforcement if recommended by your legal counsel. The quicker they know, the more they can do to help. If you find that the local police are not experienced with data breaches, notify your local FBI office.
  3. Secure Physical Access - You never know if a breach stemmed from an insider threat. Secure areas potentially related to the attack and restrict access to them until the forensics team and law enforcement let you know you can resume regular operations.
  4. Prevent Additional Data Loss - You shouldn’t shut down any systems until your forensics team tells you to, but you need to be closely monitoring potential infiltration points to see if the attackers still have access. Force password resets for the users who had access to the compromised system. If the attackers used stolen login credentials, this denies them further access.
  5. Conduct Interviews - Quickly interview the employees who first discovered the breach while their memory is still fresh. Let your staff know where to forward information that may help and document absolutely everything from interviews and conversations.
  6. Don’t Destroy Evidence - This may go without saying, but do not destroy any forensic evidence while you investigate and remediate the incident.
  7. Work Out Your Legal Requirements - The majority of states have some kind of cyber breach legislation requiring you to notify stakeholders and the state government following a data breach. There may also be other regulations you need to follow. Check federal, state, and compliance regulations to see which apply to your business.
  8. Notify Affected Organizations - If any other businesses have been affected, notify them. This includes your bank, financial services partners, and the credit bureaus that can monitor your accounts for fraud resulting from the breach.
  9. Notify Affected Individuals - Notify the individuals affected by the breach so they can take steps to ensure their data is not used fraudulently (like freezing their credit cards and credit records).
  10. Designate A Contact - Designate a contact from your organization to release the notifications when appropriate. That person should have all the latest news on the breach, those affected, and your current response activities. You can also give out a toll-free number so those affected can call you for further information.
  11. Engage Public Relations - Work out a public relations plan to properly communicate your response via press releases. This way, you get in front of and ahead of any media reports on the incident. Think about offering those affected free credit monitoring. In general, you will want to clearly articulate what you know about the data breach.
Final Thoughts

Dealing with a cybersecurity incident and data breach is never an easy task. Depending on the severity, you will have to deal with panicked employees, screaming customers, frustrated partners, law enforcement, regulators, and investigators. This can be trying even under the best circumstances. The key takeaway is that you need to be prepared and have a plan in place before the worst-case scenario occurs. Keeping a cool head, implementing your practiced plan smoothly, and communicating clearly can preserve a lot of credibility. Ultimately, everyone wants cool and collected leadership with a plan for navigating through a crisis. Always remember the words of Benjamin Franklin and be prepared to fail, so that when you do, you can fail in the most controlled and graceful way possible.