If you run a small business (or even a large one), you probably spend a significant amount of time thinking about how to protect yourself from cyberattacks.
But let me share a secret with you: in many cases, how you respond to an attack after it has happened is just as important as – and perhaps more important than – the cyberdefenses you have in place. Even the most advanced cybersecurity systems do not offer 100% protection, and the fact is that you are going to get hacked at some point.
In this article, we'll look at the key steps you need to take following a cyberattack.
Developing an IR Plan
The first point to make is this: that all of the steps below should already appear in your incident response (IR) plan. I understand, of course, that if you are reading this because you’ve just been hacked and don’t know what to do, pointing out that you should already have a plan will not be very useful.
Nevertheless, it’s crucial that all businesses develop a detailed IR plan for responding to cyberattacks, and there are plenty of resources out there that can help you do so. The NIST Computer Security Incident Handling Guide (SP 800-61), the gold standard for guidance in this regard, specifies four areas that should be addressed in this plan:
- Preparation – Planning in advance how to handle and prevent security incidents
- Detection and analysis – Encompasses everything from monitoring potential attack vectors to looking for signs of an incident, to prioritization
- Containment, eradication, and recovery – Developing a containment strategy, identifying the hosts and systems under attack, mitigating the effects, and having a plan for recovery
- Post-incident activity – Reviewing lessons learned and having a plan for evidence retention
These principles can also be applied to the way in which you respond to a cyberattack.
Further reading Designing a Ransomware Response Plan
How to Respond to a Cyberattack
Every cyberattack and every organization is different. However, it’s possible to outline a fairly standard set of responses to cyber-incidents. Here they are.
The first step in responding to a successful cyberattack is to iterate the lessons you’ve learned from the recent attack back into your IR planning. Once you’ve identified how you were hacked, you should take immediate steps to disseminate these lessons to all relevant staff groups. In particular, you should ensure that all staff know how to protect your business, and are aware of the importance of setting a strong password.
2. Communication and Delegation
Next, you should immediately inform every relevant staff member that an attack has occurred. This will certainly include technical teams, but it should also extend to your customer service teams, who may have to field some complicated requests and complaints over the coming few weeks.
Secondly, assemble a team that is able to carry out the steps below. Appoint a team leader who will have overall responsibility for responding to the incident, and make sure that this team is protected by using a VPN to encrypt their internal communications at all times.
This IR team should work to uncover the source of the attack or leak. This process is technically known as “attack forensics”, but in reality can be a lot less complex than that name suggests.
For most organizations, most of the time, this step will involve scanning file systems for malware, and identifying what type of infection you have fallen victim to. You should then immediately update how your phishing filters work in order to avoid the immediate reinfection of your systems.
4. Contain and Recover
The next stage of incident response is to contain any further damage that might have been caused by a successful attack. A security incident – especially one caused by malware – is like a forest fire, and unless you take steps to contain it, it can easily spread and cause further damage.
You will need to perform system/network validation and testing to certify all systems as operational. Recertify any component that was compromised as both operational and secure, and don’t bring crucial components back online until you are positive they pose no further threat.
5. Stay Up-to-Date with All Your Security Systems
It is pointless to have a security system in place that you won’t keep up-to-date. However, this is something we see pretty often. The capability of attackers is increasing regularly and scams continue to evolve, which means you always need to have the latest release of definitions or software to stay protected.
This goes not just for your company-owned mobile devices, but for all the available technology in the office. Numerous case studies in web application design have revealed the best practices for how web applications can be kept more secure from hackers. This includes making it so that your web applications will run with the fewest-possible privileges to reduce vulnerabilities, and avoiding third-party themes and plugins.
6. Assess the Damage
Once the smoke starts to clear, it’s time to assess the damage. You should take a holistic approach to this, in order to capture the full range of consequences of a successful attack. Further, you should also review the pros and cons of launching a full-fledged cyber attribution investigation, which will help to protect you against similar threat vectors in the future.
Don’t just look at the cost of a data breach to your business, but factor in the monetary consequences of any extra systems you put in place as a result of the hack; at a time when business debt is rising, added expenditure on cybersecurity systems is often the most damaging outcome of an attack.
The Bottom Line
As we've pointed out elsewhere, staying safe from cyberattacks, and particularly staying safe from phishing, requires constant vigilance. However, you should also recognize that getting hacked is not – necessarily – a sign of failure. Instead, remember that all organizations get hacked and that the mark of success is what you do afterward. Respond well – as we've shown you above – and no one will blame you for falling victim to a breach. Just don't let it happen again.