What to do when your business has been hacked

You might be here because the unthinkable has happened so let’s get straight into this, step by step:

• Immediate containment.
• Inform stakeholders.
• Inform law enforcement.
• Implement your disaster recovery plan.
• Analyze and future proof.

Early warning signs may be unusual user-account behavior, slow speeds, an unexplained rise in DNS traffic, and/or suspicious emails with unusual attachments. You or a colleague may be notified by a supplier regarding a supply chain code issue, or it may be a pop-up announcing you have been infected with ransomware. Whatever the signs, act immediately. Hopefully, you’ve already made preparations for this, so crack open your disaster recovery plan and get started. If you have no plan, here are actions you can still take right now. Speed is critical.

Immediate containment

Secure your network in order to prevent further damage or data theft. If you have a business continuity team, or an IT and/or data security team/provider, assemble them immediately. If credentials are indicated as compromised, change all passwords and access permissions until this is over.

Identify the source of the security breach. This will give you an initial direction from which to begin your containment and repairs. Was it a drive-by attack, where black hat hackers have added malicious scripts to a website to get access to confidential documents – and if so can you identify what was compromised? Was it a spear-phishing attack, and if so what information was disclosed to the attacker? Did this compromise originate with a disgruntled former employee, and if so what did they have access to?

Once you’ve identified the source and type of cyber attack, you can move to further secure your data and prevent further theft or damage. This may mean you need to isolate part (or all) of your network, shutting down and replacing compromised hardware, and implement temporary firewalls. You may need to contact your ISP to block traffic from certain sources.

Find a robust automated security solution that offers comprehensive alerts and actionable insights to further examine reports in order to quarantine any malware – which must be scrubbed from your system as quickly as possible to reduce any further damage.

This can be disruptive, and invariably it will cost your business time and finances, but it needs to be done and quickly. Identifying the source of the security breach is key to knowing how you must proceed and where you act first.

As you are conducting containment tasks, collect evidence. This may be useful if talking to law enforcement, or if an insurance claim will be involved, or if criminal proceedings happen.

Inform stakeholders

Depending upon the circumstances, you may need to notify important stakeholders, like customers, employees, investors, and other business partners. You should work with your legal team to identify what notification obligations you have quickly. Engage your marketing leaders to help you craft appropriate internal and external messaging when needed.

Inform law enforcement

Who you should contact depends on where in the world your business is based. You should, however, begin with your local police. They will then inform you where else you should report the breach, on a national level and possibly beyond.

There’s a great article on the National Cybersecurity Alliance website about how to do this if you live in the US. If you live in the UK you can report it to the police immediately by calling 101, or through the national Action Fraud website. Incidents in Singapore should be reported directly to SingCERT. Most countries have their own reporting website, including France, Germany, Ireland, Australia, and China. A quick search will tell you where you need to report your breach, though your first stop should be local law enforcement who will be able to point you in the right direction.

You may also need to contact your business insurance provider, to place them on notice, and then contact them again once the crime has been logged.

Implement your disaster recovery plan

A DRP (disaster recovery plan) often contains a list of all critical IT networks and systems, prioritizing the RTO (recovery time objective) – the length of time and the importance for service level in which a business process must be restored in order to maintain optimal business continuity. The DRP should detail priorities, and the amount of time before any disruption should seriously obstruct normal business operations. It should also outline the steps needed to restart, reconfigure, and recover systems and networks.

It should further contain a list of responsibilities and key personnel, including a clear owner, and should be printed in a physical form to avoid corruption. The DRP should also detail your data storage systems, such as physical files stored off-site or additional cloud storage, which can improve your speed of recovery.

While far from ideal, if you don’t currently have a disaster recovery plan in place then this is work you need to do now to the best of your ability. What is most important to your business operations? What’s critical to get back up and running first? What backup data have you got securely isolated? Priorities and dependencies.

Analyze and future proof

Post attack analysis and remediation, using knowledge gleaned during the breach, will be instrumental in preventing future incidents. Regularly review your potential attack surface: The points on a network where attacks can occur and where anyone can try to manipulate or extract data using a broad range of breach methods. Consider extra protection for managed databases, increasing DSAR effectiveness, monitoring access levels to identify potential insider threats, DDoS protection to guarantee continuous uptime, and consider automatic API protection. A full review of the attack and how it occurred, and how it was dealt with including any gaps in staff education, procedures, or your disaster recovery plan, will be critical to prevent this from happening again.

According to Interpol, world law enforcement is facing an unparalleled global surge in ransomware attacks and cybercrime. All businesses, regardless of size, must presume they will be a target and must be prepared. While it’s easy to be wise after the event, prevention is better than cure and far more cost-effective if the unthinkable happens. If you’d like help in preparing effective and appropriate security measures to counteract and mitigate any future hack or breach, please get in touch, and try our Imperva cybersecurity countermeasure solutions free for a month, to see how easy it is to keep your business safe from malicious cybersecurity attacks that could seriously affect your operations.