If you do not have a cyber response plan, this article gives you practical steps to follow if you suffer a cyber attack.
Identification and resolution are the two priority tasks.
Indications that an issue could be occurring:
- computers running slowly
- users being locked out of their accounts
- users being unable to access documents
- messages demanding a ransom for the release of your files
- people informing you of strange emails coming out of your domain
- redirected internet searches
- requests for unauthorised payments
- unusual account activity
Identification: what is actually happening? Information gathering needs to start as soon as an issue is suspected. What you find should be collated and shared with your IT team.
10 crucial questions:
- What problem has been reported, and by whom?
- What services, programs and/or hardware aren’t working?
- Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet?
- What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
- Have your customers noticed any problems? Can they use your services?
- Who designed the affected system, and who maintains it?
- When did the problem occur or first come to your attention?
- What is the scope of the problem, what areas of the organisation are affected?
- Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
- What is the potential business impact of the incident?
Stop the incident getting any worse
Look at your security software (antivirus alerts, for example) and your server and audit logs: can you identify the specifics of the attack and its likely cause?
If you know which device has been affected, take it offline, run a full scan with your antivirus program and keep notes of the results. Disconnect it from the network rather than powering it off, so that evidence you may need later is not lost.
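A small worked example of that log review, added here and not part of the original article: it parses a few constructed sshd authentication log lines (a made-up host name and RFC 5737 test addresses) and pulls out the facts the questions above ask for: when it started, which hosts are involved, which source addresses were hammering which accounts, and whether a login succeeded after a burst of failures (a sign the attacker got in, not just tried). The failure threshold and the log format are assumptions; adapt both to your own systems.

```python
"""Triage of sshd auth log lines for brute-force and lockout indicators (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines: host and addresses are made up for the example.
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 08:01:13 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 08:01:15 web01 sshd[2214]: Failed password for alice from 203.0.113.9 port 51030 ssh2
Mar  3 08:01:16 web01 sshd[2214]: Failed password for alice from 203.0.113.9 port 51030 ssh2
Mar  3 08:01:18 web01 sshd[2214]: Failed password for alice from 203.0.113.9 port 51030 ssh2
Mar  3 08:02:40 web01 sshd[2230]: Accepted password for alice from 203.0.113.9 port 51044 ssh2
Mar  3 08:05:02 web01 sshd[2301]: Accepted publickey for bob from 192.0.2.20 port 40112 ssh2
Mar  3 08:06:11 web01 sshd[2310]: Failed password for bob from 192.0.2.20 port 40120 ssh2
"""

# Matches the standard syslog-style sshd success/failure lines used above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_lines(text):
    """Return one dict per recognised login attempt, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, fail_threshold=3):
    """Summarise who was attacked, from where, and whether the attacker got in.

    fail_threshold is an assumed cut-off: a source with at least this many
    failures is flagged, and any later success from it is treated as suspect.
    """
    failed_by_source = defaultdict(int)
    users_by_source = defaultdict(set)
    success_after_failures = []
    hosts = set()
    for e in events:
        hosts.add(e["host"])
        if e["result"] == "Failed":
            failed_by_source[e["src"]] += 1
            users_by_source[e["src"]].add(e["user"])
        elif failed_by_source.get(e["src"], 0) >= fail_threshold:
            # A successful login from a source that was guessing passwords.
            success_after_failures.append((e["ts"], e["src"], e["user"]))
    flagged = sorted(s for s, n in failed_by_source.items() if n >= fail_threshold)
    return {
        "first_seen": events[0]["ts"] if events else None,
        "hosts": sorted(hosts),
        "failed_by_source": dict(failed_by_source),
        "flagged_sources": flagged,
        "targeted_accounts": {s: sorted(u) for s, u in users_by_source.items() if s in flagged},
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    summary = triage(parse_auth_lines(SAMPLE_LOG))
    print("First seen:      ", summary["first_seen"])
    print("Hosts:           ", ", ".join(summary["hosts"]))
    for src in summary["flagged_sources"]:
        print(f"Flagged source {src}: {summary['failed_by_source'][src]} failures "
              f"against {', '.join(summary['targeted_accounts'][src])}")
    for ts, src, user in summary["success_after_failures"]:
        print(f"WARNING: {user} logged in from {src} at {ts} after repeated failures")
```

On the sample input the script flags 203.0.113.9 (five failures against admin and alice, then a successful password login as alice), and leaves 192.0.2.20 alone because a single failure from a source that also uses a key is normal. The flagged address, the accounts it targeted and the timestamp of the first event are exactly what you would pass to your IT team or provider under the questions above; the successful login is the item that should make you reset that account's password and check what it did next.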
In the case of an internet outage, contact your ISP in the first instance; most have a page showing current service availability.
Use the information you have gathered to look for advice online from trusted sources such as police or security websites. Take extra care that any advice comes from a verified and trusted source only.
Externally managed IT: share the information you have identified and work with your provider to resolve the issue where possible. Check your support contract to understand what they are responsible for and within what time frame.
Internally managed IT: working to resolve the issue can include:
- Replacing infected hardware
- Restoring service through backups
- Patching software
- Cleaning infected machines
- Changing passwords
If you lack the internal expertise for complex incidents, consider engaging a cyber security practitioner; make sure they are from a reputable organisation and hold appropriate credentials.
Hopefully you are reading this article before your organisation has suffered any kind of cyber attack, and if that is the case I strongly urge you to stop now and prepare. The secret to surviving an attack is to prepare for it.
The cost of doing nothing?
Loss of ability to operate: the average downtime after an attack or hack is reported as around 21 hours. If the cause is ransomware, this is more likely to be days rather than hours.
Loss of reputation: something that can be lost in seconds with the click of a button, and that can be potentially unrecoverable. 85% of data breaches involved a human element.
Financial penalties: the ICO has issued fines of just short of £40 million in the last 8 months for failure to protect customer information. A breach can also lead to private claims by the customers or employees whose data was not protected.
Failure to win new business: more and more organisations are required to hold accreditations and certifications, and without these you can be excluded entirely from tendering and bidding.