
What To Do If You Discover That Your Business Has Been Hacked


You might be here because the unthinkable has happened, so let’s get straight into this.

 

Immediate containment

Secure your network to avoid additional damage or data theft. Assemble your business continuity team, as well as your IT and/or data security team/provider, immediately. If compromised credentials are discovered, immediately change all passwords and access permissions until the incident is resolved.

Determine the point of entry for the security breach. This will provide you with a starting point for your containment and repair efforts. Was it a drive-by attack, in which malicious scripts were added to a website in order to gain access to confidential documents – and if so, can you identify what was compromised? Was it a spear-phishing attack, and if so, what data was compromised? Was this breach initiated by a disgruntled former employee, and if so, what information did they gain access to?

Once the source and nature of the cyber attack have been determined, you can take steps to further secure your data and prevent further theft or damage. This may require you to isolate a portion (or the entirety) of your network, including shutting down and replacing compromised hardware, as well as implementing temporary firewalls. You may need to contact your ISP to request that certain sources of traffic be blocked.

Locate a robust automated security solution that provides comprehensive alerts and actionable insights, so that you can examine its reports further and quarantine any malware, which must be removed from your system as quickly as possible to avoid further damage.

This can be disruptive, and it will almost always cost your business time and money, but it must be completed quickly. Identifying the source of the security breach is critical for determining how to proceed and where to focus your efforts first.

Collect evidence as you carry out containment tasks. This may be necessary if speaking with law enforcement, filing an insurance claim, or facing criminal charges.
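One way to keep collected evidence defensible, as an added example that is not part of the original article: hash every collected file into a manifest at collection time, then re-check the manifest before handing the material to law enforcement or an insurer. The function names, case ID, collector name and sample log line are assumptions constructed for illustration.

```python
import hashlib, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk or memory images do not exhaust RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collector, case_id):
    """Record hash, size and modification time for every file under evidence_dir."""
    root, entries = Path(evidence_dir), {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {"case_id": case_id, "collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "files": entries}

def verify_manifest(evidence_dir, manifest):
    """Return {path: reason} for files that are missing, altered or unlisted."""
    root, problems = Path(evidence_dir), {}
    for rel, meta in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != meta["sha256"]:
            problems[rel] = "hash mismatch"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["files"]:
            problems[rel] = "not in manifest"
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample evidence; a real collection holds logs, images, exports.
        Path(d, "auth.log").write_text("Failed password for admin from 203.0.113.7\n")
        manifest = build_manifest(d, collector="j.doe", case_id="IR-EXAMPLE-001")
        print(verify_manifest(d, manifest))  # an untouched collection reports no problems
```

Store the manifest outside the evidence directory, ideally on write-once media, so that it cannot be altered together with the files it describes.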

 

Notify stakeholders

You may be required to notify critical stakeholders, such as customers, employees, investors, and other business partners, depending on the circumstances. You should consult with your legal team to determine your notification obligations as soon as possible. When necessary, engage your marketing leaders to assist you in developing appropriate internal and external messaging.

 

Notify law enforcement

Who you should contact is determined by the location of your business. However, you should begin with your local police. They will then inform you of any additional breaches that should be reported on a national level and possibly beyond.

If you live in the United States, there is an excellent article on the National Cybersecurity Alliance website that details how to do this. If you live in the United Kingdom, you can immediately report it to the police by dialing 101 or by visiting the national Action Fraud website. Singapore-based incidents should be reported directly to SingCERT. The majority of countries, including France, Germany, Ireland, Australia, and China, have their own reporting websites. A quick search will reveal where you should report your breach, though your first stop should be with local law enforcement, who will be able to direct you.

You may also need to notify your business insurance provider and then contact them again once the crime has been reported.

 

Put your disaster recovery plan into action

A DRP (disaster recovery plan) frequently includes a list of all critical IT networks and systems, prioritized by RTO (recovery time objective): the time within which a business process must be restored, given its importance and service level requirements, in order to maintain business continuity. The DRP should specify priorities and the time period after which any disruption would significantly impair normal business operations. It should also detail the procedures for restarting, reconfiguring, and recovering systems and networks.

It should also include a list of assigned responsibilities and key personnel, as well as a clearly defined owner, and should be printed in physical form to avoid corruption. Finally, the DRP should include information about your data storage systems, such as physical files stored off-site or additional cloud storage, which can help you recover more quickly.

While this is far from ideal, if you do not currently have a disaster recovery plan in place, this is work that you must complete as soon as possible. What is the most critical aspect of your business's operations? What is critical to resuming normal operations first? What backup data do you have that is safely isolated? 

 

Analyze and foresee

Post-attack analysis and remediation will be critical in preventing future incidents by utilizing knowledge gained during the breach. Review your potential attack surface on a regular basis, that is, the points on a network where an attack could occur and where anyone could attempt to manipulate or extract data via a variety of breach methods. Consider adding additional protection to managed databases, enhancing the effectiveness of DSAR, monitoring access levels to identify potential insider threats, implementing DDoS protection to ensure continuous uptime, and implementing automatic API protection. A thorough examination of the attack and how it occurred, as well as the response, including any gaps in staff education, procedures, or your disaster recovery plan, will be critical in preventing this from happening again.

Interpol reports that global law enforcement is confronted with an unprecedented global surge in ransomware attacks and cybercrime. Regardless of size, all businesses must assume they will be a target and must be prepared. While it's easy to be wise after the fact, prevention is far more cost-effective than cure in the event of the unthinkable. If you'd like assistance in developing effective and appropriate security measures to counteract and mitigate any future hack or breach, please contact us. You can also try our Imperva cybersecurity countermeasure solutions for a month for free to see how simple it is to protect your business from malicious cybersecurity attacks that could have a material impact on your operations.
