Several of our past blogs have discussed online risks and suggested ways to minimize exposure. But if your company database and online accounts are compromised, what should you do?
This is when already having a response blueprint in place is crucial. Don’t wait for a breach to improvise one; instead, map out an approach in advance and test your readiness with tabletop exercises, coordinated with an outside security supplier if needed. Here are some additional key points for consideration:
- Ramp up. Rely on the expertise of an external cyber response team – but make sure your own internal IT team takes the lead. If you wait until an attack to identify a supplier, it can take two to three times longer to mount an appropriate response. Keeping an expert on retainer is an important investment.
- Be transparent. Once you understand the scope of an attack, share what you know with those affected. You don’t need to paint a worst-case scenario at the get go, but you also don’t want to sound nonchalant. Share regular updates.
- Don’t be too quick to disconnect. The frightening fact is that targeted attacks can span months to years before being detected. Once discovered, the initial response of many companies is to immediately disconnect the system. Yet too often, the criminal can simply infiltrate other areas of the system, creating yet another weak spot. Make sure you understand what’s happening before you react.
- Assume total compromise. Don’t use corporate email to communicate next steps; the interloper may be listening in. Meet in person or by phone call. If you must exchange email messages, use accounts outside the corporate system.
- Preserve all logs. Confirm that all centralized host-based and network-based logs are not only preserved, but backed-up. You don’t need to know how to do this yourself, you simply need to ask about it. If you’re facing a long-standing attack, rolling logs stretching over a year or more may prove particularly valuable.
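The point above is to keep logs in a form that an investigator can later trust. As an added example (not code from the original post), the script below copies a set of log files into an evidence folder, records a SHA-256 hash of each copy in a manifest, and can later re-check the manifest to prove nothing was altered. The directory names and the sample log lines are constructed for the demo and are not real data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample log contents (not real data) used by demo() below.
SAMPLE_LOGS = {
    "auth.log": "Jan 10 03:12:01 host1 sshd[412]: Accepted publickey for admin from 10.0.0.5\n",
    "fw.log": "Jan 10 03:12:07 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=3389\n",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large rolled logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(src_dir, dest_dir):
    """Copy every file under src_dir into dest_dir and write a SHA-256 manifest.

    The manifest is what lets anyone later show the preserved copies are
    byte-identical to what was collected, which is what an investigator asks for.
    """
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "files": {}}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if not os.path.isfile(src):
            continue
        dst = os.path.join(dest_dir, name)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime, useful for timelines
        manifest["files"][name] = {"sha256": sha256_file(dst), "size": os.path.getsize(dst)}
    with open(os.path.join(dest_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_preserved(dest_dir):
    """Return True only if every file in the manifest is present and its hash still matches."""
    with open(os.path.join(dest_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    for name, info in manifest["files"].items():
        path = os.path.join(dest_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != info["sha256"]:
            return False
    return True


def demo():
    """Preserve the constructed logs, verify them, then tamper with one and verify again."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "var_log")
    dest = os.path.join(work, "evidence")
    os.makedirs(src)
    for name, content in SAMPLE_LOGS.items():
        with open(os.path.join(src, name), "w") as f:
            f.write(content)
    preserve_logs(src, dest)
    intact = verify_preserved(dest)
    # Simulate a later change to the preserved copy; the manifest must catch it.
    with open(os.path.join(dest, "auth.log"), "a") as f:
        f.write("Jan 10 03:40:00 host1 sshd[413]: Accepted password for root from 203.0.113.9\n")
    after_tamper = verify_preserved(dest)
    shutil.rmtree(work)
    return intact, after_tamper


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the evidence folder would sit on storage the attacker cannot reach (write-once media or an account outside the compromised domain), and the manifest hashes would be recorded somewhere separate as well, so that the copies can be checked against them later.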
- Learn for the future. Use network forensics to understand every aspect of the attack: what was the initial point of entry? Which internal mechanisms proved most vulnerable? Fix similar weaknesses throughout your network, even if they’re not part of this particular attack.
- Establish a clean slate. Isolate critical systems attacked. Remove infected hosts. Reset credentials.
- Tell someone. Reporting requirements vary based on the data compromised and the states in which the attack occurred (see security breach notification statutes per state). Rely on a public relations expert to help you determine if the breach should be shared with the media as well. You want to avoid any implication of a cover-up. Have a list of Frequently Asked Questions already identified and answered.
- Keep logging regularly. Not only are comprehensive logs an important tool for solving the issues of a breach, they are often what detects a breach in the first place.
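To show how ordinary logs surface a breach, here is an added example (not from the original post) that scans constructed sshd-style authentication lines for a pattern worth an alert: a run of failed logins from one address followed by a successful login from the same address within a short window. The threshold, window and sample lines are assumptions chosen for the demo.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not real data). Timestamps are epoch
# seconds so the example needs no date parsing.
SAMPLE_LINES = [
    (1000, "Failed password for admin from 203.0.113.9 port 51001 ssh2"),
    (1003, "Failed password for admin from 203.0.113.9 port 51002 ssh2"),
    (1005, "Failed password for root from 203.0.113.9 port 51003 ssh2"),
    (1007, "Failed password for admin from 203.0.113.9 port 51004 ssh2"),
    (1009, "Failed password for admin from 203.0.113.9 port 51005 ssh2"),
    (1012, "Accepted password for admin from 203.0.113.9 port 51006 ssh2"),
    (1100, "Accepted publickey for deploy from 10.0.0.7 port 40010 ssh2"),
    (1200, "Failed password for guest from 198.51.100.4 port 33000 ssh2"),
]

LINE_RE = re.compile(r"^(Failed|Accepted) (?:password|publickey) for (\S+) from (\S+) port")


def find_brute_force_logins(lines, threshold=5, window=300):
    """Flag a successful login preceded by >= threshold failures from the same IP within window seconds.

    lines: iterable of (timestamp, message) pairs in time order.
    Returns a list of alert dicts; an empty list means nothing matched.
    """
    failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    alerts = []
    for ts, msg in lines:
        m = LINE_RE.match(msg)
        if not m:
            continue  # lines that are not login outcomes are ignored
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_logins(SAMPLE_LINES):
        print(alert)
```

The rule only works if the authentication log is still being written and shipped somewhere central; a host whose logging was switched off during the incident produces no lines for it to match, which is the failure mode the point above warns about.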
- Clean up. Remove unused, dormant systems, software, accounts and data. This leaves you with fewer points of vulnerability.
Unfortunately, some cyber attacks will require involvement of law enforcement. That adds an additional layer of response. We’ll share more on that in the next blog; be sure to check back!