Studies show one cyber attack takes place every 40 seconds. In other words, threat actors carry out more than 2,000 attacks a day. Sooner or later you will appear in an attacker's crosshairs, so you need to be ready both to prevent attacks and to respond to them. Here's how to respond to a cyber attack.
To respond to a cyber attack, companies must identify the threat, contain the breach, and notify law enforcement. At the same time, dealing with contingencies (such as removing malware or resetting passwords) is a must. Updating cybersecurity policies is necessary in the aftermath.
A cyber attack is a complex situation full of moving pieces. It could involve insider threats or external factors (and, sometimes, both). Knowing how to respond to an attack is vital, but it is just as important to know what not to do.
What Not To Do During a Cyber Attack
- Hide the issue from authorities. Experts estimate that one in five data breaches is never reported to the authorities. Your company must be among the other four (if a cyber attack ever takes place). Hiding the issue may seem attractive, because it keeps customers from panicking. However, most jurisdictions now have breach-notification laws with fixed deadlines for informing regulators and affected individuals, and failing to meet them exposes the company and its officers to fines, lawsuits, and in some cases criminal liability.
- Panic. One of the worst things you can do during an attack is panic, which is exactly what threat actors hope for, because people make mistakes when they panic. Keeping calm and following your cyber attack response plan is a must.
- Disregard the threat. Panicking is terrible, but so is taking it easy. A cyber attack and the data breach that follows it are nothing to laugh at: many small businesses never recover from a serious breach. Find a middle ground and follow our 10-step process to respond to a cyber attack.
10-Step Process To Respond to a Cyber Attack
1. Identify the Threat
The first thing to do during a cyber attack is to understand what is going on. You have to learn who is performing the attack, when it started, how it happened, and what the target is.
It will be difficult to pinpoint exactly who is behind an attack, but you do have to determine whether you are dealing with an insider or an external threat, because the two call for different responses.
Figuring out when the whole thing started is necessary to see how far the damage goes. Attackers can sit inside a network for days, weeks, or even months before anyone notices, and you may have lost a lot of valuable information to a threat actor without knowing it. The earliest sign of compromise you can find in your logs, not the moment you noticed, marks the start of the incident.
At the same time, knowing how the attack happened and what it targeted is a must in order to work out how to contain the breach.
2. Contain the Breach
Once you have identified those factors, it is time to contain the issue. Unfortunately, doing so will not be easy, and it may disrupt your way of doing business for a while.
For example, if you have malware running rampant on your network, it is time to isolate the affected servers and devices. Disconnect them from the network (pull the cable, disable the port or Wi-Fi, or move them to a quarantine VLAN) rather than powering them off: shutting a machine down destroys the contents of memory, which is often the best evidence you have for the investigation in step 5.
You must separate healthy parts of the network from infected ones, unless you want the malware to compromise your entire network. Some malware self-replicates across the network and stays hidden to evade detection.
If one employee falls for a phishing scam, it is time to reset their password. Remember that a password change alone does not log the attacker out: also revoke the account's active sessions, API tokens, and any mail-forwarding rules they may have created, and re-verify the account's multi-factor authentication enrolment. Sending a company-wide message asking every employee to reset their login credentials could be necessary too, especially if you do not know how many fell for the scam.
3. Deal With Contingencies
It is vital to keep the breach from expanding. That is why you are trying to contain it. However, some believe it is enough to disconnect the infected server and call it a day.
Not at all! As you know, malware spreads and self-replicates easily, especially if you have no defenses in place (or if it is exploiting a vulnerability in your systems that is still unpatched).
For that reason, dealing with contingencies is a must. In other words, you have to monitor for suspicious activity even more closely than before. Watch what accounts are doing, look for spikes in outbound bandwidth (a common sign of data being exfiltrated), and check for listening ports or services that should not be there. Comparing what you see against a known-good baseline is far more reliable than eyeballing it.
If a cyber attack has happened, assume the enemy is still within the walls. Containing the breach is of no use if the attacker can simply walk back in through a second foothold.
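The two post-containment checks described above, unexpected listening ports and an egress bandwidth spike, compared against a known-good baseline. This is an added example written for this article, not code from the original text; the hostnames, port lists, and byte counts are constructed sample data, and the 3x-median threshold is an assumption you would tune to your own environment.

```python
"""Post-containment monitoring helpers (added example, not part of the original article).

Two simple checks a responder can run while watching for a threat actor
re-establishing a foothold after containment:

1. Listening ports: compare a current snapshot against a known-good baseline
   and report ports that should not be open.
2. Egress bandwidth: flag hosts whose outbound volume is far above their
   recent normal, a common sign of data exfiltration or malware beaconing.

All hostnames, ports, and byte counts below are constructed sample data.
"""
from statistics import median

# Constructed baseline (assumption): ports each host is expected to listen on.
BASELINE_PORTS = {
    "web-01": {22, 80, 443},
    "db-01": {22, 5432},
    "fs-01": {22, 445},
}

# Constructed snapshot (assumption), e.g. parsed from `ss -ltn` on each host.
CURRENT_PORTS = {
    "web-01": {22, 80, 443, 4444},   # 4444 is not in the baseline
    "db-01": {22, 5432},
    "fs-01": {22, 445, 3389},        # RDP appearing on a file server
    "jump-01": {22},                 # host not in the baseline at all
}


def unexpected_ports(baseline, current):
    """Return {host: sorted ports} that are listening but absent from the baseline.

    A host missing from the baseline is reported with all of its ports, since an
    unknown machine on the network is itself worth investigating.
    """
    findings = {}
    for host, ports in current.items():
        extra = ports - baseline.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


# Constructed daily outbound byte counts per host (assumption); today's value is last.
EGRESS_BYTES = {
    "web-01": [2.1e9, 1.9e9, 2.3e9, 2.0e9, 2.2e9, 1.8e9, 2.1e9, 2.0e9],
    "db-01":  [3.0e8, 2.8e8, 3.1e8, 2.9e8, 3.2e8, 2.7e8, 3.0e8, 9.6e9],  # ~32x spike
    "fs-01":  [5.0e8, 6.1e8, 4.7e8, 5.5e8, 5.2e8, 4.9e8, 5.8e8, 6.0e8],
}


def egress_spikes(history, factor=3.0):
    """Return {host: (today, baseline_median, ratio)} for hosts whose outbound
    volume today exceeds `factor` times the median of the preceding days.

    The median is used instead of the mean so that a single earlier anomalous
    day cannot inflate the baseline and hide today's spike.
    """
    findings = {}
    for host, series in history.items():
        if len(series) < 2:
            continue  # not enough history to compare against
        *past, today = series
        base = median(past)
        if base > 0 and today > factor * base:
            findings[host] = (today, base, round(today / base, 1))
    return findings


if __name__ == "__main__":
    for host, ports in unexpected_ports(BASELINE_PORTS, CURRENT_PORTS).items():
        print(f"[ports]  {host}: unexpected listeners {ports}")
    for host, (today, base, ratio) in egress_spikes(EGRESS_BYTES).items():
        print(f"[egress] {host}: {today:.3g} bytes today vs median {base:.3g} ({ratio}x)")
```

In practice the snapshot dictionaries would be filled from your inventory or monitoring tools; the point is that each finding is a concrete, explainable deviation from a baseline you recorded before the incident, which is what an investigator (or law enforcement, in the next step) can act on.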
4. Notify Law Enforcement
Remember not to hide the issue from the police. Reporting helps you twofold: first, it keeps you on the right side of the law; second, authorities can help you deal with the threat and catch the culprit, greatly reducing the damage a breach can cause.
You should contact local law enforcement first. However, they may not have the capacity to deal with cyber threats. In the United States, your local FBI field office does, so that should be your second call if local authorities cannot help; other countries have a national cyber crime unit that plays the same role.
At the same time, find out whether you must also report to any government authorities or regulatory bodies (such as a data protection authority or a sector regulator), and by when. A law enforcement officer will probably point you in the right direction.
5. Investigate the Breach
It is time to do due diligence and find out what happened (on your own or with the help of law enforcement). You briefly glanced at the what, when, how, and why in step 1, but now it is time to conduct a full investigation to fully understand the attack.
An investigation is a must to know who you are dealing with. Sometimes threats come from outside. Other times they come from inside.
What is the worst-case scenario? That you are dealing with a threat actor who has compromised several accounts, meaning you have to fight on several fronts.
You won’t know until you take the time to investigate. At the same time, this investigation will show if the attack is over – or if there’s a dormant threat in your system. You can’t go back to normal until you know for sure you can do so.
6. Restore the System
After the investigation shows the attack is over, it is time to go back to normal. Before reconnecting a contained device or server, make sure it is actually clean: rebuild compromised machines from known-good images or backups taken before the intrusion, patch the vulnerability the attacker used, and rotate every credential they could have seen. Only then connect everything back to the network, get your employees back to work, and go back to business.
It is vital not to rush your way to this step. Doing so may mean playing right into a threat actor's hands. Some attackers leave dormant malware or keep stolen credentials and wait weeks or months before they strike again.
That is right: the best in the business will compromise your systems but wait until your defenses are down to attack. In fact, an attacker may launch a cyber attack simply to study your response. That is why the investigation in step 5 is a must.
7. Talk to Your Legal Team
In step 4, you notified law enforcement. We can’t stress enough that you must do so if you haven’t done so already – and if you don’t believe us, you will hear the same thing from your legal team.
Talk to your company's attorneys to see how to move forward. Have you lost vital data? Do you have to notify your insurer? Are lawsuits coming your way? Now that the crisis is over, it is time to see what problems will follow from the attack.
Small businesses without a legal team should contact a law firm that specializes in cybersecurity. You might want to discuss having them on retainer if the breach was big enough to create trouble.
8. Contact Those Affected
Your company is not the only one affected by a cyber attack. If the threat actor was successful, they now hold valuable data, meaning your users could be in trouble. Leaked passwords are a problem even when stored hashed (because many people reuse them across sites), and a catastrophic outcome would be losing credit card information.
It is important to contact users as soon as possible, but do so after talking to your legal team. You need to know how liable you are for what happened and what to do to reduce the likelihood of a lawsuit. Keep in mind that many breach-notification laws set a fixed deadline for telling regulators and affected individuals, so the legal review must not be allowed to push you past it.
Doing a thorough investigation will help you in this step too. You need to know what kind of data you lost, who it affected, and how much damage the breach may do. Once you have that information, let users know about it.
9. Follow Up on the Attack
The attack is over. Users know what happened. Your lawyers are creating a legal strategy to defend your company from possible trouble. Your investigation has shown what happened, who the culprit was, and what the threat actors wanted.
Is it over? Far from it! You have to follow up on the issue: watch for any lawsuits that come your way, work out how to keep users from taking their business elsewhere, and find out how your employees are doing.
At the same time, you have to talk to law enforcement to see how the case is doing.
More importantly, you must figure out how to improve your cybersecurity policies.
10. Evaluate and Update Your Cybersecurity
You may think it is time to rest after you have dealt with a cyber attack, but that is not the case. In fact, now is the time to work harder than before. The attack succeeded because something failed: a vulnerability, a misconfiguration, or a gap in process, and you need to find out which.
It is time to study what happened and come up with a better cybersecurity policy than before. Who was the culprit? What did the threat actor exploit to succeed? Which defenses held, and which did not? You have to ask many questions to arrive at the answer.
Of course, it’s always better to prevent a cyber attack than having to respond to one.
Preparing for and Preventing Cyber Attacks
- Train your employees. Industry reports attribute more than 80% of data breaches to a human element such as phishing, stolen credentials, or simple error. Attackers often rely on common scams, such as phishing, to steal passwords. They also mine social media for details that help them guess passwords, answer security questions, and craft convincing lures. Regular training makes your employees far less likely to fall for a trap.
- Update your infrastructure. Your software and hardware are two lines of defense you cannot forget, even if breaches happen mostly due to human error. In fact, having the right defenses in place (multi-factor authentication, mail filtering, and so on) will stop certain scams from succeeding even when an employee falls for them. Leaving your infrastructure unpatched, on the other hand, leaves holes for threat actors to exploit.
- Create an insider threat hunting team. Sometimes the attack comes from within. Having a specialized team looking for insider threats is a must if your company is big enough. A strong screening process also reduces the risk of hiring unreliable employees.
Conclusion
It is never easy to deal with a cyber attack, though most companies can weather the turbulence if they have a response plan. Identifying the threat, containing the breach, and talking to law enforcement are necessary first steps. After that, restoring the systems lets you get back to doing business.