Best Practices for Cyberattack Response: What to Do When You Experience a Data Breach
In the current online era, a number of us have been involved in a data breach. Data breaches are security incidents we now hear about every day. They strike every industry, every sector, and every country. Victims might be individuals, small, independent businesses, non-profits, or large companies. While avoiding attacks is the goal, there is no such thing as perfect security. How you respond in a crisis helps determine the future of your organisation, often cyberattack victims do not know what to do next.
With that in mind, let’s look at some best practices to cyberattack response.
1.Freeze everything
Do not shut down the affected devices or make changes to them immediately, instead take them offline. The idea is to stop the attackers from going on with their activity and also to avoid tampering with evidence that might be beneficial during forensics investigations (in case you intend on taking that route)
2. Change passwords or lock credentials
This is a common tactic in preparing to investigate a data breach since it will help ensure the cessation of the said breach if it is ongoing, and data breaches commonly rely on compromised passwords and credentials. Make sure to apply this step to all involved accounts, whether confirmed or suspected.
3. Ensure auditing and logging are still ongoing
Ensuring that existing system auditing remains intact and has been operational will be one of the most useful steps you can take to determine the scope of the breach and devise remediation methods. If auditing has been disabled (to cover someone’s trail for instance), restore it before proceeding; it will also assist in establishing whether breach activity is ongoing and when the breach can be safely determined to have concluded.
4. Determine the impact
Determine the root cause, did someone forgetfully give out their password? Was a system not patched for a particular vulnerability? Did someone plug an unauthorised laptop into the company network which then subjected the organisation to malware? Or did an employee simply click on a malicious link on some website?
5. Determine how it happened
Determine the root cause, did someone forgetfully give out their password? Was a system not patched for a particular vulnerability? Did someone plug an unauthorised laptop into the company network which then subjected the organisation to malware? Or did an employee simply click on a malicious link on some website?
6. Determine what needs to be done
Come up with a remedy to prevent future occurrences of similar nature. Establish whether, to update software, change network firewall rules, run anti-malware scans etc.
7. Communicate the details to the appropriate internal personnel
Let them know the breach occurred, how it occurred, what details were involved, and what has to be done. You may need to talk to legal, PR, the HR department, customer service or any other stack holder group which needs to be involved in the post-breach cleanup.
8. Make public announcements and prepare for responses
This is never easy but quite likely it will be up to someone to make a public announcement, perhaps in the form of a press conference, series of emails, social media announcements, website announcements or any other form of communication which exists between the company and the parties concerned. Make sure to describe what the organisation has done to remedy the breach, what it intends to do in the future, and what (if any) steps customers should take to protect themselves, such as by changing passwords, contacting credit card companies or placing fraud alerts. If possible, establish a hotline or name a specific group/contact information to address customer concerns regarding this breach so they can answer questions and provide guidance