Guiding your business through a cyber security incident with minimal fuss and disruption to day-to-day activities requires having a strong response plan in place. Having looked at the first two stages, preparation and detection, it’s time to look at what you need to do to take action when your network or systems are threatened.

With the right detection software in place, and the right education and cyber security culture within your organisation, you should be better equipped to identify when you have fallen victim to a cyber security incident. Whether that is data loss or theft, or an attack from malware or ransomware, it is important to put your response plan into action in order to regain control – to contain, eradicate and recover.

Here are the steps your organisation should take:

Gather the troops

Based on the strategy laid out in your response plan, at the first signs of a cyber security incident, the relevant manager should be notified, and they should convene a meeting of the entire response team. This should include board-level personnel who can approve and validate the decisions regarding how best to handle the situation.

Assess the situation

Gather as much information about the security incident as possible so that your response team can understand and assess all activity around the time of the breach. System and application logs, firewall logs and similar sources should be able to pinpoint, to some degree, what happened and when, giving you a starting point.
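The "starting point" above is usually found by pulling the available logs together and reading the slice around the first suspicious activity. The following is an added example, not code from the original post or from pebble.it: it parses a handful of constructed log lines (the timestamps, addresses and usernames are made up, and the internal address range is assumed to be 10.0.0.0/8), finds the burst of failed logins, takes the first appearance of that source address as the suspected start, and lists the events around it plus every later event that mentions the same address so follow-on activity is not missed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from any real system. Each line is
# "<ISO timestamp> <source> <message>", mixing SSH authentication and firewall
# entries as they might look once pulled together for the response team.
SAMPLE_LOGS = """\
2018-03-01T08:55:02 auth sshd: Failed password for admin from 203.0.113.45
2018-03-01T08:55:04 auth sshd: Failed password for admin from 203.0.113.45
2018-03-01T08:55:07 auth sshd: Failed password for admin from 203.0.113.45
2018-03-01T08:55:09 auth sshd: Accepted password for admin from 203.0.113.45
2018-03-01T09:02:41 firewall ALLOW TCP 10.0.0.12:51002 -> 203.0.113.45:443
2018-03-01T09:30:00 auth sshd: Accepted password for jsmith from 10.0.0.7
2018-03-01T13:10:15 firewall ALLOW TCP 10.0.0.12:51130 -> 203.0.113.45:443
2018-03-02T02:00:00 auth cron: backup job started
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERNAL_PREFIX = "10."  # assumption: the organisation's internal address range


def parse_logs(text):
    """Turn raw lines into dicts sorted by time; lines that do not fit the
    expected shape are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        events.append({"time": datetime.fromisoformat(m.group(1)),
                       "source": m.group(2), "message": m.group(3)})
    return sorted(events, key=lambda e: e["time"])


def failed_login_bursts(events, threshold=3, span_minutes=1):
    """Source IPs with `threshold` or more failed logins inside `span_minutes`.
    Returns (ip, first_iso, last_iso, count) tuples."""
    span = timedelta(minutes=span_minutes)
    attempts = {}
    for e in events:
        if "Failed password" in e["message"]:
            ip = IP_RE.search(e["message"]).group(1)
            attempts.setdefault(ip, []).append(e["time"])
    bursts = []
    for ip, times in attempts.items():
        for i, start in enumerate(times):
            window = [t for t in times[i:] if t - start <= span]
            if len(window) >= threshold:
                bursts.append((ip, start.isoformat(), window[-1].isoformat(), len(window)))
                break
    return bursts


def first_seen_external(events):
    """Earliest appearance of every non-internal IP, as ISO strings."""
    first = {}
    for e in events:
        for ip in IP_RE.findall(e["message"]):
            if not ip.startswith(INTERNAL_PREFIX) and ip not in first:
                first[ip] = e["time"].isoformat()
    return first


def suspected_start(events):
    """Starting point for the timeline: the earliest moment any IP that went
    on to produce a login burst first appeared. None if there is no burst."""
    burst_ips = {b[0] for b in failed_login_bursts(events)}
    first = first_seen_external(events)
    candidates = [first[ip] for ip in burst_ips if ip in first]
    return min(candidates) if candidates else None


def events_in_window(events, pivot_iso, minutes_before, minutes_after):
    """Slice of the timeline around a pivot: what the team reads first."""
    pivot = datetime.fromisoformat(pivot_iso)
    lo = pivot - timedelta(minutes=minutes_before)
    hi = pivot + timedelta(minutes=minutes_after)
    return [e for e in events if lo <= e["time"] <= hi]


def activity_for_ip(events, ip):
    """Every event mentioning the IP, so follow-on activity (for example the
    outbound connections after a successful login) is not missed."""
    return [(e["time"].isoformat(), e["source"], e["message"])
            for e in events if ip in e["message"]]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    start = suspected_start(evs)
    print("suspected start:", start)
    for e in events_in_window(evs, start, 5, 10):
        print(" ", e["time"].isoformat(), e["source"], e["message"])
    for ip, *_ in failed_login_bursts(evs):
        print("events involving", ip, "->", len(activity_for_ip(evs, ip)))
```

Run on the sample, the burst from 203.0.113.45 is followed by a successful login and then outbound connections back to the same address hours later, which is exactly the kind of later activity a team reading only the login failures would miss. The log formats here are simplified; real sources each need their own parser, and copies of the logs should be taken before they rotate or are overwritten.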

Bring in the forensics

Your IT team needs to investigate the scale and depth of the attack, and using the information at hand, search for signs of further intrusion on all systems and devices across your IT infrastructure and network.

Often, this is well beyond the capabilities of an in-house IT team, which is why hiring an outsourced IT consultant is advisable. If they have been brought in from the very start to help with the creation and implementation of the response plan, even better.

Your IT team or external support can then investigate whether the cyber attack has resulted in data loss or leakage, which will determine the steps you need to take with regulators. With GDPR on its way, any organisation that has experienced a data breach will legally have to notify the relevant authorities within 72 hours of the incident, and could face very heavy fines, even if they are shown to have dealt with the situation. Failure to notify the authorities will result in even bigger fines.

Make a big decision

Knowing that you are dealing with a cyber security incident presents you with a conundrum. On the one hand, you need to deal with it as quickly and efficiently as possible to avoid the risk of further damage to your network or systems. Viruses spread, so you have to act decisively. On the other hand, you probably don’t want to shut down operations altogether while you deal with it, and would rather turn to your business continuity plan.

Do you:

  • Go into shutdown mode, disconnecting the systems immediately in order to recover as quickly as possible?
  • Continue to run as usual, taking time to monitor the security incident in order to get a better understanding of the situation, and collect evidence against the cyber attacker?

The first of these options may seem like the sensible thing to do, because it is the quickest way to recover and get you back in business. A fast response can also minimise the amount of damage a cyber security incident can do, because if your systems and network are not up and running, any malware or intrusion can go no further. However, it also has its drawbacks.

For one, your organisation will potentially lose business, and reputation. Secondly, shutting down means you are not able to gather any further information on the attack, and may well miss a vital piece of the attack strategy, which could result in the incident recurring at a later date.

Shutting down will also alert the cyber attacker to the fact that you know they have successfully penetrated your security, leaving them free to escape and try again another day.

The second option also has its pros and cons. For one, it can take longer to deal with the incident, meaning a potential loss of revenue as you slowly return to business as usual, but on the plus side, you are more likely to identify the root causes of the cyber security incident and remove it effectively, while you may also be able to catch the perpetrator in the act as they continue to worm their way into your systems.

Your decision comes down to a number of factors that your response team needs to consider:

  • Is it absolutely necessary to keep your services running, or would it be acceptable to take your systems offline temporarily?
  • What are the consequences if the cyber security incident is not contained?
  • Is the attack doing immediate damage?
  • Could the attack lead to theft of assets or serious damage to your network and devices?
  • Do you really need to gather evidence about the attacker, or avoid alerting them that you are aware of the attack?

Most organisations tend to try for a happy medium, whereby they work to get rid of the cyber threat while running the business at a lower capacity, but it is worth consulting an IT support expert who specialises in cyber security to get advice on the best course of action to take, and what not to do. They can also handle the incident if it proves too big for your IT team.

Removing the cyber threat

Once decisions have been made about the best approach, it is time for the IT team to enter the fray and start dealing with the cyber security incident.

The first thing that needs to be done here is to ensure you have a full picture of what happened, when, and how, with a clear identification of the root cause of the incident. After that you should:

  • Ensure that all files or services related to the incident and all malicious code or data left by the attacker are removed by running a virus or spyware scanner
  • Run the same security checks on your back-up, as these may also be affected
  • Run a cyber security audit to identify and fix every vulnerability used to penetrate the security measures, and include any devices that may have the same vulnerabilities in this
  • Delete all malware found and disable all breached user accounts
  • Update signatures and passwords
  • Update email blocking based on sender or content
  • Update firewall policies to block IP or domain-based traffic known to host malware
  • Update staff, management and external stakeholders of new policies resulting from the incident

Getting back in the game

Once the eradication process has been completed, it’s time for the recovery process. Again, there are decisions to be made here regarding the most effective (and cost-effective) way to do this, and your decision may come down to the resources available.

Consulting with an expert is advisable here, as they can suggest the best possible process to suit your organisation’s needs and budget. The options include:

  • Cleaning and replacing compromised files, apps, devices, etc with clean versions – this is cost-effective, but you may leave undetected malware behind
  • Restoring from back-up – this is also cost-effective, but will only work if you can safely say that your back-up files have not also been compromised in the cyber security incident. Many malware attacks sit idle for months before kicking in, so you may well not have a clean, pre-incident back-up
  • Rebuilding from scratch – While this option will take time and money you may not have, it is the only way to be 100% certain that all traces of the cyber security incident have been eradicated
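Two of the steps above, removing the files the attacker left behind and running the same checks on your back-ups before trusting them for a restore, come down to the same job: sweeping a directory tree for files the investigation has already identified. The following is an added example, not code from the original post or from pebble.it. It builds a constructed layout (a live system containing one attacker-dropped file, an older clean back-up and a newer back-up that silently copied the file), hashes every file, reports matches against a hash set that stands in for what the investigation would hand over, and picks the most recent back-up that is clean. The file names, contents and hash are all made up.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for an attacker-dropped file and its hash. The hash set
# is what the investigation would hand over after identifying the attacker's
# files; it is derived from constructed content so the example runs offline.
MALICIOUS_CONTENT = b"constructed stand-in for an attacker-dropped binary"
KNOWN_BAD_HASHES = {hashlib.sha256(MALICIOUS_CONTENT).hexdigest()}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large back-up images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_tree(root, bad_hashes):
    """Relative POSIX-style paths of every file under `root` whose SHA-256 is
    in `bad_hashes`, sorted for stable reporting."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and sha256_file(p) in bad_hashes:
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def backup_is_clean(root, bad_hashes):
    """A back-up is a restore candidate only if the sweep finds nothing in it."""
    return not sweep_tree(root, bad_hashes)


def pick_restore_candidate(backups, bad_hashes):
    """Most recent clean back-up by name (names are ISO dates, so string order
    is date order), or None when every snapshot carries the attacker's files."""
    for name in sorted(backups, reverse=True):
        if backup_is_clean(backups[name], bad_hashes):
            return name
    return None


def build_sample_environment():
    """Constructed directory layout: a live system with the dropped file, an
    older clean back-up, and a newer back-up that silently copied the file."""
    base = Path(tempfile.mkdtemp(prefix="ir-sweep-"))
    files = {
        "live/etc/app.conf": b"listen=443\n",
        "live/tmp/updater.bin": MALICIOUS_CONTENT,
        "backups/2018-02-20/etc/app.conf": b"listen=443\n",
        "backups/2018-02-27/etc/app.conf": b"listen=443\n",
        "backups/2018-02-27/tmp/updater.bin": MALICIOUS_CONTENT,
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    backups = {p.name: p for p in (base / "backups").iterdir()}
    return {"live": base / "live", "backups": backups}


if __name__ == "__main__":
    env = build_sample_environment()
    print("live system hits:", sweep_tree(env["live"], KNOWN_BAD_HASHES))
    for name, path in sorted(env["backups"].items()):
        state = "clean" if backup_is_clean(path, KNOWN_BAD_HASHES) else "COMPROMISED"
        print(name, state)
    print("restore from:", pick_restore_candidate(env["backups"], KNOWN_BAD_HASHES))
```

On the sample layout the newer back-up is rejected and the older one is chosen, which is the situation the second option above warns about. A sweep like this only finds files you already know about, so a clean result is evidence, not proof; that is the same limitation the first option notes when it says cleaning may leave undetected malware behind.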

However you choose to return to business as usual, there are some final steps to take. Unfortunately, eradicating a cyber attack does not mean a similar incident will not occur in the future, so you need to consider how you can bolster your cyber security, and again an IT consultant can advise on this.

You should also ensure that your entire IT infrastructure and systems are validated for both business and security functions. Your IT team should check that all security systems are in place and in working order by running a scan for further vulnerabilities, and run checks to determine that all networks, systems and devices necessary for business operations are working as they should.

Once you have done all of this, it’s time to go live and get back into business.

Responding to a cyber security incident is not easy, but by following your pre-prepared response plan, and getting help from an expert IT support service, you should be able to get back in business as quickly as possible after disaster strikes.

At pebble.it, we help businesses of all sizes deal with cyber security incidents, and help arm them with the tools they need to prevent further attacks. Find out how we can help you stay ahead of the cyber attackers by getting in touch or booking a security audit, and download our IT Security Checklist below:
