Incident Response: What to do after you are hacked.


Having an incident response plan in place before a cyberattack is a crucial step toward getting your business back online afterward. As the number of cyberattacks increases, so does the number of victims. You may have excellent cybersecurity defenses in place and still get hacked; the result may be a significant shutdown or a minor inconvenience. The questions are: have you heard of incident response? Are you familiar with it? Is your plan continuously updated? Have communication channels and stakeholder obligations been established?

In most organizations, the answer is usually no, and it gets worse for smaller businesses. Many have no plan at all, along with the mindset that it will not happen to us because we are too small.

Here are some guidelines on what to do if you become the victim of a hack. All steps are of equal importance. If you do not have an incident response plan, templates and sample plans are available online.

  1. Incident containment: Containment entails both proactive and reactive actions. Disconnect the infected devices from the network immediately (isolate them rather than powering them off, so that evidence still in memory is not lost). Change passwords, and do it from a device you know is clean, otherwise the attacker simply captures the new ones. Identify the source of the breach.
  2. Immediately notify the organization's IT team about the infected device so they can contain the situation. Notify the stakeholders impacted by the incident: your clients, vendors, and employees. Notify legal counsel and the applicable regulatory and law enforcement organizations as soon as possible. There is a public relations aspect too, which depends on how large your organization is: how much information do you release, and when?
  3. Consider help from external resources and share information about the cyber threat. For example, you may have to contact the FBI or your local police department.
  4. Investigation and documentation of the incident: Be prompt and comprehensive; document every pre- and post-incident response step, with a timestamp and the name of who did what. The investigation's goal is to determine the root cause in the first place, as well as any weaknesses that could allow a future attack. Proper documentation is a prerequisite for this analysis, and for any later legal, insurance, or regulatory review.
  5. What steps are in place to keep your operation running without your computers, network, and internet? How long can you be without them?
  6. Check your backups. Confirm that the backup predates the compromise and has not itself been altered or encrypted; a backup the attacker reached will reinfect the rebuilt system. Wipe the infected device(s), then restore from your latest known good backup.
  7. Ensure that operating systems and applications are fully updated before the restored systems go back online. Then contact your antivirus vendor's support team and ask whether they offer any remedies for the threat involved.
  8. Should you pay the ransom? If yes, should you negotiate with the attackers? Should you ask your insurance company to reimburse you? Should you contact the police or the FBI? Each of these decisions needs consideration, ideally in the plan before anything happens, and whatever is decided should be documented once an incident occurs.
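Two of the steps above, documenting every response action (step 4) and confirming that a backup is still known good before restoring it (step 6), are easy to get wrong under pressure. The following Python is an added example written for this page, not code from the original post or from CEO Computers. It assumes a SHA-256 manifest was written when the backup was taken and stored where the backup host cannot overwrite it; the file names, the `oncall` actor and the actions recorded are constructed sample data.

```python
"""Added example: a tamper-evident incident timeline and a backup integrity
check.  Not part of the original post; manifest-based verification is an
assumed practice, and all sample files and log entries are constructed."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Run this when the backup is made and keep the manifest somewhere the
    backup host cannot write, or an intruder can simply re-hash after tampering."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a restore candidate against its manifest.  The three failure
    classes are reported separately because they mean different things:
    a modified file may be ransomware output, a missing file deleted
    evidence, an unexpected file a dropped tool waiting to be restored."""
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


class IncidentLog:
    """Append-only response timeline.  Each entry's hash covers the previous
    entry's hash, so editing or deleting an earlier entry breaks every later one."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        return hashlib.sha256(prev_hash.encode()
                              + json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, ts: Optional[float] = None) -> dict:
        """Append who did what and when; ts is injectable for reproducible tests."""
        entry = {"ts": time.time() if ts is None else ts, "actor": actor, "action": action}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry["hash"] = self._digest(prev, entry)   # computed before "hash" exists in entry
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered or removed."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if self._digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def make_sample_backup() -> Path:
    """Constructed sample backup tree (not real data) in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    (root / "etc").mkdir()
    (root / "etc" / "app.conf").write_bytes(b"listen=443\n")
    (root / "db.sql").write_bytes(b"CREATE TABLE orders(id INT);\n")
    return root


if __name__ == "__main__":
    root = make_sample_backup()
    manifest = build_manifest(root)          # taken while the backup was known good
    (root / "db.sql").write_bytes(b"ENCRYPTED")   # simulate ransomware reaching the backup
    print(verify_backup(root, manifest))      # modified == ["db.sql"], ok == False
    log = IncidentLog()
    log.record("oncall", "isolated web-01 from the network")
    log.record("oncall", "rotated admin credentials from clean laptop")
    print(log.verify_chain())                 # True until an entry is edited
```

If `verify_backup` reports anything other than `ok`, treat that backup as compromised and fall back to an older one rather than restoring it; and keep the manifest and the incident log on separate, write-protected storage, since both are only as trustworthy as the place they live.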

One major problem is that most businesses do not share their experiences outside the business, for various reasons. Ideally they would, so that other companies can learn from the experience and protect themselves accordingly.

Unfortunately, cybersecurity is part of business life nowadays. We cannot ignore it; it has become part of the cost of doing business. The incident response plan will therefore need frequent review and updating as circumstances change.

