What to do if you have cyber-attack?
We are always hearing in the news about large companies that have been hacked and the vast amounts of data have been compromised.
How you respond to an attack is critical as knowing will help protect your companies’ systems from further damage or loss, and your clients’ data from being compromised.
In this article we aim to help:
- Limit the damage to systems and data.
- Comply with regulations.
If you hold any personal data of your staff such as HR/Employment records or are primarily a consumer business that hold customer records such as names, addresses & email, then you will need to comply with the General Data Protection Regulation (GDPR).
As a business, you will have business insurance and may have cyber insurance that will also have a process for dealing with any cyber-attack. It is better to obtain the right advice from your insurance company who can advise on the correct response, instead of worrying about an excess.
What is your business cyber response plan?
If you’re systems have been hacked, you should have a cyber response plan that can be part of your disaster recovery plan. The plan should include:
- Who to alert – so that the right members of staff can take actions and reduce damage.
- How to identify the affected systems?
- How to disable affected systems and utilise a backup system (such as paper records)
- How to restore the affected system – establishing how long the system will take to restore.
- Investigate and learning from the attack and improve upon the current system.
As most businesses rely upon the Internet for email, voip, web and file storage disconnecting from the internet may do more damage to your business however, you may be able to disable remote access and change passwords for primary systems.
If you have an IT department or external IT company (assuming they are on the alert list), getting their expertise as they look after your systems daily will be needed to resolve most issues.
Finding out what happened
Most Cyber attacks will leave some trace of who and how they accessed your systems. How do you know you have been hacked? Have you been hacked or is it a fake/scam email?
If you cannot find the source, then it may be likely that the hacker can still get access through the same method.
Encrypted data – If your systems are encrypted, then identifying the point of initial access. It could be one laptop, or a server had some files but not others. Who discovered the files? Who has access to the files? If your systems have been segmented into departments then is the whole server affected or just one folder?
Email – If your customers are receiving hundreds of emails from your company, getting a copy of the email (not just a forwarded email) so you can see the message headers can help validate the source.
Website – if your website is down, checking through logs and check file dates of any changed files.
Once you can identify the source or entry point then you can begin to secure & restore the system.
Restoring systems
Most companies will have a regular backup of data and being able to restore this with little or no loss is the ideal. However, if a backup has been failing or is not available, then you should consider how to restore systems.
You may need to wipe and reinstall complete devices to ensure that you have cleaned the systems. This will take time and prioritising which systems you need to restore first will be part of your disaster recovery plan.
Data that is backed up to the cloud will also need to be downloaded. This will take time.
Reporting the cyber-attack
You should consider who you need to report the data breach to, is it internal data, then do staff need to change passwords or check if other systems have been affected.
If money has been lost
Informing management and your bank fraud departments and your insurance company,
If the money affects clients, then informing them and advising them what you will be doing to resolve, and prevent further attacks.
If sensitive information data has been lost
GDPR requires that if you have lost personal data, you must report this to the Information Commissioner Office (ICO).
You may also need to report the attacks to Action Fraud or governing body.
Telling clients about the cyber-attack
If the cyber attack may affect your clients, then you should inform them. Depending upon the data that was compromised, you may need to handle questions with a standard PR strategy with your staff having a FAQ or point of contact.
The ICO has good information here on what and how to inform clients.
Learning from cyber-attacks
Security of your systems can generally always be improved. Ensuring you review the attack with your staff and IT team will help prevent future attacks.
Try to identify:
- How it happened
- What systems were affected and the impact to the business and clients?
- What went well in responding to the attack?
- Could improvements be made to the response process or systems to prevent future attacks?
You may need to consider if the attack was due to old software that needs to be updated/replaced or if permissions need to be tightened.
Training staff on a regular basis can help them spot fake/spam emails. Or implementing a process where if a bank payment needs to be made for the first time or is changed then a confirmation call is made to the individual.
Supplier cyber-attacks
Increasingly cyber attackers are targeting the suppliers of companies, so they get access to the client’s systems. IT support companies are no exception.
In one large attack we have heard of, attackers have gone through 2-3 companies before achieving their target.
Many IT companies will have access to a clients Office 365 portal or VPN access. If they have remote monitoring systems that can provide high level access to the client’s systems & data.
With our own systems we have 2 Factor authentication (2FA) for all our IT technicians and automatically log all access so we can trace our access. If you would like to discuss how we can help protect your systems and work on your disaster plan then please contact us