While most of your staff might have paid attention to your security training, it only takes one employee who missed it or forgot what they learned.
He or she could be the one to open a bogus email, download and run the wrong file, visit the wrong site, or plug in a thumb drive loaded with malware. Any of these actions can hand an intruder easy access to your network.
Whether that employee did so deliberately or accidentally doesn’t matter – you have a cyber attack on your hands. The scary part is that you may not know right away – intruders can be actively working inside your network for weeks or months before anyone notices.
It doesn’t matter whether the intruder only looks at your data, steals it or destroys it: they don’t belong there, and the longer they’re in, the more damage they can do.
Once a breach is detected, it’s easy to panic, but good training in cyber threats should give you guidance on the next steps:
1. Notify your team. You should already have people ready to handle critical risk assessments. According to the Walker Agency, this team should extend beyond technical staff such as IT and security to include legal, human resources, finance, marketing/PR, and relevant vendors. Each of these groups needs to be told what is happening so they know how to respond to the breach, the investigation, and any follow-up actions. If you don’t have such a team, assemble one fast.
2. Lock down other systems. To limit the damage, look for ways to isolate the affected network segment or machine. This can be as simple as unplugging a network cable, or it can mean changing passwords or tightening security settings. Two practical cautions: where you can, block the host at the firewall rather than pulling the cable, because a hard disconnect drops the live connections and process-to-socket mappings your investigators will want to record first; and change passwords from a machine you know is clean, or the intruder may simply capture the new ones. You can even consider shutting down your whole network or site – your customers and staff may dislike it, and you may lose money, but it cuts the intruder off and gives you room to dig deeper.
3. Implement back-up plans. If you aren’t sure where the intruder is, how to get rid of them, or how long the investigation will take, create work-arounds. Are there back-up networks you can switch to? Should people stop all network activity and work from local machines or mobile devices? Should memos be written on paper and hand-delivered? Your incident procedures should also be kept on hard copy, not just on the network, since you may not be able to trust or reach the network during the incident.
4. Notify the appropriate authorities. A local law enforcement agency may not have the expertise to deal with a major cyber threat, but it should at least be told that a crime has occurred or is occurring. It may be able to put you in touch with more specialised cyber security experts, especially if your breach looks more serious than the work of a lone local hacker. You may not know this early in the investigation either, but the extra resources will be welcome.
5. Manage the investigation. This takes priority, even if people have to be pulled off other projects. Your crisis team can expand or split into smaller teams that focus on different implications of the breach, including how to deal with the intruder and the financial and legal effects.
6. Conclude the investigation. Once the systems are cleaned, it’s time to notify employees, clients and customers. Even if you can’t give specifics, tell them what happened and what action you took.
7. Take steps to prevent future breaches. This critical step is sometimes forgotten, but it is vital to patch the vulnerabilities the intruder used and make it harder next time. And, according to the Cyber Security Agency of Singapore, a business of any size can be targeted, so strong defences are always warranted.
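As an added example (not from the article, and not Wincom’s own tooling), the script below shows one way to carry out the lock-down in step 2 on a Linux host without pulling the cable: it snapshots the live network state for the investigators, then applies a firewall rule set that keeps only the incident-response team’s SSH access and the host’s log forwarding open, and drops and logs everything else. It assumes the IR team connects over SSH from an address IR_HOST, that the host sends syslog to SIEM_HOST on 514/udp or 6514/tcp, and that the iptables command is available; the addresses used in the usage lines are placeholders. Without `--apply` it only prints the rules, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: firewall-level isolation of a suspected-compromised Linux host.
# Assumptions (not from the article): IR staff reach the host over SSH from
# IR_HOST; the host forwards logs to SIEM_HOST (514/udp or 6514/tcp); the
# iptables command exists (the nftables-backed iptables wrapper is fine).
# Unlike unplugging the cable, this keeps the machine reachable for live
# forensics and keeps its logs flowing while closing every other path.

# Record the connections and rules the intruder is using before they vanish.
snapshot_state() {
    out="${1:-/var/tmp/isolation-$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$out"
    ss -tunap > "$out/sockets.txt" 2>&1 || true        # sockets with owning PIDs
    iptables-save > "$out/pre-isolation.rules" 2>&1 || true
    echo "$out"
}

# Emit the rule set, one command per line, without applying it (dry run).
# Accept rules come first and the DROP policies last, so an IR session that is
# already open is never cut off part-way through the change.
isolation_rules() {
    ir_host="$1"
    siem_host="$2"
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $ir_host -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $ir_host -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $siem_host -p udp --dport 514 -j ACCEPT
iptables -A OUTPUT -d $siem_host -p tcp --dport 6514 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s $siem_host -p tcp --sport 6514 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ISOLATED-IN: " --log-level 4
iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ISOLATED-OUT: " --log-level 4
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Snapshot first, then apply each rule line through sh -c so quoted
# arguments such as the log prefix survive intact. Must run as root.
apply_isolation() {
    evidence_dir="$(snapshot_state)"
    isolation_rules "$1" "$2" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
    echo "host isolated; evidence saved in $evidence_dir"
}

# Usage (placeholder addresses):
#   Dry run, prints the rules:   ./isolate.sh 10.0.0.5 10.0.0.9
#   Apply as root:               ./isolate.sh --apply 10.0.0.5 10.0.0.9
case "${1:-}" in
    --apply) apply_isolation "$2" "$3" ;;
    "") ;;                       # no arguments: define functions only
    *) isolation_rules "$1" "$2" ;;
esac
```

Run it in dry-run mode first and have a second person read the output; once the rules are applied, confirm from IR_HOST that SSH still works before closing your existing session, since a mistake in the IR address leaves the box reachable only from the console.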
Overall, companies that are prepared may still be attacked, but having a security plan helps you respond faster and protects your reputation.
About the Author
Wincom IT Services is a Singapore-based Managed IT Service Provider. Serving more than 400 local clients, it has more than 20 years of experience in IT infrastructure.