So, you've discovered something nasty on your network. You've been hacked, and you're facing some critical questions: Who is inside your computer systems? What are they doing? How far have they spread, and how do you get them out?
You're not alone. According to the 2019 Cyber Security Breaches Survey from the UK Government's Department for Digital, Culture, Media & Sport, 32% of businesses in the UK identified cybersecurity breaches or attacks in the last 12 months. Here are some things you can do to minimize the damage.
The first step happens before the attack hits. Good preparation involves at least two steps. First, ensure that you have configured your network and computer systems to be resilient to an attack from the inside. Even when an attack has already breached your endpoints or firewall, you don't have to let the attacker move laterally through your network. Use tools and techniques such as network segmentation and identity and access management (IAM) to stop attackers leaping from system to system.
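The following is an added example, not code from the article, that shows one way to reason about segmentation before an incident: model the flows your firewall permits between network segments, then compute how far an attacker who lands in one segment could chain those flows. The segment names, ports and both policies are constructed for illustration; the "flat" policy allows everything, the "segmented" policy allows only the flows each role needs.

```python
"""Blast-radius check for a network segmentation policy (added example).

A policy is a list of permitted flows (source segment, destination segment,
destination port). From a compromised foothold, any permitted flow is treated
as a potential pivot, so the reachable set is the worst-case blast radius.
All segments, ports and policies below are constructed sample data.
"""
from collections import deque

# Constructed sample: a flat network where every segment can talk to every other
FLAT_POLICY = [
    ("workstations", "servers", "any"),
    ("workstations", "domain-controllers", "any"),
    ("workstations", "backups", "any"),
    ("servers", "domain-controllers", "any"),
    ("servers", "backups", "any"),
    ("servers", "workstations", "any"),
    ("domain-controllers", "workstations", "any"),
    ("domain-controllers", "servers", "any"),
    ("domain-controllers", "backups", "any"),
    ("backups", "servers", "any"),
]

# Constructed sample: segmented network, only the flows each role requires
SEGMENTED_POLICY = [
    ("workstations", "servers", 443),            # users reach web applications
    ("workstations", "domain-controllers", 88),  # Kerberos authentication
    ("servers", "domain-controllers", 88),
    ("backups", "servers", 22),                  # backup host pulls from servers
    ("jump-hosts", "servers", 22),               # admin access only via jump host
    ("jump-hosts", "domain-controllers", 3389),
]

# Ports commonly used for remote administration; "any" means unrestricted
ADMIN_PORTS = {"any", 22, 445, 3389, 5985}


def build_graph(policy):
    """Adjacency map: segment -> set of segments it may initiate flows to."""
    graph = {}
    for src, dst, _port in policy:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def blast_radius(policy, foothold):
    """Segments an attacker on `foothold` could reach by chaining permitted flows."""
    graph = build_graph(policy)
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(foothold)
    return sorted(seen)


def admin_exposure(policy, foothold):
    """Direct flows from `foothold` on remote-administration ports."""
    hits = [(dst, port) for src, dst, port in policy
            if src == foothold and port in ADMIN_PORTS]
    return sorted(hits, key=lambda h: (h[0], str(h[1])))


def report(policy, foothold):
    """Summary a reviewer can compare between candidate policies."""
    return {
        "foothold": foothold,
        "reachable_segments": blast_radius(policy, foothold),
        "admin_paths": admin_exposure(policy, foothold),
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, report(policy, "workstations"))
```

Run against a workstation foothold, the flat policy reaches every other segment with unrestricted admin access, while the segmented policy leaves the backup and jump-host segments unreachable and exposes no remote-administration port at all. The same check can be pointed at a different foothold (a web server, for example) to see which segment the next hop would reach.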
Second, have an incident response (IR) plan. This gives you a predefined set of rules for tackling a cybersecurity incident quickly as soon as you discover it. It includes not only a flowchart of actions, but a list of the people responsible for each and how they should interact with each other.
Assess and preserve
This IR plan will help you during the initial phases of a cybersecurity incident. Having detected a hacker, move quickly to assess the situation, using internal technology staff and/or consulting help to find out what the attacker has done and how far they have penetrated your systems. Work with legal experts to preserve the evidence, which could become part of a criminal case.
Contain and mitigate
Then, work quickly to contain the attack. Disconnect affected equipment and software from the network. This both cuts off the attacker's ability to penetrate further into your infrastructure and prevents them from controlling what they have already infected.
Mitigation involves more than just shutting down computer systems. It also means mobilizing the rest of the company to minimize the potential damage from the attack. Legal experts must calculate your liability in partnership with the finance department and, in many cases, must also inform the Information Commissioner's Office (ICO) of the breach under GDPR rules. Customer support operatives must have a plan for informing customers of the breach. Public relations must manage the flow of public information to keep the company's reputation intact. For any of this to happen, your company must have established a list of responsible stakeholders and clear communication channels between them.
Recover and learn
Finally comes recovery and learning. After freezing the attack, eradicate the attacker from your systems by reinstalling operating systems and applications. Ideally, you'll have predefined images that you can use to quickly reset your computers, and the backups you made will replace any data that you lost. After verifying that the reinstalls removed the attacker's tools, ensure that all appropriate passwords have been changed, and ideally add multi-factor authentication to your applications to avoid account hijacking in the future.
Even though it may sound counterintuitive, try to gain something positive from the attack. Learning from the mistakes that allowed the attackers into your network can help you strengthen your infrastructure against future threats. Document the gaps in your security that led to this situation and ensure that you plug them.
There is nothing fun about dealing with a hack, but how you react will determine the impact on your business. A sensible, organized response can deflect digital disaster.