How to recover from a cyber-attack

Posted in Cybersecurity, Insights

Businesses are increasingly dependent on the Internet and cloud computing as a critical part of their strategy for internal and external processes. Internally, they use it for business management and as a means of communication between workers. Externally, they use it to communicate with suppliers and customers. If access to the Internet is lost for any reason a business can be seriously compromised, and may potentially have to shut its doors for good. Internet service providers, and public cloud service providers in particular, are especially exposed because of the downstream effects on their customers.

The prudent business has a cybersecurity plan. It has installed defences against attack: physical devices, antivirus and malware protection software and other mechanisms intended to prevent, or at least minimise, the effect of malware. However, at some point a business is highly likely to suffer a cyber-attack. It could come from something as simple as an employee using an infected memory stick.

Cyber Security Plan

How a business recovers from an attack will depend firstly on the severity of the attack and the tools available to assist the recovery. It will also depend on whether the incident is wholly internal or initiated from outside the organisation, and on whether your systems and data backups are up to date and usable.

The first step is to identify that you are actually under attack or have had a malware or security incident. Daft as it sounds, some attacks go unrecognised: a Denial of Service attack can be written off as “the Internet’s a bit slow today”, or the first you hear of a data breach is when a competitor calls to say someone has tried to sell them your confidential information.

Then call in the cavalry. If you have an in-house support team, they should be all over the issue by now. If you use an outsourced support service, they need to arrive now.

The next step is to remain calm, sit with your experts, open the incident procedure document and set out your recovery plan. Knowing that you have been hacked or suffered a cyber-attack is stressful. It has happened, so your focus must now be on how you fix things. A clear mind and focus will deliver a solution more quickly. The worst thing to do is to rush in with uncoordinated activities based on incomplete knowledge.

If you are not part of the technical team, it is important now to go away. Keep in touch and have regular updates but allow the technical team to do their work.

Initiate your incident communications protocol. Let people know that something has happened and that services might be disrupted while you sort things out. Move to manual procedures where possible. Keep people updated about progress, particularly if your business is totally shut down until the situation is resolved.

Ransomware Attack

If it is a ransomware attack, you have a critical decision to make: pay or not pay? Many businesses in 2016 considered it easier and more cost-effective to pay up than face the downtime and uncertainties of trying to fix it themselves. As with other forms of ransom, there is no guarantee that you will get your data back, and the likelihood of being targeted again has just increased. You should also consider whether to report the incident to the authorities. You should.

Part of the decision-making process will be to find out whether you have usable backups to which you can revert and then catch up the data entered since. If you do, the quickest and cheapest recovery might be to reload your systems from the latest backup and re-enter the catch-up data. However, some backups could already be infected, and some might be incomplete as a result of unmonitored, failed backups. Critical data can also be lost if the last data snapshot was some time back.

Gather all the data relevant to the incident: user profiles, system and web logs, and logs of any other form of system access such as FTP logs. If it is an internal data breach initiated by an employee, you will need evidence to support any future actions you might wish to take.
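Evidence gathered this way is only useful later if you can show it has not changed since collection. As an added example (not part of the original post), the following Python script records a SHA-256 hash and size for each gathered file at collection time and later reports anything that has since been altered or removed; the file names and log lines are constructed, hypothetical samples.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample evidence standing in for the web logs, FTP logs and user
# profiles the post says to gather (hypothetical file names and contents).
SAMPLE_EVIDENCE = {
    "web/access.log": '10.0.0.5 - - [12/Mar/2016:09:01:02 +0000] "GET /login HTTP/1.1" 200 512\n',
    "ftp/vsftpd.log": 'Tue Mar 12 09:05:00 2016 [pid 1] CONNECT: Client "10.0.0.9"\n',
    "users/profiles.csv": "username,last_login\nalice,2016-03-12T08:55:00Z\n",
}

def sha256_of(path):
    """Hash the file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, rel_paths):
    """Record the hash and size of each collected file at collection time."""
    files = {rel: {"sha256": sha256_of(os.path.join(root, rel)),
                   "size": os.path.getsize(os.path.join(root, rel))} for rel in rel_paths}
    return {"collected_at": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(root, manifest):
    """Return the files that are missing or whose size or hash no longer matches."""
    changed = []
    for rel, rec in manifest["files"].items():
        full = os.path.join(root, rel)
        if (not os.path.exists(full) or os.path.getsize(full) != rec["size"]
                or sha256_of(full) != rec["sha256"]):
            changed.append(rel)
    return changed

def demo():
    """Write the samples, build a manifest, then alter one log and re-verify."""
    root = tempfile.mkdtemp()
    for rel, text in SAMPLE_EVIDENCE.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    manifest = build_manifest(root, list(SAMPLE_EVIDENCE))
    before = verify_manifest(root, manifest)          # [] while untouched
    with open(os.path.join(root, "web/access.log"), "a") as f:
        f.write("edited after collection\n")          # simulated later change
    return before, verify_manifest(root, manifest)    # ([], ["web/access.log"])
```

Store the manifest separately from the evidence (and ideally sign or hash it in turn) so that a later change to a log file can be detected rather than argued about.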

There are steps you must take after the attack is resolved.

  1. A full-on security review.  Look at how the attack was initiated and how it progressed.  Identify the changes you need to make to your cybersecurity environment and implement them.
  2. If there are any personnel issues to be addressed, address them.
  3. Review your policies and procedures concerning cybersecurity and if required your backup and recovery regime.
  4. Review your policies and procedures concerning Business Continuity.
  5. Ensure that all employees are aware of security policies and procedures, particularly concerning removable media. The most common way in which malware makes its way into business networks is via users bringing contaminated flash drives or DVDs from home and plugging them into their office computer.
  6. Review your legal defences to ensure that your policies and procedures meet statutory requirements and demonstrate that you have taken all reasonable steps to prevent and recover from the breach. Check your legal standing and insurance cover against consequential loss.

The need for Cybersecurity will be with us for the foreseeable future.  It is more than just installing a malware and virus protection application. It is an ongoing organisation-wide programme to reduce the probability of encountering malware and user misbehaviour and to mitigate their effects where and when they happen.  The price of cybersecurity is eternal vigilance.
