We hear it every day, and experts are always talking about it: preventing cyber-attacks is very complicated, almost impossible, so what organizations should do is work on perfecting the process to follow once they have suffered an attack, in order to regain control as soon as possible, disinfect computers, assess the damage and take the appropriate actions. The way an organization acts in a situation like this is crucial. A quick, efficient reaction makes a difference and doubtless reduces the negative effects in the long term.
Here are the main steps to follow to address this complicated task and survive a cyber-attack successfully; companies like Sony Pictures Entertainment or Home Depot are among the most notorious cases.
1. Implement a response plan.
Once an attack has been discovered, the first thing should always be to launch a suitable response plan, which should have been put in place in advance. So, if your company still doesn’t have one, you should start working on its definition as soon as possible.
Why is it important to have a plan? Because the response will be quicker. These plans should define who in the company has to act and how, which other parties (suppliers, partners) should be involved, the way each department must act, what technologies are needed to respond to the attack and even how to determine its extent, which of the company’s information has been compromised or stolen, etc.
The implementation of the plan involves, first of all, containing the attack, if it is still taking place, to stop it from affecting more systems or devices, and cleaning the ones which have already been infected. If necessary, we must take the systems offline to ensure that they are perfectly clean. We should then analyze where the data breach occurred and how, what security measures were in place (encryption, etc.) and did not work and, finally, proceed to the full recovery of the data and systems.
In addition, it is advisable to monitor these systems more closely in the hours and days after the incident, to ensure they don’t get infected again.
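One concrete way to carry out the "monitor more closely after cleaning" step is to record a known-good baseline of a remediated system's files right after it has been cleaned and re-check that baseline repeatedly in the following days, so that any file that reappears, changes or disappears is flagged for the response team. The script below is an added example written for this article, not code from the original post; the directory layout and the "dropped file" and "tampered binary" scenario it runs against are constructed in a temporary folder purely for illustration.

```python
"""Post-remediation integrity check (added example, not from the article).

Workflow assumed here: responders build a baseline of a cleaned host's
files immediately after remediation, save it, and re-run compare() on a
schedule afterwards. Any drift is reviewed by the response team.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files don't exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its hash."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: dict[str, str], path: str) -> None:
    """Persist the baseline (store it off-host in real use, so an attacker
    who regains access cannot rewrite it)."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


@dataclass
class Drift:
    """Files that differ between the saved baseline and the current scan."""
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict[str, str], current: dict[str, str]) -> Drift:
    """Classify each path as added, removed or modified relative to baseline."""
    drift = Drift()
    for rel, digest in current.items():
        if rel not in baseline:
            drift.added.append(rel)
        elif baseline[rel] != digest:
            drift.modified.append(rel)
    drift.removed = [rel for rel in baseline if rel not in current]
    for bucket in (drift.added, drift.removed, drift.modified):
        bucket.sort()
    return drift


def demo() -> Drift:
    """Constructed scenario: baseline a cleaned tree, then simulate a
    re-infection (a tampered binary and a newly dropped file)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "service"), "wb") as f:
            f.write(b"clean binary")
        with open(os.path.join(root, "config.ini"), "w", encoding="utf-8") as f:
            f.write("setting=1\n")

        baseline_path = os.path.join(root, "..", "baseline-demo.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes after the system was declared clean.
        with open(os.path.join(root, "bin", "service"), "wb") as f:
            f.write(b"tampered binary")
        with open(os.path.join(root, "unexpected.tmp"), "w", encoding="utf-8") as f:
            f.write("dropped")

        drift = compare(load_baseline(baseline_path), build_baseline(root))
        os.remove(baseline_path)
        return drift


if __name__ == "__main__":
    result = demo()
    print("clean" if result.is_clean() else f"drift detected: {result}")
```

The comparison deliberately reports three categories rather than a single yes/no, because the response team treats them differently: an unexpected new file is the most common sign of re-infection, a modified system binary suggests tampering, and a removed file may mean logs or evidence were deleted.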
2. Coordinate the team that will face the cyberattack.
As mentioned in the response plan above, it should be specified who will be responsible for dealing with the cyberattack. Now all these professionals should be set to work together. Of course, not only IT profiles and those related to information security are involved. Also involved will be the organization’s public relations and communication team, those responsible for human resources, the business units and also the directors of operations and the legal department. Above all, they must provide an efficient and coordinated response not only towards their own employees but also towards their customers, suppliers and, of course, public opinion.
3. Contact third parties.
The team responsible for responding to the cyberattack should also contact their usual IT and security suppliers and others who can help in this case, and report the incident to the national authorities and security forces.
It is also necessary to meet with the company’s legal representatives and with external experts to evaluate the possible implications regarding suppliers, customers, shareholders… On the other hand, it should be taken into account that the way in which this type of incident is communicated may vary depending on the sector and the critical nature of the affected data. For example, if the breach has occurred in the financial or health sectors, the communications must be very agile, as regulations affecting these sectors in particular already exist. In this regard, it is extremely important to document the extent of the attack, when it started and when it ended, which information was compromised or stolen, etc.
4. Transparency and communication.
These two requirements are essential after a security incident. Silence only creates uncertainty and mistrust and can have extremely negative effects on the company’s image. Communication with employees, customers and partners must be constant after a cyberattack. They have to know the extent of the incident and whether they have to take any action (for example, changing the passwords used to access the service, as Evernote did after they suffered an attack), and even whether employees’ emails or other personal information (see the Sony Pictures case), or that belonging to customers, was accessed. There are experts who suggest psychological help might be beneficial.
In addition to communicating these issues through the relevant channels (not only by email but also by telephone, etc.), if the cyber-attack is large a call center may be established to provide information and indicate what steps the affected individuals should follow. It is even necessary to devise a strategy to monitor social media in order to analyze how the cyberattack is affecting the company’s image, and also to use this channel to respond with transparency in order to build trust.
5. Learn the lesson.
No company wants to experience this type of situation, but if it has been affected by an incident of this magnitude, it is best to look on the bright side, take note and learn the lesson. Every cloud has a silver lining, and a company should learn from an experience like this, apply best practices to avoid a similar situation in the future and improve its capacity to react should it happen again.