Cyber attacks can have a devastating impact on your business. A successful attack can lead to financial repercussions such as theft of money or information, disruption of operations, and loss of business due to the reputational damage that comes with falling victim to a cyber-criminal. After a cyber attack, businesses also have to deal with the cost of recovery, of reporting the attack to the authorities, and of any legal proceedings. It is important that your business knows what to do in the event of a cyber-attack or data breach.
According to the ACSC Cyber Threat Report 2020-2021, self-reported financial losses in Australia-based cybercrime reports during the last financial year totalled more than $33 billion (AUD). These costs can be greatly reduced or even avoided if your business has an Incident Response Plan (IRP) in place.
What is Incident Response?
The term Incident Response refers to the processes and policies an organisation uses in response to a cyber incident such as an attack or data breach. The goal of Incident Response is to mitigate the damage of an attack, that is, to reduce the recovery time, effort, costs and reputational damage associated with a cyber-attack or data breach.
What is an Incident Response Plan?
Every organisation should have an Incident Response (IR) plan that helps it identify, contain and eliminate cyberattacks. IR plans outline what constitutes an attack and provide organisations with a clear guide on what steps should be taken if an incident occurs.
Although not all cyber attacks are the same, and each needs to be handled differently, there are a number of general steps that your business or information security team needs to take in the event of a cyber attack.
Below are six key steps to consider when facing a cyber-attack or data breach:
1. Identify the type of cyber threat
The first step in dealing with a cyber attack is to identify what kind of attack it is, along with its extent and origin. By doing this, your information security team can implement the appropriate strategy to limit the damage the attack has on your business.
For example, if your business was dealing with a ransomware attack, employees might be seeing pop-up messages demanding payment to unlock files on their systems, employees might have their access to their devices revoked or might be unable to log in to their accounts. On the other hand, if performance on computers is heavily degraded and servers are extremely slow to respond or even down, you might be dealing with a DDoS attack.
Each type of cyber attack requires a different response, so identifying the threat is an essential first step. Once it is identified, your information security team needs to determine whether the problem is isolated or spreading; if it is spreading, how that is happening; and how best to neutralise it.
2. Prevent the breach from spreading and neutralise it
The next step is to contain the breach. Many attacks are designed to provide attackers with a backdoor into an organisation’s systems and networks so that they can extract valuable data unnoticed over time or even carry out additional cyber-attacks from within. In fact, according to IBM’s Cost of a Data Breach Report 2020, it took businesses up to nine months to discover a data breach; in that time cybercriminals can do irrevocable damage.
This is why it is important for information security teams to identify what has been accessed and how, and to shut all such access down to prevent malicious actors from carrying out any further harm. This may involve disconnecting affected systems or networks from the internet, changing users’ login credentials, disabling remote access and even rerouting network traffic. By quarantining the attack as much as possible, security professionals can work towards neutralising the threat.
3. Assess and repair the damage
Once the threat has been neutralised, it is important to review systems and networks to determine how best to reduce any further risk. This involves checking all data to determine whether any of it is affected or missing, and finding out whether it is recoverable. It is essential to ensure that restored data does not lead to reinfection, so it is best to grant access only to critical personnel who have the authority to approve restored functionality.
Infrastructure may also need to be reconfigured; for example, operating systems and programs might need to be reinstalled or hardware replaced. In addition, as part of the review, information security teams need to patch all vulnerabilities, especially the ones that led to the data breach or attack. Before the affected systems are brought fully online and reconnected to the network, the information security team should test that everything is functioning properly and that the cyber threat is fully neutralised.
4. Report the attack to the authorities
It is important to notify the authorities of any cyber-attack or data breach. In Australia, the Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security; its role is to help make Australia the most secure place to connect online.
The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations. It also uses reported incidents to identify trends and maintain an accurate picture of the threat environment, which helps it develop new and updated cyber security advice, capabilities and techniques to better prevent and respond to evolving cyber threats.
5. Communicate with customers
One of the final steps in handling a cyber attack is to inform customers of the data breach or security incident. It is important to maintain public trust, and one way to do that is to be transparent during an attack. Under the Notifiable Data Breaches scheme run by the OAIC (Office of the Australian Information Commissioner), an organisation or agency that must comply with Australian privacy law has to tell its customers if a data breach is likely to cause them serious harm. Identity theft, which can affect a customer’s finances and credit report, financial loss through fraud, and reputational damage are all considered serious harm to an organisation’s customers.
Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm. However, if an organisation successfully reduces the chance of serious harm after a data breach, it does not need to inform customers.
6. Reflect and learn
The final step is to conduct a thorough investigation of the security incident to ensure that it does not happen again: what did your information security team do well in its response, and what could be done better if another attack happens? It is important to identify the areas of your cybersecurity strategy that need improvement so that future attacks can be avoided.
How can StickmanCyber help?
Let StickmanCyber help you get a plan in place to ensure the safety of sensitive business assets and minimise damage, disruption and data loss. Learn more and contact us today.