How to act after a cyber-attack


We hear it every day, and experts are always talking about it: preventing cyber-attacks is very complicated, almost impossible, so what organizations should work on is perfecting the process they follow once they have suffered an attack, in order to regain control as soon as possible, disinfect computers, assess damage and take the appropriate actions. The way an organization acts in a situation like this is key. A quick, efficient reaction makes a difference and, without a doubt, reduces the negative effects in the long term.

Here are the main steps to follow to address this complicated task, which companies like Sony Pictures Entertainment or Home Depot, some of the most notorious cases, have had to face, and to survive a cyber-attack successfully.

1. Implement a response plan.

Once an attack has been discovered, the first thing to do should always be to launch a proper incident response plan, which should be set in advance. So, if your company still doesn’t have one, you should start working on its definition as soon as possible.

Why is it important to have a plan? Because the response will be quicker. These plans should define who in the company has to act and how, which other parties (suppliers, partners) must be involved, the way each department must act, what technologies are needed to respond to the attack and even how to determine its extent, which company information has been compromised or stolen, etc.

Implementing the plan involves, first, containing the attack, if it is still taking place, to keep it from affecting more systems or devices, and cleaning the ones already infected. If necessary, the systems must be stopped to ensure that they are perfectly clean. The next step is to analyze where the data breach occurred and how, and which security measures were in place (encryption, etc.) and did not work. Finally, proceed to the total recovery of the data and systems. In addition, it is advisable to monitor these systems more persistently, especially in the moments and days after the incident, to ensure they don’t get infected again.

2. Coordinating the team that will face the cyberattack.

As mentioned above, the response plan should specify who will be in charge of facing the cyberattack. Now it is time to set all those professionals to work together. Of course, it is not only IT and information security profiles that are involved. So are the organization’s public relations and communication team, those responsible for human resources, the business area and management directors, and the legal department. Together they must provide an efficient and coordinated response, not only towards their own employees but also towards their customers, suppliers and, of course, public opinion.

3. Contacting third parties.

The team responsible for responding to the cyberattack should also contact its usual IT and security suppliers and others who can help in this case, and report the incident to the national authorities and security forces.

It is also necessary to meet with the company’s legal offices and with external experts to evaluate the possible implications regarding suppliers, customers, shareholders… taking into account that the way of communicating this type of incident may vary depending on the sector and the critical nature of the affected data. For example, if the breach has occurred in the financial or health sectors, communication must be very agile, as there are already protection regulations in place which affect these sectors in particular. In this regard, it is important to document the extent of the attack, when it started and when it ended, which information was compromised or stolen, etc.

4. Transparency and communication.

These two requirements are essential after a security incident. Silence only creates uncertainty and mistrust and can have extremely negative effects on the company’s image. Communication with employees, customers and partners must be constant after a cyberattack. They have to know the extent of the incident and whether they have to take any action (for example, changing the passwords to access the service, as Evernote indicated after the attack it suffered). In cases where emails or other information belonging to employees (see the Sony Pictures case) or customers was accessed, there are even experts who suggest psychological help might be good.

In addition to communicating these issues through the several channels that are relevant (not only email but also telephone, etc.), if the cyber-attack is powerful a call center may be established to give the affected individuals information and tell them what the next steps are. It is even necessary to put in place a strategy to monitor social media, to analyze how the cyberattack is affecting the company’s image and also to answer through this channel, showing transparency to build trust.

5. Learn the lesson.

No company wants to experience this type of situation, but if it has been affected by an incident of this magnitude, the best thing to do is look on the bright side, take note and learn the lesson. Every cloud has a silver lining, and from an experience like this a company should apply best practices to avoid a similar situation in the future or improve its reaction capacity if it happens again.

The post How to act after a cyber-attack appeared first on MediaCenter Panda Security.
