It’s a business’s worst nightmare to be hacked or exposed to vicious malware that renders its website ground zero for identity theft and data loss. Small and unprepared companies may buckle under the weight of the digital crisis, going bankrupt as their reputation plummets along with their stock and customer count. Protecting customers from hackers should be a top priority for every enterprise company. A breach doesn’t have to be the end of the world, however. With an incident response plan in place, breaches can be handled quickly and efficiently.
Ideally, businesses should have an incident response plan in place to dictate what actions should be taken in the event of a breach and how that process should be handled from discovery to resolution. Following the steps of this plan should be your first action in the disaster recovery process. Depending on the nature of the cyber attack, and how it was discovered, you may have to take an approach unique to the situation.
Once the intrusion has been discovered, your company has to notify the right people.
Notification is only partly about protecting those affected. If, for instance, the FBI contacted you about the data breach, you would need to call the company’s legal officer. Likewise, if the breach involved the loss of trade secrets and other critical corporate data, you would have to notify the executive board. Whom you notify about the situation will change according to the severity of the breach and the kind of data that was stolen.
Communication is the key lesson in this stage. Not all breaches require notification, especially if the information was encrypted, there is no belief that the information was misused, or the data did not contain personally identifying information. Pay attention to the notification laws in your state while deliberating on whether it’s in your company’s best interest to disclose the breach.
The first 24-48 hours following a breach are the most critical for gathering information about the infected hardware, the source of the hack, and the quality, quantity, and nature of information that was stolen. Having this knowledge will inform the rest of your response team’s actions, and your decisions will be reactions to evidence as it becomes available.
Once you have information to work with and can start to answer the how, when, and what of the breach, your response team can formulate a plan. This specific plan is separate from the disaster recovery plan as it pertains to the breach and will address repairing the vulnerabilities. The strategy has to include communication and a technical analysis, defining what roles are required to learn more about the affected hardware.
Part of this strategy will also be discussing the recovery process—how business can resume as normal, accessing backups, tweaking network settings, and re-imaging any corrupted machines as necessary.
The first two to four hours are crucial for finding evidence of intrusion, or indicators of compromise. Triaging affected systems consists of tapping any available event log, file system, or piece of data that lets your team create a detailed timeline of how the corruption started and where.
Once the response team has identified these indicators, they can use them to hunt down any other points of intrusion. This lets them build a profile of the vulnerabilities in the network, and understand how a hacker may have gained access to the system, whether through a phishing email or malware hidden in a web link.
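The triage and hunting steps above can be sketched in a few lines. The following is an added example, not part of the original article: it merges two log sources into one UTC-ordered timeline, then sweeps that timeline for a known indicator to find which other hosts need scoping. The host names, log formats, and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample data: two log sources from two hypothetical hosts.
AUTH_LOG = """\
2024-03-04T02:14:09Z web01 sshd: Failed password for admin from 203.0.113.50
2024-03-04T02:14:31Z web01 sshd: Accepted password for admin from 203.0.113.50
2024-03-04T02:40:12Z db01 sshd: Accepted password for backup from 198.51.100.7
2024-03-04T03:02:55Z db01 sshd: Accepted password for admin from 203.0.113.50
"""
WEB_LOG = """\
203.0.113.50 [04/Mar/2024:02:09:44 +0000] "POST /login HTTP/1.1" 200 web01
198.51.100.23 [04/Mar/2024:02:11:02 +0000] "GET /index.html HTTP/1.1" 200 web01
203.0.113.50 [04/Mar/2024:02:20:18 +0000] "GET /export?table=customers HTTP/1.1" 200 web01
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (.+ from (\S+))$")
WEB_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]+)" (\d{3}) (\S+)$')

def parse_auth(text):
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield {"time": ts, "host": m[2], "source": "auth", "ip": m[4], "detail": m[3]}

def parse_web(text):
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
            yield {"time": ts, "host": m[5], "source": "web", "ip": m[1], "detail": f"{m[3]} -> {m[4]}"}

def build_timeline(*event_streams):
    """Merge events from every source into one UTC-ordered timeline."""
    events = [e for stream in event_streams for e in stream]
    return sorted(events, key=lambda e: e["time"].astimezone(timezone.utc))

def sweep(timeline, indicators):
    """Return events matching any indicator, plus the set of hosts they touched."""
    hits = [e for e in timeline if e["ip"] in indicators]
    return hits, sorted({e["host"] for e in hits})

if __name__ == "__main__":
    timeline = build_timeline(parse_auth(AUTH_LOG), parse_web(WEB_LOG))
    hits, hosts = sweep(timeline, {"203.0.113.50"})
    for e in hits:
        print(e["time"].isoformat(), e["host"], e["source"], e["detail"])
    print("hosts to scope:", hosts)
```

Normalizing every source to UTC before sorting matters in practice, because hosts logging in different time zones otherwise produce a timeline with events out of order.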
Your response team will use the data collected to develop a remediation plan, which defines how they will purge all traces of the hacker’s presence from the network. During this stage, it’s very important to make it as easy as possible for the response team to do their job. The task of managing and handling the breach is their number one priority and everything else should be set aside until the network is secure and stable once more.
Having your business breached and the integrity of your network compromised is never a good thing, but if it ever happens to you, the response team can take it as a lesson learned. They can apply the data they’ve collected and their experience handling the breach to a revised disaster recovery plan for future security issues.
Your company as a whole can benefit from the information its response team uncovered during their investigation. It could be used to better prepare and safeguard everyone from being unwitting accomplices in any future cyber-attacks.
CEO and Founder at Mighty Shouts.