What you should do if your business is hit with a cyber attack
Cyber attacks against businesses are increasing - so what should you do if you become a victim?
The Covid-19 pandemic has led to a paradigm shift in how businesses operate, accelerating the move to digital and online operations.
With that shift has come, sadly but inevitably, an increase in the number of businesses that are being targeted by cyber criminals.
The statistics for 2020 make for uncomfortable reading. Last summer, at the height of the pandemic, the FBI reported it was receiving more than 4,000 complaints about cyber attacks each day, up 400% from what it was seeing pre-Covid. Interpol, too, reported a huge surge in reports of attack attempts aimed at SMEs, major corporations, governments and critical infrastructure.
The most worrying increase has come in the form of corporate ransomware attacks, where criminals hold your company’s data (including customer data) or network hostage until they are paid. From Honda to Garmin and Cognizant to Travelex, ransomware attacks have crippled businesses, with Security Boulevard reporting that 58% of affected businesses ended up paying the attackers just to regain control of their systems.
Unfortunately, most cybersecurity experts – including DataStream’s own team of analysts – now position corporate cyber attacks as an almost inevitable event that businesses should prepare for. Even with the best and most expensive cyber security technology protecting your systems, the chances are a cyber attack can and will find its way through at some point.
So, what should you do if your business is hit by a cyber attack, what do you need to do to protect your business and its customers, and what steps will you be advised to take?
The good news for customers of DataStream is that we should be your first port of call, and as part of your policy and claim process, what follows in this article is exactly what we will do for you. But not everyone will have this level of cyber insurance – or indeed cyber insurance at all – in place. In which case, these are the steps you need to take.
Call your experts
It sounds like obvious advice, right? But the reality is that when you discover your business has been the victim of a cyber attack, there is a whole heap of actions you need to take to protect yourself and your customers, to minimise damage and financial loss, and to get you back up and running again as soon as possible.
A lot of business owners will try to manage the incident response themselves, but as an insurer, and as one of those businesses dedicated to dealing with the aftermath of an attack, we would always recommend getting the experts in: aside from anything else, it immediately offers you a further level of protection. So, the first step we at DataStream would recommend is to call your cyber insurance provider straight away, or to check whether your other insurance policies cover this type of incident and, if they do, call them. A strong cyber insurance partner will be able to help you bring in the expertise you need to contain and manage the situation and prepare you and your team for the next part of the process.
Get specialist legal advice
Undoubtedly, whether (hopefully) through your insurer, or failing that independently, the next step should be to engage legal advice.
Cyber attacks are not victimless crimes. Individuals and businesses suffer horrendous impact because of the actions of threat actors, from data breaches to financial losses. Accordingly, there are very specific regulatory requirements businesses must meet, both for how they store users’ sensitive information and for how they alert and protect the owners of that data in the event of an incident.
Getting these responses right in the aftermath of an attack can be the difference between your business surviving or failing – and a specialist law firm should be engaged immediately to help you navigate through this situation.
The following steps are the actions we would expect a business to need to take in the immediate aftermath of an attack – but (and we cannot stress this enough) these are actions we would advise companies take in collaboration with specialist experts who can direct the response and monitor its effectiveness. In other words, unless you are that expert, don’t try and do this yourself.
Contain the breach
The first step is, working with your cyber security providers, whether in-house or a Managed Service Provider, to try to contain the breach. This doesn’t mean deleting everything on your IT systems or turning all your computers off – quite the opposite. The live state of those machines (running processes, memory, logs) is evidence that security analysts will need in order to figure out what happened, when and where, and powering a machine off destroys much of it. Isolating a machine from the network preserves that evidence; wiping or rebooting it does not.
Instead it means they will try to shut down – as much as possible – the criminals’ entry routes. So, for example, they will work to disconnect your internet gateways, disable remote access, and check and amend firewall settings. You will also be asked to advise any staff working remotely to do the same for any personal devices they use to access work IT environments.
Changing passwords is also critical, and the new passwords should be as strong and complex as possible. This should cover every credential the attacker may have captured, including service accounts, API keys and remote-access tokens, not just the accounts of the people who noticed the incident, and it should happen after the attacker’s access has been cut off: credentials rotated while an attacker still has a foothold can simply be captured again.
Assess what happened
The second step to take is usually for the experts to assess the breach – what happened, when, where and how. At this stage – depending on your scale as a business and the amount and sensitivity of data you hold – you will often be asked or required to bring in specialist cyber investigators or forensic data teams. Your MSP or cyber security provider will be able to help you identify providers that can help with this, or if you are part of the DataStream family, we will help.
Either way, the key for them is to figure out who had access to the servers that were breached, what the attackers’ route in was (in other words, which network connections were online and available when the attack occurred) and how the attack was initiated – how did they get in.
Your MSP or internal security team will be able to help with this, so that everyone involved understands what happened, by checking security logs, login records, and the alerts raised by intrusion detection and other protective systems.
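To make the log review concrete, here is a small triage script of the kind an analyst might run over exported login records to answer the three questions above: which source first got in, when, and which accounts that source touched. This is an added example, not code from the article or from DataStream; the syslog-like line format, the trusted address range (10.20.0.0/16) and the sample log lines are all constructed for illustration.

```python
"""Post-incident login triage over constructed auth-log lines.

Added example, not DataStream's code. Assumed line format:
  "<ISO timestamp> <host> auth: <Accepted|Failed> password for <user> from <ip>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample data: a password spray from one external address that
# eventually succeeds, plus ordinary logins from the office range.
SAMPLE_LOG = """\
2021-03-01T08:02:11 vpn01 auth: Accepted password for alice from 10.20.0.15
2021-03-01T08:05:40 vpn01 auth: Accepted password for bob from 10.20.0.22
2021-03-01T22:14:01 vpn01 auth: Failed password for admin from 203.0.113.45
2021-03-01T22:14:03 vpn01 auth: Failed password for alice from 203.0.113.45
2021-03-01T22:14:06 vpn01 auth: Failed password for bob from 203.0.113.45
2021-03-01T22:14:09 vpn01 auth: Failed password for carol from 203.0.113.45
2021-03-01T22:14:12 vpn01 auth: Failed password for dave from 203.0.113.45
2021-03-01T22:14:15 vpn01 auth: Accepted password for carol from 203.0.113.45
2021-03-01T22:31:50 fs01 auth: Accepted password for carol from 203.0.113.45
2021-03-02T07:58:30 vpn01 auth: Accepted password for alice from 10.20.0.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed: the corporate address range from which logins are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_log(text):
    """Return a list of event dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_logins(events, window=timedelta(minutes=10), min_failures=3):
    """Flag successful logins that come from outside the trusted ranges or that
    follow at least min_failures failed attempts from the same source within
    `window`. Returns one dict per flagged login, in time order."""
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        reasons = []
        if len(recent) >= min_failures:
            reasons.append(f"{len(recent)} failed attempts in preceding {window}")
        if not is_trusted(ip):
            reasons.append("source outside trusted ranges")
        if reasons:
            findings.append({"ip": ip, "user": ev["user"], "host": ev["host"],
                             "ts": ev["ts"], "reasons": reasons})
    return findings


def accounts_touched_by(events, ip):
    """Every account a source address tried, whether or not it got in."""
    return sorted({e["user"] for e in events if e["ip"] == ip})


def earliest_compromise(findings):
    """The first flagged success: the initial estimate of when they got in."""
    return min(findings, key=lambda f: f["ts"]) if findings else None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_suspicious_logins(evs)
    first = earliest_compromise(found)
    print("Earliest suspicious login:", first["ts"], first["user"], "from", first["ip"])
    for f in found:
        print(f["ts"], f["host"], f["user"], f["ip"], "; ".join(f["reasons"]))
    print("Accounts tried from", first["ip"], "->", accounts_touched_by(evs, first["ip"]))
```

On the sample data the script flags the 22:14:15 login as carol from 203.0.113.45 (five failures in the preceding ten minutes, untrusted source) and the later login to fs01 from the same address, and lists every account that address tried. Real investigations work from far larger exports, but the questions are the same: first untrusted success, the accounts it touched, and what that source did afterwards.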
Understand the impact of the breach
This aspect is critical. As a business, you need to quickly, and accurately, understand who has been affected by the breach, what data may have been stolen or copied, and whether financial damage has been done. Have customers, employees, clients or third-party vendors had their data taken, and how sensitive was that data? This last point is vital to knowing the further steps you will have to take as a business, both in terms of reporting to the right authorities and in communicating effectively with those impacted.
Communicate the breach to the authorities
Now you understand – or are beginning to understand – what has happened, it’s time to start telling other people what has happened. Again, what you should say, and to whom and when, are areas that your legal counsel combined with your cyber security response team, should advise you on. Don’t act without seeking their guidance first.
- Report the incident to the Internet Crime Complaint Center (IC3). Your response team will help you, and the right pathway is here: https://www.ic3.gov/
- The IC3 will need to know a range of information, which you can find on its website. It will ensure the information you give is shared with other authorities.
- You should also report the incident to your nearest FBI office, or report it centrally at tips.fbi.gov.
- Additionally, you should inform your local police department as soon as possible and explain the potential risks posed, especially around things like identity theft if personal data has been exposed.
Notify customers and businesses, and develop a communications plan
The laws governing when, where and how a customer whose data has been stolen should be notified, and what steps you, as the guardian of their data, must take, are complex. Again, an experienced cyber insurer like DataStream will have the expertise needed to help you get this step right, first time.
The initial thing to remember is that these laws, which vary by state (there is currently no general federal data breach notification law, although sector-specific rules such as those for health and financial data do exist), are designed first and foremost to allow impacted customers and other third parties to take steps themselves to mitigate the risk posed by criminals having their data. The laws are also there to act as an incentive for companies to strengthen their IT and data security.
Most states have clear policies on breach notification and what you must tell your customers. But in general people need to know:
- how it happened
- what information was taken
- how the thieves have used the information (if you know)
- what actions you have taken to remedy the situation
- what actions you are taking to protect individuals, such as offering free credit monitoring services
- how to reach the relevant contacts in your organization
Working with law enforcement teams, you should also be looking to give people information that can help them minimise their exposure and mitigate threats. For example, what steps they can take if their social security numbers have been exposed, information on identity theft recovery, how to file complaints, and how you will contact them in future (so that they can distinguish your genuine follow-up from phishing attempts that exploit the breach).
The Federal Trade Commission has a detailed set of guidance for businesses that have experienced data breaches, including model letters to send to affected customers.
Ultimately, everything you do post-incident is aimed at limiting the damage from the data that has been stolen, protecting everyone who is impacted, getting your business operating safely again, and ensuring law enforcement agencies have the best opportunity possible to find those responsible and bring them to justice.
Experts like DataStream are ideally placed to help organisations recover in the aftermath of an event – and of course our insurance policies are designed with business continuity in mind from the start.