We recently looked at how to guide your business through a cyber security incident: preparing a response plan, detecting an attack, eradicating the problem and following up on the event. Having covered what you should do, here’s a list of seven things you shouldn’t do.
1: Panic
When faced with a cyber security incident, it’s natural to want to detect and remove the threat to your systems and networks as quickly as possible, but it’s wise to remember the old saying: act in haste, repent at leisure.
As this article from the Digital Guardian notes, a panicked reaction to a cyberattack can lead to rash decisions being made in the interest of business continuity and of recovering full operations as soon as possible, and rash decisions are exactly what cyber threats want.
The best way to avoid such panic is to have an effective cyber security incident response plan already in place, so everybody knows exactly what they need to do, and when. If you have brought in external expertise from an IT support service to create that response plan, you are in a very strong position. If not, it is worth considering whether one is needed to handle the event, if there is any chance it could be more than your existing IT team can handle.
Hiring an outsourced IT partner with expertise in cyber security shouldn’t be looked at as an extra expense, but as an investment in your IT infrastructure and overall business security.
2: Destroy the Evidence
In the face of a cyberattack such as malware or ransomware, it can be tempting to immediately shut off all further access to your systems and servers. This is not always possible if a business wants to keep operating as far as it can, and it is also not advisable if you want to learn more about the attack so that you can tackle it properly, and even pursue the culprit.
Compromising evidence by shutting down, removing or changing your files, systems, logs, etc., means it can’t be relied upon as evidence if you want to press charges. It also means you may miss out on fully understanding the depth of the attack and the improvements you need to make in order to avoid further events.
Shutting down your server as soon as you detect a cyberattack means you are clearing the memory on that server, eliminating your ability to perform valuable forensics and analysis that will help you gather information on the level and depth of the attack.
Similarly, shutting down all systems, while the most effective way to stop a cyber security incident, does mean that you lose data containing information outlining what happened and when, leaving you in the dark regarding what data was lost, stolen or compromised.
You won’t be able to discover how the cyber threat gained access to your systems, what it attacked, how long the threat has been present, and whether it is still lurking somewhere within your network.
Before shutting down the server and systems, capture that volatile memory and those logs to an external drive that is not connected in any way to your main network.
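As an added example (not code from the article or from Optimity), the following POSIX shell script shows one way to carry out that step before anything is powered off: it records the volatile state that vanishes on shutdown (collection time, running processes, open sockets, logged-in users), copies the log directory to an evidence location, and writes a SHA-256 manifest so the copy can later be shown to be unmodified. The destination (EVIDENCE_DEST), the log directory (LOG_DIR) and the tool choices (ps, ss, who) are assumptions. It does not image RAM; a full memory image needs a dedicated acquisition tool, but the listings it records are the parts of that picture that are lost the moment the server is shut down.

```shell
#!/bin/sh
# Evidence-preservation helper: an added, constructed example, not Optimity's tooling.
# Run BEFORE powering anything off. Captures volatile state (lost on shutdown),
# copies logs to an evidence location, and writes a SHA-256 manifest so the copy
# can later be shown to be unchanged.
#
# Assumptions: EVIDENCE_DEST is a mount on a drive that is not connected to the
# production network; LOG_DIR defaults to /var/log; ps, ss and who are optional.
set -u

# capture FILE CMD...: run CMD if it is installed, saving its output to FILE.
# Never fails, so a missing tool does not abort the collection.
capture() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>/dev/null || true
    fi
}

# Record what disappears when the server is shut down: time of collection,
# kernel/host identity, running processes, open sockets and logged-in users.
collect_volatile() {
    dest="$1"
    mkdir -p "$dest/volatile"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dest/volatile/collected_at.txt"
    capture "$dest/volatile/uname.txt"     uname -a
    capture "$dest/volatile/processes.txt" ps -ef
    capture "$dest/volatile/sockets.txt"   ss -tunap
    capture "$dest/volatile/logged_in.txt" who
}

# Copy the log directory into the evidence tree, preserving timestamps and
# permissions so the copy stays meaningful for timeline reconstruction.
collect_logs() {
    src="$1"; dest="$2"
    mkdir -p "$dest/logs"
    cp -rp "$src/." "$dest/logs/" 2>/dev/null || true
}

# Hash every collected file into MANIFEST.sha256 (paths relative to the tree).
make_manifest() {
    dest="$1"
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$dest/MANIFEST.sha256"
}

# Re-check the manifest later: returns 0 if every file still matches, 1 otherwise.
verify_manifest() {
    dest="$1"
    ( cd "$dest" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Usage: EVIDENCE_DEST=/mnt/evidence/host01 LOG_DIR=/var/log sh preserve.sh
if [ -n "${EVIDENCE_DEST:-}" ]; then
    collect_volatile "$EVIDENCE_DEST"
    collect_logs "${LOG_DIR:-/var/log}" "$EVIDENCE_DEST"
    make_manifest "$EVIDENCE_DEST"
    verify_manifest "$EVIDENCE_DEST" && echo "evidence preserved and manifest verified: $EVIDENCE_DEST"
fi
```

The manifest is the part that matters most later: re-running verify_manifest against the evidence drive shows whether anything in the copy has changed since collection, which is what lets the material be relied upon when the incident is reviewed or handed to investigators.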
3: Patch Mid-Incident
While trying to find the entry point or vulnerability that let a cyber threat into your system or network, it can be tempting to patch any that you find. Doing this in the middle of the event, however, is essentially wiping evidence from the scene of the crime, which reduces the amount of information your response team has to work with to eliminate the threat.
4: Restore Your System from a Back-Up that Has Not Been Checked for Cyber Threats
In order to run a business efficiently, back-ups are usually kept as up to date as possible, but since many cyber attacks sit dormant on your system for a long time before they strike, the back-up may well contain the same infected files as your main server and systems.
This is why it is so important to ensure that your back-up is clean, before you use it to get back to business.
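As an added example (not code from the article or from Optimity), this shell function performs a minimal version of that check on a backup that has been mounted read-only somewhere off the production network. It flags any file whose SHA-256 appears on a list of known-bad hashes (for instance, the hashes of the malicious files identified during the incident) and any file written after the earliest point at which the compromise is thought to have started, since a dormant implant is most likely to be among those. The hash list, the cutoff marker file and the backup path are assumptions, and the check is a gate before restoration, not a substitute for a full scan.

```shell
#!/bin/sh
# Pre-restore backup check: an added, constructed example, not Optimity's tooling.
# Flags files in a backup tree that match known-bad SHA-256 hashes and files
# modified after the earliest suspected compromise, so a backup taken while the
# attacker was dormant is not restored unexamined.
#
# Assumptions: the backup is mounted read-only off the production network;
# BAD_HASH_FILE holds one lowercase SHA-256 per line (from IR findings or
# vendor indicators); CUTOFF_FILE is any file whose mtime marks the earliest
# suspected compromise time (e.g. created with: touch -t 202301010000 cutoff).
set -u

# check_backup BACKUP_DIR BAD_HASH_FILE CUTOFF_FILE
# Prints one line per finding; returns 0 when nothing was flagged, 1 otherwise.
check_backup() {
    backup="$1"; bad="$2"; cutoff="$3"
    findings=$(
        # 1. Known-bad content, regardless of file name or timestamp.
        find "$backup" -type f -exec sha256sum {} + | while read -r sum path; do
            if grep -qxF "$sum" "$bad"; then
                echo "KNOWN-BAD    $path"
            fi
        done
        # 2. Anything written after the cutoff: candidates for manual review.
        find "$backup" -type f -newer "$cutoff" \
            -exec sh -c 'for f; do echo "POST-CUTOFF  $f"; done' _ {} +
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    fi
    [ -z "$findings" ]
}

# Usage: BACKUP_DIR=/mnt/backup-ro BAD_HASHES=bad.txt CUTOFF=cutoff sh check_backup.sh
if [ -n "${BACKUP_DIR:-}" ]; then
    if check_backup "$BACKUP_DIR" "${BAD_HASHES:?}" "${CUTOFF:?}"; then
        echo "no findings in $BACKUP_DIR"
    else
        echo "findings above must be reviewed before $BACKUP_DIR is restored"
    fi
fi
```

A clean run means only that nothing matched the two rules; a non-zero result is the signal to have the flagged files examined (and the backup date reconsidered) before any of it goes back into production.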
5: Simply Rebuild
Not only will rebuilding your system mean you lose all data about the cyber security incident, you are also likely to reintroduce the very same security vulnerabilities that got your business into hot water in the first place. If you do this, the cyberattack is likely to rear its ugly head over and over, until you implement new and improved levels of security and upgrade your IT infrastructure.
Hiring an IT consultant is again a very wise move here. They can advise on what you need to do to safely and securely return to business as usual.
It is also advisable to save a forensic copy of your entire system before reinstalling on your server, so that you retain all of the information about the attack, but can also get back to normal operations once things are back up and running.
6: Point Fingers
Whether the source of your cyber security incident was down to human error, such as with a team member inappropriately using their own mobile device and infecting the network, or opening a malware or ransomware file, or if it was simply down to a lack of cyber security, there is little point in trying to lay the blame at anybody’s feet. At least, not until after the event has been dealt with.
Keeping your entire team on-side in order to deal with the threat is important, as is acknowledging that cyberattacks are inevitable, and more often than not, come from experienced sources who would be likely to find a way into your system at some stage. What’s more important is being able to handle the cyber threat first, and ask questions later, having performed your post-incident report and review.
After the event, you can assess and act on any weaknesses or lack of education in your cyber security culture.
7: Assume It Is All Over
Having detected and eradicated a threat, it is natural to feel like you can breathe a sigh of relief, but often a cyber attacker will move laterally through your network and systems, with their real intentions not immediately obvious. If you detected their intrusion and eradicated the threat, it is worth considering that perhaps they meant for this to happen, in order to lure you into a false sense of security.
This is why it is important to keep running security and penetration tests, and to assess what the attack could have done – where might they have gone, what might they really have been after, etc – and to act upon these possibilities by testing repeatedly in these areas.
You should also follow up by carrying out a full report and review of how the incident was handled, so that you can learn from any mistakes and improve upon them before the next attack occurs.
Again, an outsourced IT partner can help you assess any cyber security weaknesses by running an independent security audit of your IT infrastructure, and can advise on and implement the upgrades you need to keep your business secure.
In short, while a cyber security incident does require a quick response, it is often best to hold off on immediately taking drastic action that may destroy the information you need to effectively detect and eradicate the threat. Knowing what not to do will help you better handle a cyber attack if and when it happens, and by following your response plan and availing of the help of an IT support service, you will be able to get back to business in a much more efficient manner.
Find out how the team at Optimity can help your business implement an effective cyber security incident response plan by getting in touch with us, and get started by downloading our Cyber Security Checklist.