

Author: Gary Hibberd

Date: 30th July 2020


Imagine you’re awoken to find that your servers are all down. Clients have begun emailing you to ask why they can’t access the system you provide, and you have a voice message asking you to call your IT Manager, because “We’ve been hacked and all our Data is encrypted.”

The next email you open is from the Hackers.

“Hi… As you are possibly aware, the lack of security on your systems has allowed us to gain access to your systems and services. All files are encrypted and require a unique key to access the information. The cost of this key is just 2 bitcoins. You can purchase bitcoins by visiting this site [Name]. Once purchased, please click on the following link to complete the transaction and receive the key. [LINK]”

This scenario is something that I, and the team at Cyberfort, have had relayed to us on several occasions over the years, and it is a scenario we have increasingly heard over recent months.


Rise of Cybercrime

It’s a fact of life that our use of, and reliance on, technology is leaving us open to attack from criminals. They see gaps in our knowledge as windows of opportunity. But if you’re still thinking that the likelihood of being a victim of Cybercrime is low, could I ask how likely you think it is that someone in your business makes a mistake?

Imagine receiving a call from an angry client who tells you that they’ve received an invoice which has other client details on it. Not only are they concerned about who might have received THEIR data, but they want to know why this client is receiving a lower rate for services than they are.

How did this happen? It transpires that a clerical error has meant that your finance team sent the invoices to the wrong clients. According to a survey conducted by ‘Information Security Magazine’, human error was the cause of 90% of breaches in 2019.


Data breach; What do you do?


So if the risk of a Cyberattack has increased, and there is a strong likelihood that someone could cause a Data breach; What do you do when it happens?

Most organisations have considered Business Continuity in the past, but many of the contingency plans focus on recovery measures, rather than incident response.  Incident Response Plans (IRP) can be a part of your BC Plans, and they don’t have to be complicated. Here are our five steps to help you respond to a Cyberattack or Data Breach.


Stop; Don’t Panic

This may sound obvious, but it’s important to try not to panic or rush into action. We are no longer facing the risk of being eaten by a T-Rex, but our reptilian brain still responds to danger in the same way. If something is threatening our business, it is understandable that our brains will leap to ‘fight’, ‘flight’ or ‘freeze’ modes of thinking.

We have seen organisations make decisions at the outset of a Cyberattack which have led to the damage increasing, as their reactions prompted the criminals to take further action.


Gather Intel

When faced with an email or call that claims to be from an attacker, or from an angry client, your job is to find out as much as possible about what has happened. Remember that this is about gathering intelligence on what has occurred, that led you to this situation.

Situational Awareness is the term used in risk management, but I believe that, before taking any action, it’s important to be fully aware of the current situation. You need to establish:

– What has happened

– When it happened

– What has been affected

– Who is involved

– Who is at risk

– What is the risk and impact

– What is the impact on clients

– What is the impact on your team and business

Notice we aren’t (at this stage) interested in who is to blame. Don’t play the ‘blame game’. Mistakes happen, and they should be fully understood so that you can reduce the likelihood of a repeat event in the future. But discovering the root cause is for later.

When faced with a call or email stating that an incident has happened, simply running through these eight questions will give you full situational awareness. 


Build a team

Once you have a full understanding of what has happened, you need to know who to gather around you and who you need to speak to. Of course this depends on what has happened, but managing through a major incident can often include these groups. 



– IT support

– Cybersecurity support

– Operations

– Communication specialists



– Action Fraud

– Bank

– Insurer

– Information Commissioner’s Office (ICO)

One person can’t know everything, so bringing a team of people together to help you navigate this event means that you can get the best from everyone. Of course it’s better to have all the above people/organisations identified first, and then you can ensure they are trained (where necessary), and you have their contact details to hand.


Build your Action plan

Now you have good situational awareness, and you have a team around you, you can decide on the most appropriate action to take. This does not replace your BC plan, but now you are faced with more certainty, you can identify critical actions to take, and the order in which they should be carried out. 

You may rely on your BC Plans, but you may also find that actions you need to take now are completely different.

Agree what the priorities are, and what resources you need.


Go back to step 1

Now that you’ve started to take action, you should return to step 1 – Stop; Don’t panic. Keeping a cool head will ensure the actions taken are measured and proportionate. By cycling through these steps, you are more likely to respond effectively to a Cyberattack or Data breach.



When you have a breach, or there is a Cyberattack, it can be tempting to leap into action, but of all the steps outlined above, I would suggest the most important is ‘Don’t Panic’. But it’s not only ‘Don’t panic’; It’s “Stop”.

Before you leap into action, you need to stop and think carefully about the steps you’re about to take. I have seen a bad situation turn into a nightmare because the head of the business took actions without thinking deeply about the impact of their actions.

Finally, it’s worth remembering that this is all about ‘Incident Response’, not ‘Incident Reaction’. When we react to a situation, it tends to come from an emotional mode of thinking. However, a well-thought-through response to a situation is likely to result in a much more favourable outcome for everyone.
