What to Do After a Cyber Attack or Data Breach: 7 Step Plan
There has been a Cyber Attack on your business – now what?
“Cyber Attack” is such a broad term these days; it can include anything from a virus shutting down your entire system, to an attacker threatening to steal and release confidential information if you don’t pay their ransom. The results can also vary – privacy breaches that lead to lawsuits and fines, loss of important files or information, and financial loss due to fraud or theft are only some of the losses that can result from a cyber event.
What is a Cyber Attack or Data Breach?
A cyber attack is usually associated with some sort of event that causes a loss, such as the outbreak of malware or other invasive software, cyber extortion or ransomware, and social engineering. A cyber event can also cause a data breach, which occurs when personal information an organisation holds is lost or subjected to unauthorised access or disclosure.
Companies are encouraged to do everything in their power to prevent a cyber attack from ever occurring, but these are inevitably going to happen to most companies at some point – 1 in 4 companies experience a cyber attack at least once according to recent statistics. This is why it is necessary to have some kind of cyber incident response plan, or at least an idea of what to do if you experience a cyber attack or data breach.
7 Step Plan on What to Do Following a Cyber Event
1. Identify The Breach
This may seem like an obvious step, but cyber breaches often occur without the victim even noticing – an attacker can sit in your system or on your computer for months before the actual attack occurs. Identifying the breach can range from something as simple as training staff to recognise a breach when it happens, to implementing sophisticated breach prevention software. No matter how this is done, it is important to identify a breach quickly, so you can respond to it right away. Once you’ve realised that a breach has occurred, you’ll need to identify what has happened and proceed to the next step – at this point you can contact your incident response team.
2. Contact Incident Response Hotline
Who do you call in the event of a cyber attack?
One of the main reasons we recommend purchasing a Cyber Insurance policy is because it gives you immediate access to a 24/7 emergency hotline, so you have somebody to call in the event of a breach. This puts you in touch with experts who can sort out the problem efficiently and effectively – and the policy will pay for their services if the claim is accepted.
3. Contain The Breach
At this point you have identified the breach, and if you have a cyber insurance policy, contacted the nominated incident response team; now you need to contain the breach, so it doesn’t get any worse. This step is typically handled by the incident response team or your internal/external IT team.
There will be certain steps the IT team (yours or the one nominated by the emergency response team) will take to restore your system’s security and resolve the breach; this can include:
- Removing access to internal systems or changing passwords if a user’s account details have been compromised;
- Taking parts of or your entire system offline;
- Implementing temporary firewalls;
- Blocking traffic to your website; or
- Transferring important files to a secure location.
This can be a complicated process, which is why it’s important to have access to the specialists who can handle the situation appropriately and mitigate the problem before it potentially gets too severe.
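As an added illustration of the first containment action listed above (revoking access when a user’s account details have been compromised), the following Python helper is example code written for this article; it is not KBI’s tooling or that of any incident response team. It assumes a Linux host where the standard `usermod` and `pkill` commands are available, and it defaults to dry-run mode so the runbook can be rehearsed without touching a live account. Every step is recorded with a UTC timestamp, so the forensic investigation in step 4 has an accurate record of what responders changed and when.

```python
"""Containment runbook helper for a compromised Linux user account.

Added example for this article (not the article's or any vendor's code).
Assumptions: a Linux host with `usermod` and `pkill` on PATH, run as root
when dry_run=False. In dry-run mode nothing is executed; the commands are
only recorded, which is how the runbook should be rehearsed in advance.
"""
import datetime
import re
import shlex
import subprocess
from typing import Dict, List

# Only accept conventional local usernames, so a malformed value copied from
# an alert can never turn into an unexpected command line.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def _utc_now() -> str:
    """Timestamp every action so the forensic timeline (step 4) stays accurate."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def containment_commands(username: str) -> List[List[str]]:
    """Return the ordered commands that revoke a compromised account's access."""
    if not _USERNAME_RE.match(username):
        raise ValueError(f"refusing to act on unexpected username {username!r}")
    return [
        # Lock the password so interactive and password-based logins stop.
        ["usermod", "--lock", username],
        # Expire the account (a date in 1970) so key-based SSH logins stop too.
        ["usermod", "--expiredate", "1", username],
        # Terminate any sessions or processes the attacker may already have.
        ["pkill", "-KILL", "-u", username],
    ]


def contain_account(username: str, dry_run: bool = True) -> List[Dict[str, str]]:
    """Run (or, in dry-run mode, only record) the containment steps.

    Returns an evidence log: one entry per command with its UTC timestamp,
    the exact command line, and the outcome. The account is never deleted:
    its files are evidence for the investigation and must be preserved.
    """
    log: List[Dict[str, str]] = []
    for cmd in containment_commands(username):
        entry = {"time": _utc_now(), "command": shlex.join(cmd)}
        if dry_run:
            entry["result"] = "dry-run"
        else:
            proc = subprocess.run(cmd, capture_output=True, text=True)
            # pkill exits 1 when there was nothing to kill; that is still success here.
            ok = proc.returncode == 0 or (cmd[0] == "pkill" and proc.returncode == 1)
            entry["result"] = "ok" if ok else f"failed: {proc.stderr.strip()}"
        log.append(entry)
    return log


def format_evidence_log(log: List[Dict[str, str]]) -> str:
    """Render the log as one line per action for the incident file."""
    return "\n".join(f'{e["time"]}  {e["result"]:<8}  {e["command"]}' for e in log)


if __name__ == "__main__":
    # Rehearsal against a constructed username; nothing is executed.
    print(format_evidence_log(contain_account("alice", dry_run=True)))
```

Changing the password is deliberately not part of the automated steps: a locked and expired account is a cleaner containment state than a new password the attacker might still be able to reset, and the decision to re-enable the account belongs to the recovery step once the investigation has confirmed how access was obtained.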
4. Investigate The Breach & Assess The Impact
You have contained the breach, but still don’t know exactly what happened or the extent of the damage. This is when you would typically engage a forensic IT specialist to dig into the cause and effect of the cyber event. Once the forensic IT specialist has identified what occurred and the scope of the breach, you’ll be able to plan from there how to respond to the event.
5. Recover Data & Systems
Once you have contained and eradicated the breach, you can begin the process to recover your IT networks, systems, and data to continue operating. Companies with a business continuity or disaster recovery plan would likely have a specific recovery plan incorporated for these types of situations. However, even if you don’t have a formal plan, your process should include the following:
- A plan to restore systems to normal operation
- A process of continual monitoring to confirm that the affected systems are functioning normally
- A plan (if applicable) to remediate vulnerabilities to prevent similar incidents.
This is something your IT team should be able to assist with.
6. Communication & Notification
This step relies heavily on timing – it is important to hold off on certain communication (e.g. with clients, service providers, or those affected by the breach) until you know exactly what happened and the scope of the damage. In addition, you may also have specific notification requirements with associated timelines – we recommend you be aware of these in advance, to avoid missing deadlines and getting hit with fines and penalties.
- Communicating with Clients & Service Providers:
This depends on the impact of the cyber incident – sometimes the event doesn’t warrant communication with these parties, in which case it is usually best practice to skip this step. Alternatively, communicating with these parties can be mandatory in certain scenarios and/or vital to your business. It is important to identify which of these options apply to your business, which is where your emergency response/crisis management team can assist.
If you are going to communicate with these parties, we recommend you wait until you have enough information to pass on a complete message to help avoid miscommunications and misunderstandings.
Consider these key messages when communicating with clients and service providers:
- What happened and why did it happen?
- What systems/services are affected?
- What steps are being taken to resolve the situation?
- Is it possible to say when the situation will be resolved?
- What are external stakeholders expected to do?
- Who can external stakeholders contact if they have questions/concerns?
Depending on the size of the cyber event and your business, it may be worth appointing a public relations firm to assist with the communication step.
- Communicating with Regulators:
Certain rules & regulations around mandatory notification of privacy breaches may apply to your company. We recommend you know when to notify before any breach occurs, as you could face fines & penalties if you don’t notify within a specified time period.
7. Evaluation & Improvement
Use the information gathered in the previous steps to improve your cyber security measures. Not only will this strengthen your defence against future cyber attacks, but it will help your case with insurers when it is time to renew your policy.
See our Top 10 Tips to Prevent A Cyber Attack here for more information on how to prevent a cyber event.
Tips & Tricks for a Cyber Incident Response Plan
Consider some of the below when establishing your breach response plan:
We are a specialist insurance brokerage with an emphasis on adding value to our clients by helping them make an informed decision. Our approach combines that of an insurance broker and consultant, where we focus on providing expert advice to our clients while customising their insurance program and risk management solutions.
Since starting in 2013, KBI is constantly growing and becoming a leader in the Australian market. Our primary point of difference is that we don’t try to be all things to all people. We work in niche areas, where we can tailor an offering, advice and broker support to meet the specific area’s needs.
By Tyler Speers
Tyler Speers is an Account Manager at KBI with a focus on Cyber insurance.