A technology startup or a small business typically runs on a lean budget. Where possible, you’d like things to be free. Unfortunately, if you suffer a cyber incident (e.g. data breach, ransomware attack), it’s not going to be. But responding to a cyber incident doesn’t need to be expensive. And it’s also going to cost much less if you’ve proactively taken care of your foundational cybersecurity capabilities.
The best responses to a cyber incident rely on a well-prepared response team (e.g. they carry out regular cyber incident response drills), sufficient tools to detect and stop an attack in its tracks (or to limit the damage), and some automation in the incident response process.
Whether you have all the state-of-the-art capability in the world or nothing at all, the key steps to take in the event of a cyber incident are:
- Try to limit the damage – If you have technology that limited the damage for you, consider yourself fortunate. Otherwise, you are likely going to need to take manual actions. The most common initial reaction to any incident is to disconnect every digital asset from the network. The reason why we do this is to limit the spread of any malware and/or to cut an attacker off from continuing to traverse your network and getting access to critical data or systems.
- Use your “Batphone” – Even if you have knowledgeable internal people, you will likely need external assistance to at least sense-check your diagnosis and response. It helps to have someone independent and calm on your side as you frantically attempt to deal with the situation. While you can set up formal commercial arrangements to do this, it doesn’t necessarily need to cost money. For example, I’ve received a few of these calls from friends and acquaintances. Of course, once the situation went beyond my expertise or the amount of time I was able to dedicate, I recommended other experts to connect with for more formal assistance.
- Understand the impact on your ability to operate normally – Figure out if you’re still able to do business as usual. There’s typically going to be a level of disruption. What do you need to do to work around that disruption to ensure you can still operate? For example, is your website available? Are you able to provide the services you offer? Can you communicate and transact with your customers and suppliers? During the infamous ransomware attack that shipping giant Maersk was subjected to in 2017, they had to revert to doing everything on paper because their whole digital infrastructure was rendered inoperable.
- Determine the type of incident – The most common types of attacks today are a data breach, ransomware, and fraud. There are other types of incidents that will take your business offline, but these tend to be the most impactful and common ones. If you know what you’re dealing with, you can focus on addressing what’s important.
- Determine the affected systems and data – Ultimately, it’s about the affected data first, and the systems second. The type of data dictates the regulations that you must comply with as part of your response, as well as the parties you need to notify. If the affected system is within your control, you need to stop the attack (if possible), and then correct the problem within that system. If it’s a third-party system, you may have a responsibility to notify its owner.
- Determine the steps you need to take to recover – Once you have determined all affected data and systems, you must go about restoring services to a known good state. This is why, at the very least, you must have your critical data backed up. If you determine that the systems and data are in an unrecoverable state, the only way forward is to restore everything from backups.
- Notify all affected groups – External notification of cyber incidents happens most often in the event of a data breach. In general, any person or organisation that has had their data compromised because of the cyber incident needs to know sooner rather than later. If you are a service provider to other businesses, you likely have a contractual obligation to notify them. The key to reducing the impact on your brand and the erosion of trust is transparency, honesty, and speed. Even if you don’t have all the answers, some information is better than none. It’s better to deliver multiple short updates consistently than to wait a long time until you have all the information before telling anyone about it.
- Conduct a post-incident review – As with any negative event, one of the most important things you can take from it is the lessons learnt. What you’re attempting to do is figure out how the incident started and all the events that resulted in the negative consequence (e.g. data being stolen, data being encrypted and held for ransom).
- Fix the weaknesses in your cyber defences – Once your post-incident review has shown how the incident unfolded from start to finish, it should be clear what actions could have prevented certain things from happening, and which key cybersecurity controls could have stopped the attack at each stage. Implement the cyber protections in order of priority to reduce the risk of recurrence.
- Report the incident to the authorities – In Australia, this can be done via the Australian Cyber Security Centre. Authorities aren’t necessarily there to discipline or fine you during an incident. They are there to help. Note that you may still be liable to regulators after the fact depending on the type of incident and the level of your cyber hygiene prior to it. This isn’t official advice but in general, if you’ve done your homework and can prove you have a track record of being proactive about your cyber defences, the regulators are more likely to look favourably upon you during their investigation. In financial terms, companies that are found to have been negligent are more likely to be hit with large fines in the wake of cyber incidents.
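The recovery step above only works if you can tell whether a backup is actually in a known good state before you restore from it. The script below is an added example written for this post (not Avertro's code, and not part of the original article): it records a SHA-256 manifest of your critical files when the backup is taken, then checks a restore candidate against that manifest and reports which files are intact, modified, missing or unexpected. The file names and contents in `run_demo` are constructed purely for illustration.

```python
"""Backup manifest: record SHA-256 digests of critical files at backup time,
then verify a restore candidate against them before trusting it."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    # Keep the manifest outside the backup tree (and ideally offline/immutable),
    # otherwise an attacker who alters the backup can alter the manifest too.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files under root with the manifest recorded at backup time."""
    current = build_manifest(root)
    report: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)       # file gone (deleted or never restored)
        elif current[rel] != digest:
            report["modified"].append(rel)      # content changed, e.g. encrypted by ransomware
        else:
            report["intact"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))  # files the backup never had
    return report


def is_known_good(report: Dict[str, List[str]]) -> bool:
    """A backup is only restorable if nothing is modified, missing or unexpected."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def run_demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: take a manifest of a small backup, verify it clean,
    then simulate tampering (one file overwritten, one deleted, one dropped in)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "accounts").mkdir(parents=True)
        (backup / "accounts" / "ledger.csv").write_text("2021-06-01,invoice-0001,1200.00\n")
        (backup / "customers.json").write_text('{"customers": []}\n')

        manifest_file = Path(tmp) / "manifest.json"   # stored beside, not inside, the backup
        save_manifest(build_manifest(backup), manifest_file)
        clean_report = verify_backup(backup, load_manifest(manifest_file))

        # Simulated damage: ledger overwritten with junk bytes, customer file removed,
        # and a stray file added, as a ransomware run typically leaves behind.
        (backup / "accounts" / "ledger.csv").write_bytes(os.urandom(32))
        (backup / "customers.json").unlink()
        (backup / "README.ransom.txt").write_text("constructed placeholder\n")
        tampered_report = verify_backup(backup, load_manifest(manifest_file))

        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean backup known good:", is_known_good(clean))
    print("tampered backup report:", json.dumps(tampered, indent=2))
```

Run `build_manifest` and `save_manifest` as part of every backup job, keep the manifest somewhere the production network cannot write to, and make `verify_backup` a gate in the restore runbook: a backup that reports anything other than all-intact is not a known good state, and restoring it would just put the problem back.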
Most cybersecurity professionals will tell you that you need to have an incident response plan. In the event of a cyber incident, you should follow it. If you’re on a limited budget, however, you may not yet have one.
If you have the budget, there are many consulting firms that can help you. Naturally, a more cost-effective approach is to do it yourself. You should be able to write one using this blog post as a starting point. Each step above should be a section in your plan; you just need to fill in the specific details that are relevant for your business.
At Avertro, we are working on something that is due to launch in 2022 which will help businesses like yours for little to no cost. Stay tuned for updates by following our social media accounts on LinkedIn and Twitter.