What goes on in an organisation during an attack?

What goes on inside an organisation when it is the victim of a cyberattack? If it has happened to you, you already know, but maybe there are things you’d do differently next time. If it hasn’t happened to you, congratulations! Your cyber defences are…so far…protecting you. But don’t assume you are invulnerable. Sooner or later, a cyberattack is inevitable. This is because threat actors are professionals, possibly state-sponsored, and willing to invest all their time and resources in stealing your intellectual property. We commonly use the term “hacker”, but that suggests an amateur tapping away at a keyboard in a back room somewhere. The reality is that cybercrime is organised, global, and very sophisticated. Many recent high-profile attacks illustrate that the size and stature of a company are no protection against cybercrime. Furthermore, a hacker may have infiltrated your network without your knowledge and caused considerable damage before you detect the breach. In the case of Colonial Pipeline Co., the breach happened fully a week before it was discovered. At that point, the organisation had to respond rapidly and authoritatively. There was no time for rumination. All organisations should be prepared for an attack and have a well-rehearsed incident response plan ready to put into action. Let’s take a behind-the-scenes look at what happens – or what should happen – during a cyberattack.

The initial response – panic!

If your initial instinct is to panic, you’re not alone. It’s a natural human reaction to a stressful and potentially catastrophic event. But you need to quell that panic quickly and channel it into a functional, organised response. Panic is unproductive and, worse, counter-productive; it can cause people to lash out at those around them or behave in uncharacteristic ways. It also causes errors, and you can’t afford mistakes at this time. So acknowledge the fear and uncertainty, and recognise its effect on your teams. Avoid blaming anyone, and make sure your employees don’t blame each other. Reassure them that you have a plan. Keeping the team calm and looking after their mental health is key in recovering quickly from the cyberattack.

Incident response plan

Once you’ve dealt with the primordial reaction, your incident response plan should be implemented. This plan is multi-disciplinary and does not only deal with the immediate ICT impact of the breach. There are other aspects of your business and of the situation to consider and address, such as customer communication and regulatory requirements. Ideally, you should not attempt to do this alone. Having a cybersecurity firm like NEWORDER on speed dial will ensure you respond systematically and thoroughly. Its team’s deep experience also means it will think of things that simply don’t occur to you.

Response team

You should have a dedicated response team identified and able to come together at minimal notice and set up a “war room”. The team should include experts from IT management, forensics, legal and communications. They will need access to top management. They will likely have to make decisions that impact many business processes and activities, such as marketing, customer service, logistics, etc. Therefore unfettered access to the C suite is essential, so difficult decisions can be made swiftly and in the context of the overall business. The job of this team is to analyse the scope of the attack, take relevant defence measures, ensure careful documentation, manage communication, and prepare for recovery. However skilled the team members are as individual professionals, effective coordination of these tasks is best done by a partner with expertise and experience who can support your internal efforts. This is where the role of the cybersecurity firm comes in. It may be your first cyberattack, but they will have seen plenty and learned many valuable lessons.

Law and regulation

The United States has made it an offence for victims of ransomware attacks to pay the ransom. The FBI regularly gets involved in investigations of cybercrime. For this reason, it may be tempting to try to handle an attack internally and resolve the situation without involving the authorities. Surely paying the ransom is the quickest and quietest way out? Don’t do that! You must inform the police and the regulator as soon as you discover the breach. It may be necessary to shut down servers unaffected by the attack if they contain sensitive information that could pose a security threat if there is further penetration. The authorities may be on the trail of a threat actor, and your incident could provide useful clues. They may also have insights about the attacker you don’t have, which could be of use in shutting down the attack. There are also regulatory reporting requirements, depending on the jurisdiction(s) in which you operate. For example, from 1 July 2021, the Protection of Personal Information Act, 2013 (POPIA) in South Africa will require all responsible parties that process personal information to notify both the Information Regulator and the affected data subjects of all data breaches. In addition, the General Data Protection Regulation (GDPR) of the European Union also requires notification of data breaches to data subjects and the relevant supervisory authority.

Stakeholder communication

In addition to notifying data subjects, you need to communicate broadly with your stakeholders, who will not necessarily all be data subjects. The breach may not involve personal data, but you must still communicate promptly and transparently. Cybercrime is now so widespread that you are unlikely to lose customers or investors purely because you fall victim to an attack. However, you will be judged on how you handle it. Tell your customers and business partners – suppliers, industry counterparts, trade associations, etc. – about the attack and its consequences honestly and timeously. If customer data has been lost or compromised, or imminent deliveries of goods are likely to be delayed, the sooner your customers are informed, the better. Messaging needs to be carefully handled, as you may not know the full extent of the damage, yet you mustn’t delay the communication process. You will likely need a series of communications as the impact emerges and your recovery strategy becomes clear. This is where communications experts, legal advisers and account managers have to work closely together to craft appropriate and compliant messages.

Plan for the next one

Once you are through the worst of it, it’s understandable your priority will be returning to business as usual. There may be significant losses, and your focus will inevitably be on restoring customer goodwill and ramping up marketing and sales efforts to plug the gaps. But now is precisely the time to review the success or otherwise of your plan. Did you have the right skills on the team? Did you make the right decisions in the heat of the moment? How effective were your communications? How quickly were you able to recover, and how much did it cost? Your cybersecurity partner can assist with this analysis and help you refine your plan. You can review your defences and identify areas of weakness or alternative methods of protection. This is also the time to gather the documentation you have been compiling and translate it into a report. Your board will want one, and your regulator may also request it. Consider this “post mortem” stage part of the response process, not an epilogue. You will thank yourself if you are ever the victim of a cyberattack again.

NEWORDER – your cybersecurity partner

NEWORDER is one of Africa’s leading information security and corporate threat protection services. We provide strategic and tactical insight into your cybersecurity status. We can assess your defences, put suitable systems and measures in place and, if the worst happens, work alongside you to help you take urgent and appropriate remedial action.