So, you think (or perhaps you know) you’ve been breached. It’s every organization’s nightmare, and you’re living it, facing local and federal fines, upset customers, public panic, and a loss of intellectual property. A breach can be a harrowing ordeal; if you’re not sure what to do immediately after discovering the breach, your situation can quickly get worse.
Your first instinct may be to sweep the threat under the rug and just deal with it quietly. You may want to ignore the ransom, if there is one, and rely on ad hoc fixes to clean up traces of the attack and get back on track.
This was the city of Baltimore’s tactic. A ransomware attack in 2019 became an $18 million consequence when they couldn’t handle the threat on their own. Between not having proper backups, not communicating the attack to the right parties, and not accepting help from qualified IT professionals, the city of Baltimore is still dealing with their nightmare a month after the breach (source: Gov Tech).
If you’ve been hit, whether by ransomware, phishing, malware, or something else, there are several critical steps you should take right out of the gate to make sure the consequences are limited from hour zero into the aftermath even six months later. Here are our DOs and DON’Ts for you to consider when moving from the shock of "I’ve just been breached!" to the action of "Now what do I do?"
Every organization should have a data breach response plan (sometimes called an incident response plan) in place. This is a set of documents that guides you through the steps to take when a data breach occurs, and it is usually specific to your organization's structure, processes, and obligations. It should tell you what to do when you discover an incident, who inside the organization needs to be alerted, which outside parties (regulators, law enforcement, customers, insurers) you will need to inform and on what timeline, and more.
Haven't added a data breach response plan to your cybersecurity strategy yet? You’re not alone.
A recent study found that 77% of respondents don’t have one—or haven’t rolled it out to the right teams or departments. In this case, keep reading. You can cobble together a plan now, but once the panic settles down, do consider creating a plan for next time. Unfortunately, companies often experience multiple data breaches after the initial incident—or may not catch every trace of the hacker’s presence in their internal network the first time around.
If you’re amidst a breach and haven't created incident management guidelines or a response plan, you’ll want an expert on your side.
The FTC's Data Breach Response guide for businesses is a good stand-in for one. It walks you through the actions to take after discovering traces of a breach in your network, including securing your systems, preserving evidence, fixing the weaknesses that were exploited, and deciding who to notify. The document linked to below is a good starting point for getting things under control.
Ransoms can be stressful. They may come with a strict deadline for payment and threaten you with ruin if you don’t pay up. However, don’t make a decision on whether to pay before talking to your organization’s legal counsel or (if you don’t have one) an industry lawyer. Not every ransom request is legitimate. Sometimes, you can call their bluff—or rely on backups of your system, if you have them.
On the other hand, it's never a good idea to outright ignore a threat. In the city of Baltimore's case, they ignored the request for payment and suffered $18 million of damage instead of the roughly $80,000 asked of them. That does not mean paying is the right call: paying does not guarantee working decryption keys, law enforcement generally advises against it, and it does nothing to close the hole the attackers used. When faced with the decision, legal consultation can help you determine a) whether the threat is real and b) whether there are other options, such as restoring from clean backups, that avoid the request without accruing organizational harm.
The attacker got into your systems somehow. Even though you've found the threat, it may not be done siphoning sensitive data. Your first priority should be to work out how they got in and to contain the attack: isolate affected systems from the network, disable or reset the credentials that were abused, and block the attacker's access paths. Do this without destroying evidence. Keep logs, take images of affected disks and memory where you can, and note what was changed and when, because the investigation, your legal counsel, and any regulator will all need that record later.
The most common entry points are spear phishing emails, malware, and ransomware. Unpatched software is another: systems that haven't received recent security updates are easy targets. If you run older technology that can't be patched, make sure it sits behind a firewall, uses strong and unique passwords, and is governed by granular permission controls so that a single compromised account can't reach everything.
Want to learn to think like a hacker? Check out our guide on how to step inside the shoes of a hacker and secure your organization’s sensitive data.
One of the first things to determine once the entry point is closed: Was data compromised, and if so, how many records were read, exported, or stolen, and what kinds of records were they? This tells you how widespread the damage might be, who you have to inform, and what to tell customers. Work from your audit and access logs for the compromised accounts and the window in which the attacker was active, and treat the resulting count as a lower bound if logging was incomplete.
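As an added illustration of the scoping step, not code from the original article or from GoAnywhere, the script below counts the distinct records touched by a compromised account within an attacker's active window, broken down by record type, together with the source addresses used. The log line format, the account name `svc_transfer`, the action verbs, and the sample log itself are all assumptions constructed for the example; adapt the regular expression to your own audit trail.

```python
"""Scope a suspected breach from application audit logs (added example).

Given the account(s) believed compromised and the window in which the attacker
was active, report how many distinct records those sessions read or exported,
what kinds of records they were, and which source addresses were used. That is
the input the notification decision needs: who was affected, and how many.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, Optional
import re

# Assumed line format (hypothetical; adjust the regex to your own audit trail):
#   <ISO-8601 UTC timestamp> user=<account> action=<verb> record=<type>/<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
    r"\s+record=(?P<rtype>[^/\s]+)/(?P<rid>\S+)\s+src=(?P<src>\S+)$"
)
# Only these verbs count as the attacker touching data; LOGIN and the like do not.
DATA_ACCESS_ACTIONS = {"READ", "EXPORT", "DOWNLOAD"}


def parse_ts(text: str) -> datetime:
    """Parse a timestamp such as 2019-05-07T03:14:22Z into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class BreachScope:
    records: set = field(default_factory=set)          # distinct "type/id" touched
    by_type: Counter = field(default_factory=Counter)  # distinct records per type
    sources: set = field(default_factory=set)          # attacker source addresses
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    unparsed: int = 0                                  # non-empty lines the regex rejected


def scope_breach(lines: Iterable[str], compromised_users: set,
                 window_start: str, window_end: str) -> BreachScope:
    """Count distinct records accessed by compromised accounts inside the window.

    Records are counted once each, so ten reads of one customer row are one
    exposed record. Lines that do not parse are counted rather than silently
    dropped: a high unparsed count means the scope is a lower bound.
    """
    start, end = parse_ts(window_start), parse_ts(window_end)
    scope = BreachScope()
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        m = LINE_RE.match(stripped)
        if not m:
            scope.unparsed += 1
            continue
        try:
            ts = parse_ts(m["ts"])
        except ValueError:
            scope.unparsed += 1
            continue
        if m["user"] not in compromised_users or not (start <= ts < end):
            continue
        if m["action"] not in DATA_ACCESS_ACTIONS:
            continue
        key = f"{m['rtype']}/{m['rid']}"
        if key not in scope.records:
            scope.records.add(key)
            scope.by_type[m["rtype"]] += 1
        scope.sources.add(m["src"])
        scope.first_seen = ts if scope.first_seen is None else min(scope.first_seen, ts)
        scope.last_seen = ts if scope.last_seen is None else max(scope.last_seen, ts)
    return scope


# Constructed sample log for illustration only; not taken from any real system.
SAMPLE_LOG = """\
2019-05-07T02:58:01Z user=jdoe action=LOGIN record=auth/session src=198.51.100.20
2019-05-07T03:14:22Z user=svc_transfer action=LOGIN record=auth/session src=203.0.113.5
2019-05-07T03:14:40Z user=svc_transfer action=READ record=customer/10442 src=203.0.113.5
2019-05-07T03:14:41Z user=svc_transfer action=READ record=customer/10443 src=203.0.113.5
2019-05-07T03:15:02Z user=svc_transfer action=EXPORT record=customer/10442 src=203.0.113.5
2019-05-07T03:16:10Z user=svc_transfer action=DOWNLOAD record=invoice/88 src=203.0.113.5
2019-05-07T03:20:00Z user=jdoe action=READ record=customer/20001 src=198.51.100.20
2019-05-07T09:00:00Z user=svc_transfer action=READ record=customer/10500 src=192.0.2.9
garbage line that does not parse
"""


def run_example() -> BreachScope:
    """Scope the sample log for the (assumed) compromised service account."""
    return scope_breach(SAMPLE_LOG.splitlines(), {"svc_transfer"},
                        "2019-05-07T03:00:00Z", "2019-05-07T04:00:00Z")


if __name__ == "__main__":
    s = run_example()
    print(f"{len(s.records)} distinct records exposed: {dict(s.by_type)}")
    print(f"sources: {sorted(s.sources)}; active {s.first_seen} .. {s.last_seen}")
    print(f"{s.unparsed} unparsed line(s); treat the counts as a lower bound")
```

Two design points matter for the notification decision. Records are deduplicated so that repeated reads of one row do not inflate the count, and the legitimate user's activity and the same account's out-of-window activity are excluded, which is why the window boundaries should come from the containment investigation rather than a guess. The unparsed counter is the honesty check: if a large share of lines fail to parse, the count cannot be presented to a regulator as complete.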
A breach is easier to handle if your data is encrypted. Encrypted data is of little use to an attacker without the decryption keys, provided the keys were stored separately and were not taken in the same breach, and provided the attacker did not read the data through an application that decrypted it for them. If the stolen data really was unreadable, you may only need customers and vendors to change their passwords to protect their accounts from follow-on attacks such as credential reuse.
If the data wasn't encrypted, the situation gets trickier. Talk to legal counsel about how to proceed (and refer to the next "DO" below on compliance requirements). You will also want, or may be required depending on your compliance obligations, to put an encryption solution in place as soon as possible, with keys managed separately from the data, so that a future intrusion can't read sensitive files or personally identifiable information.
Looking for robust encryption technology? Explore GoAnywhere’s secure PGP encryption.
If you’re expected to be compliant with PCI DSS, HIPAA, FISMA, the GDPR, SOX, and so on, you may need to follow strict protocols around when, and under what circumstances, you’re expected to alert the industry and the public about a data breach.
The deadlines differ. Under the GDPR, for example, you have 72 hours from becoming aware of the breach to notify the supervisory authority, and affected individuals must be told without undue delay if the breach is likely to put them at high risk. Some regimes exempt you from announcing the breach if the affected data was encrypted and the keys were not compromised. Similarly, depending on the countries and states where your organization and the affected individuals are located, you may also be beholden to local breach notification laws.
Whatever you do, it’s critical you review this step as soon as possible. Some regulations will impose serious fines if you fail to heed their compliance requirements.
Manual processes, unmaintained open-source tools, homegrown software, and one-off scripts are a common weak point because they depend on people doing the right thing every time. They often lack centralized audit logging, access controls, automated patching, and anyone who is responsible for keeping them secure, and humans aren't always reliable (or fully awake, or motivated to do a thorough job). If you determine that such a process was one of the reasons you were breached, it's probably time to replace it with a managed solution that has proper security controls, logging, and granular permissions.
In fact, even if open-source tools, homegrown software, or scripts weren't the cause of this breach, they could be the cause of the next one. Look at your processes carefully and decide with your IT team whether it's time to upgrade your software and invest in a safer, less costly future.
A secure file transfer solution like GoAnywhere MFT can help safeguard your critical data and protect your organization’s prized jewels from compromise. Explore how to prevent data breaches by adding GoAnywhere to your cybersecurity strategy in this on-demand webinar.