What to do after a cyberattack
Having a cyberattack response plan is critical to protecting your customers’ sensitive information. Incidents can still happen even when you take all the necessary precautions. Being prepared to respond thoughtfully and comprehensively will reduce risks to your business and send a positive signal to your customers and employees.
The good news is that preparing to respond to a cyber incident is much like preparing for a natural disaster. Building your response plan can draw on the operational knowledge and experience you already have.
Below are four steps your company should take after a cyberattack:
1. Disconnect devices from the network
Determine which devices are affected and disconnect them from the network, either by unplugging the Ethernet cable or by turning off Wi-Fi. This can stop an attack from spreading to other systems. You should also change all passwords immediately, doing so from a device you know is not affected.
2. Assess the cyberattack
Connect with IT leadership (whether internal or a third-party vendor), law enforcement, and your legal representation. You need to examine the cyberattack, find its cause, and identify who was affected. All parties can work together to evaluate the incident and prevent it from happening again. It can be tempting to delete everything after a cyberattack or data breach, but you should preserve any evidence to aid the investigation.
3. Ensure employees abide by security protocols
Notify employees and ensure they continue to abide by your written security procedures. Have processes for operating by paper to keep your business functioning if electronic records become unavailable. Employees should understand how to access key information if systems are down.
4. Notify affected customers
Familiarize yourself with your state’s data breach notification laws. Per Georgia state law, businesses must notify customers about security breaches that compromise their data. Notifications can be written or electronic and must be communicated as soon as possible after the breach (but wait to communicate until after you’ve secured your operations).
It’s important to be transparent regardless of state laws. Communication is key to building relationships and maintaining trust with your customers. Provide as much information as possible about the nature and extent of the breach, and use multiple channels to ensure all affected parties are notified.
How to recover from a cyberattack
The goal of recovery is the full restoration of normal systems and operations. Like the response step, recovery requires planning.
Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization and planning for future events.
1. Document lessons learned
Once your business has returned to full operations, evaluate what caused the breach and how it could have been prevented. Make any needed improvements to policies and procedures, and communicate those changes.
2. Establish continuing education opportunities
After the incident, you may need to adjust certain employees’ data access levels based on their job roles to avoid future attacks. It’s also crucial to implement regular training on how to prepare for and prevent cybersecurity incidents. For example, you may consider administering phishing tests to employees so they know what to look out for and so you can identify any areas for improvement.
3. Repair your reputation
Acknowledge the data breach and inform customers what steps you’re taking to ensure this won’t happen again. This might require you to engage with a public relations firm. Work together to decide who will handle communicating with external stakeholders and what the message will be.
Cyberattacks are an unfortunate reality of doing business in today’s world. Responding to a cyberattack is a process—there’s no one-size-fits-all solution, and the specific steps you take will vary depending on the nature of the attack. While no organization is immune, following the steps outlined above can reduce the risk of a successful attack and minimize the damage if one occurs.
National Institute of Standards and Technology: Guide for Cybersecurity Incident Recovery
U.S. Department of Homeland Security, Cybersecurity & Infrastructure Security Agency (CISA): Resources for Businesses