“Time is of the essence when recovering from a cyber attack and an organized and carefully planned reaction is the best recipe for success,” says Embroker. However, does your organization know what to do after a cyberattack? Or what not to do?
Knowing what to do after a cyberattack is fundamental to containing and mitigating the attack; however, knowing what not to do can be equally beneficial, thus preventing matters from getting worse.
Do not panic
When faced with a cyberattack, it's natural to feel a surge of fear and urgency. However, panic can lead to hasty decisions that may exacerbate the situation. Instead of reacting impulsively, take a deep breath and focus on following your organization's incident response plan. A calm and methodical approach will help you make better decisions and manage the situation more effectively.
Do not shut down systems immediately
Your first instinct might be to shut down the affected systems to stop the attack, but this can turn out to be a mistake. Shutting down systems can destroy valuable evidence that is crucial for understanding the nature of the attack and identifying the perpetrators. Instead, isolate the compromised systems from the network to prevent further spread of the attack while preserving the evidence for investigation.
See also: HIPAA Compliant Email: The Definitive Guide
Do not immediately communicate details publicly
It's tempting to share details about the attack; however, publicly disclosing information about the breach can do more harm than good. It could alert the attackers that you are aware of the breach, leading them to take further damaging actions. Moreover, it can cause unnecessary panic among stakeholders and customers. All communications should be handled through a designated incident response team and should be consistent, controlled, and in line with legal obligations.
Do not ignore the problem
Ignoring a cyberattack and hoping it will go away is not the solution. Even if the attack seems to have subsided, you must conduct a thorough investigation to ensure that no residual threats remain. Cyber attackers often leave backdoors or dormant malware that can be activated later. Comprehensive post-incident analysis is essential to understand the full scope of the attack and to prevent future breaches.
Do not make unauthorized changes
Unauthorized changes to systems or data can interfere with the investigation, complicate the recovery process, and potentially cause more damage. Leave the technical response to the experts who have the necessary skills and knowledge to handle the situation.
Do not bypass security procedures
Organizations often have established security protocols and incident response plans, but bypassing them can create additional vulnerabilities and may result in a more severe security breach. Stick to the plan, and ensure that all actions are aligned with your organization's security policies.
See also: Developing a HIPAA compliant incident response plan for data breaches
Do not delete logs or evidence
One of the most common mistakes made during a cyber attack is the deletion of logs or other evidence. Even if you believe that the information is unimportant, it may prove critical in understanding the attack's origin, methods, and impact. Preserving all evidence is essential for conducting a thorough investigation and for legal or regulatory compliance.
Do not attempt to retaliate
The idea of "hacking back" or retaliating against the attackers might cross your mind, but this is highly discouraged. Retaliation can escalate the situation and may have legal ramifications. Instead, focus on securing your systems, preserving evidence, and working with law enforcement and cybersecurity experts to address the attack legally and ethically.
Do not neglect legal obligations
Cyber attacks often come with specific legal and regulatory requirements, such as reporting the breach to authorities or notifying affected individuals. Failing to meet these obligations can result in fines, legal actions, and damage to your organization's reputation. Ensure that you are aware of and comply with all relevant laws and regulations related to the breach.
Related: How to notify affected individuals of a breach
Do not assume it won’t happen again
Finally, never assume that just because the attack is over, your systems are now secure. Cyber attackers are persistent, and the same vulnerabilities that allowed the first breach may still exist. Use the incident as a learning experience to strengthen your defenses, update your security protocols, and continuously monitor for potential threats.
See also: Recovering from a cyberattack
FAQs
Can I assume that an attack was unsuccessful if no data appears to be stolen or damaged?
No, just because there is no immediate evidence of data theft or damage doesn't mean the attack was unsuccessful. Attackers may have gained access to sensitive information without your knowledge, or they may have left vulnerabilities that could be exploited later.
Should I rely solely on my in-house IT team to handle the attack?
While your in-house IT team plays a vital role, it's often beneficial to involve external cybersecurity experts, especially for complex or large-scale attacks. External experts can provide specialized knowledge, tools, and a fresh perspective that may be crucial for a thorough response.
Is it okay to pay a ransom if the attack involves ransomware?
Generally, paying a ransom is discouraged as it doesn't guarantee you'll regain access to your data and may encourage further attacks. Consult with legal counsel, law enforcement, and cybersecurity experts before making any decisions regarding ransom payments.
Go deeper: To pay or not to pay: Cyberattack ransoms in healthcare
Tshedimoso Makhene
