What to do in the first 24 hours after a cyber-attack
As you will no doubt have seen in the news, there has recently been a global outbreak of ransomware which has hit more than 200,000 victims in 150 countries, with the NHS being the most high-profile victim in the UK.
A common approach to preventing ransomware and other cyber-attacks is to focus on the IT systems alone, for example by ensuring that systems are regularly updated through the deployment of security patches and that antivirus software is installed on every computer. Whilst this approach will prevent the majority of attempts to breach security, the first line of defence will always sit with your staff.
Whilst not wanting to create more anxiety and panic, we recommend that you alert your staff and warn them to:
- Avoid clicking on links, opening attachments or emails from people they don’t know or companies they don’t do business with; and
- Be aware of email spoofing, where an email arrives from someone they believe that they know (for example with a similar name and/or email address), but has unexpected and potentially dangerous links or attachments.
No doubt you will already have stringent back-up systems in place. If this is not the case, without wishing to state the obvious, a company cannot be held to ransom if it can still access the data it needs to continue to do business.
Next steps
If your company or organisation is unfortunate enough to be hit by this recent or any other cyber-attack, you may be tempted to pay the ransom. We often see that ransom demands are deliberately set at a relatively low level; in this case it was around $300 or €300. This is to make paying the ransom less expensive (and therefore more likely, and so more lucrative for the attacker) than it would be to, say, pay for outside IT security consultants to come in and fix the problem.
There are a few reasons why you should think twice before paying any ransom:
- Quite often these types of cyber-attacks are a form of advertisement for the hacker to show off their abilities and be hired or procured to undertake more damaging attacks in the future;
- Hackers often communicate with each other in chat rooms and on the so-called 'dark web' and share information about vulnerabilities they have discovered. If you pay a ransom for one type of cyber-attack, you may leave your organisation open to further attacks by other hackers as well; and
- If your company is in a regulated industry such as financial services you may have to report any security breach to the Financial Conduct Authority. Paying a ransom may instigate further regulatory scrutiny.
What to do in the first 24 hours after a cyber-attack
Your IT department will advise on the best way to ensure any patches, software fixes or updates are applied in a safe manner.
Whilst this insight is essential, below are our recommended steps to include alongside IT as part of your 24-hour response plan.
- Mobilise crisis management team with support from communications and legal advisers, as appropriate
- Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach
- Alert and activate everyone on the response team, including external resources, to begin executing your incident response plan
- Secure the IT systems affected by the cyber-attack to help preserve evidence
- Stop additional data loss. Take affected equipment offline (disconnect it from the network) but do not turn it off or start probing into the computer until your forensics team arrives, since powering down destroys volatile evidence held in memory
- Document everything known thus far about the attack
- Interview those involved in discovering the breach and anyone else who may know about it. Document your investigation
- Review protocols regarding disseminating information about the breach for everyone involved in this early stage.
- Assess priorities and risks based on what you know about the breach
- Bring in your forensics team to begin an in-depth investigation
- Protect your reputation with an internal and external communications strategy, supported as necessary by crisis communications specialists and/or reputation lawyers
- Report to police, if/when considered appropriate
- Notify regulators, if needed, after consulting with legal counsel and upper management.
- Notify insurance broker(s) to ensure compliance with policy terms.
Damage to reputation and retrieving your data
This recent attack appears to be focused on encrypting the data where it is located and then unlocking it once the ransom is paid, rather than on any loss of data. Other types of cyber-attack we have seen have involved data being taken, damaged, destroyed or extracted and then held to ransom. AG have specialist lawyers with experience in reputation protection, retrieval of stolen data and financial crime who can provide advice and make recommendations. While it may not be possible to prevent an attack, how you respond once it hits will be key to ensuring your business, and its reputation, recover as quickly as possible.