A cyber breach is no small matter. According to the 2019 Cost of a Data Breach Report by IBM, the average cost of a breach in IT security is about USD $3.9 million, or €3.5 million. The consequences of such an attack can last years, with the same IBM report stating that 11% of the costs continue to occur even after two years from the incident.
With so much at stake, the importance of handling a cyber breach correctly cannot be overstated. So how are companies meant to respond to cyber attacks?
Short-term responses – do immediately
1. Assemble an incident response team
A well-organized incident response team could make a significant difference to the next few weeks of your company’s life. In fact, IBM found such a team can reduce the cost of a breach by an average USD $360,000, or €330,500.
Your incident response team must bring together different types of experience. IT experts who understand technical systems and methods of cyber attack are of the utmost importance, but you must also include a strong leader to steer the ship, legal council for legislative advice, and PR experts to help craft the company’s response message.
Don’t forget: It’s never too early to form an incident response team, so they can work and train together prior to a breach.
2. Contain the breach
The breach must be filled before it can do any further harm, so quick action is crucial. Answer these questions:
- Where was the breach?
- How did the criminals access your system?
- What was compromised, and was anything stolen?
As your team hones in on the answers to these questions, you’ll know which short-term measures must be taken immediately, for example resetting passwords, disconnecting certain machines or third-party systems, installing patch updates, and so on.
Mid-term responses – do within the next few days
3. Investigate the incident more thoroughly
You have a team, they’ve contained the breach and isolated the infection – now you can begin a more thorough investigation. Ask yourself these questions. The more you know, the better you can react.
- Again, how did the criminals gain access and why did they choose that entry point?
- What was their objective? Who has been impacted by this breach?
- Who will you need to notify of the breach?
- What was the underlying root cause of this incident? Don’t just look at the symptoms, but the cause (i.e. a computer that wasn’t updated is a symptom, not a cause. The cause could be outdated company processes that put little emphasis on keeping security up to date).
4. Document everything
You will need evidence of everything that has taken place. Note everything down – relevant systems and files, timeframes, people who had access. Everything.
5. Notify your supervisory authority
In Germany, under the General Data Protection Regulation (GDPR) you may be required to notify your state supervisory data protection authority of this breach.
You must do so, where feasible, within 72 hours of becoming aware of the attack. Your notification must describe the breach, including information on how many people were impacted, the type of data impacted, the consequences of such a breach, and measures you have taken (or propose) to mitigate the effects.
However, if your cyber breach is unlikely to result in a risk to individuals’ rights and freedoms, you may not be required to notify the authorities. Ask your legal team for more advice on this front.
6. Notify affected individuals
Under the GDPR, you may also be required to notify the individuals whose data has been compromised.
Your response team must put together a message that describes the breach in layman’s terms, and includes the information that you provided to your state protection authority.
However, there are exceptions. These are slightly more complex than the exceptions for notifying the state authorities, so we would advise you ask your legal team to determine whether or not your customers need to know this event took place.
7. Prepare your teams
Company staff, particularly those on the front lines, are likely to field hard questions in the coming days. Ensure your team members have been trained to handle these types of queries so that your customers receive a satisfactory, on-message response, and your staff aren’t assailed by undue stress in a complex time.
Long-term responses – do forever
8. Always keep your systems up to date
An out of date system is a key vulnerability in your network. As part of their investigation, your response team should put together a plan to keep systems better protected in future – this may likely require staff training, or perhaps a complete company culture overhaul to create a better, more cyber-safe culture.
But know that it’ll be worth it. IBM found the average lifecycle of a malicious attack (from breach to containment) is about 314 days. However, companies that can bring that down to 200 or fewer days could cut costs by USD $1.2 million, or €1.1 million.
9. Be aware of threats
As part of your ongoing cyber security strategy, your company should remain aware of potential future threats. This could become part of your response team’s ongoing mandate – to actively monitor potential threats and implement security measures prior to a breach occurring.
About dig8ital
Not every organization is capable of making the changes required to ensure they are cyber-safe, and that’s where dig8ital comes in.
We take a tailored approach to all of our clients. Out-of-the-box solutions don’t work for everyone, so we work closely with organizations to help ensure that our solutions are a perfect fit for their unique needs.
To find out more, or book a free consultation with our team, contact us today.