So your company systems have been hacked! Visions of legal liability, lost customer confidence, and brutal social media commentary jumble together. However you look at it, it’s not a pretty picture. But what will you do to recover from this situation?
One thing to be aware of is that you’re not alone. According to The Guardian, 81% of all large businesses have been hacked. And according to The Global State of Information Security Survey 2015 (a worldwide survey by CIO, CSO and PwC), large companies with revenues of US $1 billion or more saw a 44 percent increase in detected security incidents in 2014 compared with 2013, while medium-sized companies, those with revenues between US $100 million and US $1 billion, saw a 64 percent increase over the same period. A successful attack results in downtime ranging from several hours to a full business week, and in financial losses that can total well over US $10 million. Types of breaches include compromise of customer and employee privacy and personal information, identity theft, loss or manipulation of data, and theft of internal company knowledge, plans, and information.
As bad as this news is, it gets worse. According to the same report, companies are typically investing less in security as they cut costs across the board: security budgets fell by an average of 4% in 2014. Some types of breaches can result in legal action. And worse still: if you have been hacked, you may be the last to hear about it. Verizon reported that 86% of the breaches it investigated in 2010 were discovered by people outside the affected organization.
Companies could do much more to stay alert to potential breaches. TLS (SSL) certificates on every public-facing service protect data in transit, and EV certificates give customers stronger assurance of who they are talking to; they do not, however, protect the servers themselves, so also ensure that all the latest security patches are installed and that security settings are properly configured. Consider hiring a security expert if you don’t have one in-house. Intrusion Detection Systems (IDS) and Data Loss Prevention (DLP) systems could and should be employed. Anti-malware programs should be deployed on company systems just as one would on a home system. A Security Information and Event Management (SIEM) system should be analyzing system logs and forwarding results to security monitors continuously. Watching those logs for unusual outbound data transfer, such as a host sending far more to external addresses than it normally does, can give you the earliest warning of an incident. Even so, the evidence may not be on your own network at all, but may reach you through reports of identity theft or chatter in the Twitterverse. Australian security expert Troy Hunt runs a website (http://www.haveibeenpwned.com) where you can check whether an email address has appeared in a known data breach. We ran a random search of several email addresses, and about 30% came back as having been exposed in a breach.
So what do you do when you have been hacked? You can minimize the likelihood of a successful attack, but you cannot eliminate it, so it’s critical to have a current, tested incident response plan ready before you need it. The faster you act, the faster you can minimize the impact of the breach, re-secure your systems, and reassure your clients and customers. A good response plan should include the following:
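As an added example, not taken from the original article or from any particular SIEM product, here is the kind of check a SIEM rule or a small script can run over an hour of outbound-traffic logs: it sums the bytes each internal host sent to external addresses, compares that against a per-host baseline learned from known-clean days, and lists the external IP addresses involved, which is exactly what step 1 of the plan below asks you to collect. The log format, the sample lines, the baseline figures and the internal address range are all constructed for this example; a host with no baseline (a freshly built server, say) is judged on an absolute floor so it is not silently exempt.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample export from a perimeter device (hypothetical format, not any real
# product's): "<timestamp> src=<ip> dst=<ip> bytes_out=<n>". External destinations use
# documentation-only address ranges.
SAMPLE_LOG = """\
2015-03-02T01:10:04Z src=10.0.5.12 dst=198.51.100.20 bytes_out=18200
2015-03-02T01:12:51Z src=10.0.5.12 dst=198.51.100.20 bytes_out=22100
2015-03-02T01:15:33Z src=10.0.5.12 dst=198.51.100.20 bytes_out=19800
2015-03-02T01:20:07Z src=10.0.5.40 dst=192.0.2.7 bytes_out=950
2015-03-02T02:03:19Z src=10.0.5.77 dst=203.0.113.9 bytes_out=734003200
2015-03-02T02:05:44Z src=10.0.5.77 dst=203.0.113.9 bytes_out=812000000
2015-03-02T02:09:12Z src=10.0.5.40 dst=10.0.5.1 bytes_out=4000
2015-03-02T02:11:58Z src=10.0.5.99 dst=203.0.113.50 bytes_out=60000000
this line is malformed and must be skipped
"""

# Constructed baseline: typical outbound bytes per host for a one-hour window, learned from
# earlier, known-clean logs. Hosts absent here have no baseline (e.g. a newly built server).
BASELINE = {"10.0.5.12": 50_000, "10.0.5.40": 2_000, "10.0.5.77": 120_000_000}

# The organisation's own address space (assumed); everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<nbytes>\d+)")


def is_internal(ip):
    """True if `ip` falls inside one of our own networks; unparsable strings count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (src, dst, bytes_out) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["nbytes"])


def outbound_by_host(text):
    """Sum bytes sent from internal hosts to external destinations, and remember those destinations."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, nbytes in parse_log(text):
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
            dests[src].add(dst)
    return dict(totals), {host: sorted(d) for host, d in dests.items()}


def flag_exfiltration(text, baseline=BASELINE, factor=10, floor=50_000_000):
    """Return {host: (bytes_out, [external destinations])} for hosts whose outbound volume
    exceeds both an absolute floor and `factor` times their baseline. A host with no
    baseline is judged on the floor alone."""
    totals, dests = outbound_by_host(text)
    flagged = {}
    for host, nbytes in totals.items():
        typical = baseline.get(host, 0)
        if nbytes >= floor and nbytes > factor * typical:
            flagged[host] = (nbytes, dests[host])
    return flagged


if __name__ == "__main__":
    for host, (nbytes, where) in sorted(flag_exfiltration(SAMPLE_LOG).items()):
        print(f"ALERT {host}: {nbytes / 1e6:.1f} MB out to {', '.join(where)}")
```

On the constructed input this flags 10.0.5.77 (roughly 1.5 GB to one external address against a 120 MB baseline) and the baseline-less 10.0.5.99, while the ordinary web traffic from 10.0.5.12 and the internal copy from 10.0.5.40 stay quiet. The external addresses in the alert are the first entries on your "IP addresses used in the attack" list.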
1. Verify that an attack has occurred:
One of the oldest tricks for any scammer is to convince the victim that a breach has already occurred and that they, the scammer, can help you out of the mess. So first confirm that a breach has actually occurred, identify the affected systems and data, list the IP addresses used in the attack, and determine what type of attack was used. Was it malware or a virus? Unauthorized remote access? If you have been following good practices and running an IDS and SIEM, you should be able to determine this by analyzing your logs. If you don’t have these systems, your service provider may have these or similar systems in place and may be able to provide useful information. Hiring a security expert, even after the fact, can help you confirm what damage, if any, has been done. Whatever you have in place, or don’t have in place, strive to act as quickly as possible: minimizing the damage depends on the speed of your response.
2. Close the breach:
That means you must identify how the breach occurred. If you haven’t already done so, this is the time to hire a security expert. Make sure your investigation is complete, that you have identified every way in and every system affected, and that you have closed every vulnerability that was used, so you can repair the damage and get back up and running as quickly as possible. Closing the obvious hole while leaving the attacker’s second way in untouched (an added account, a changed scheduled task, a file dropped on the web server) is a common and costly mistake.
3. Determine your legal liability:
A breach may place you at risk legally. Your compliance with government regulations may be compromised, or you may have placed others at risk by an apparent failure to safeguard their privacy. As of 2011, 46 US states had laws requiring you to notify customers whose data has been compromised. Laws governing how you must respond to a data breach vary from state to state as well, so a legal team experienced in such matters is essential. The law may impose disclosure requirements, or it may require you to engage a security expert or investigator to help navigate the consequences of the breach. Your response plan should include a list of people who must be contacted for each type of incident, and your legal team should be on every one of those lists. Do not even consider communicating externally without input from your legal team.
4. Craft the right communications to the right people:
This must be attended to as early as is feasible. You want to be sure you’ve closed the gaps and know the extent of the damage before communicating, but some kind of early communication is essential. You will certainly need some kind of internal discussion, and you may need outside help in addition to your legal team. Depending on what has happened, government agencies may need to be apprised of the problem, and if clients and customers have been affected, it’s crucial that you tell them as much as you can, promptly, to minimize the impact on them and on your business. People are fairly understanding when a company has been the victim of a malicious attack, as long as the company appears to be doing the right thing to remedy the situation. Your communications should be meaningful, giving real, usable information (what was exposed, what you have done about it, and what the recipient should do); or they should give a timetable on which you will be able to communicate more fully.
5. Minimize the damage:
You want to minimize the damage, but you don’t want to do it while you’re in panic mode. Follow your response plan, even if what you most want to do is shut everything off and go underground. If you take all your systems offline immediately, you may cause additional negative impact to your business operations and damage relationships with your clients. The instinctive response to do so is much like the instinctive response to pull the knife out of a stab wound: you must resist the impulse until a doctor or expert is present, so that the attempt to stop the damage doesn’t result in the victim bleeding to death. If you have successfully identified the affected systems in your initial response, you can then strategically isolate those systems, for example by cutting their network access while leaving them powered on. Besides minimizing downtime and its attendant financial impact, keeping some kind of access to those systems may help a security expert identify the source of the breach; wiping or rebuilding a machine before it has been imaged destroys that evidence. Remember that a crime has been committed against your company, and the traces hackers leave behind may help identify them.
Minimizing the damage may require different strategies, depending on the kind of breach that has occurred. Your response plan should take as many of these possibilities into account as possible, though remember that hackers are exceptionally innovative, and there are some things you just can’t plan for. But within the realm of probabilities, you may need to consider the following: deleting offensive content from your public or internal websites, revising or rebuilding access lists and processes, or removing malware and viruses from your systems. The APWG (Anti-Phishing Working Group) recommends as a best practice making copies of unauthorized installations and intranet activity before deleting anything, so record a cryptographic hash of each suspect file and where you found it before you touch it. But be aware that some kinds of unauthorized activity, such as the placing of child sexual abuse material on your site, are so serious and so tightly regulated that you must contact law enforcement before taking any action on your own.
6. Restore the affected systems:
Your response plan should include a priority list for your systems, in case more than one is compromised in an attack. Which systems cost you the most in dollars, downtime, and public image? Which systems are most essential to your day-to-day operations? Once a breach has occurred, you don’t want your financial team competing with your operations team to get their systems back online first. Put the priorities in your response plan, get agreement in advance, and follow your plan. It’s easy to get derailed when you’ve been hacked; it’s nothing less than an invasion, and it’s easy to lose sight of what is critical at a time like this. Your internal website, for instance, can stay shut down while you restore business-critical systems, even if it means internal resources are harder to contact. You’ll need to replace the compromised data, applications, and systems from your most recent known-clean backup (a backup taken after the intrusion began may simply restore the attacker’s foothold), and ensure that critical passwords, including the root password, are changed. You’ll also need to check that no strong passwords were replaced with “open” passwords such as “admin” or any other default, and that no accounts or access keys the attacker added are still in place.
7. Determine where the security gap was and close it up:
This might mean fixing a faulty configuration, deploying TLS, and/or educating and re-educating your employees. If you are running anti-malware or other security software, share details with the vendor so they can close the gaps in their software as well. Response to a successful attack can be expensive, so consider buying data breach (cyber) insurance; your existing liability insurance covers damage to people and property, but typically not data. As with other kinds of insurance, to qualify you must have certain safeguards in place to minimize your risk. If you did not have an incident response plan in place before the attack, create one now so you can be prepared for the next one. Most companies that have been hacked report multiple attempts and more than one success. Don’t be caught without a plan twice!
An ounce of prevention is worth a pound of cure. Plan ahead for a breach, and be prepared to navigate through it, knowing you have a well-thought-out road map to follow. Most of all, do what you can to prevent a breach, whether it’s investing in monitoring software, engaging a security expert, or increasing your systems and security budget. The cost of a successful attack will almost certainly exceed the cost of prevention.
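Step 5’s advice to copy unauthorized installations before deleting anything, shown as an added example that is not from the article or from the APWG: a small Python helper that hashes each suspect file, copies it into an evidence directory, writes a manifest entry, verifies the copy, and only then removes the original, plus a check that re-hashes the evidence later so you can show it has not changed since collection. The file names, paths and contents are constructed for the demonstration; on a business-critical system a full disk and memory image taken by a forensic specialist is the better starting point, and this helper is the minimum to do before a clean-up.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed contents for the demo only; no real malware is involved.
SAMPLE_CONTENT = b"constructed sample of a planted file\n"


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def utc(ts=None):
    """ISO 8601 UTC timestamp for a POSIX time (now, if None)."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def preserve(path, evidence_dir, note=""):
    """Copy `path` into `evidence_dir`, verify the copy hashes identically, and append a
    manifest entry (path, hash, size, mtime, collection time, analyst note). Returns the entry."""
    path, evidence_dir = Path(path), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = path.stat()
    digest = sha256_of(path)
    copy = evidence_dir / f"{digest[:16]}_{path.name}"
    shutil.copy2(path, copy)  # copy2 keeps the original mtime and permission bits
    if sha256_of(copy) != digest:
        raise RuntimeError(f"evidence copy of {path} does not match the original")
    entry = {
        "original_path": str(path.resolve()),
        "evidence_copy": str(copy),
        "sha256": digest,
        "size": st.st_size,
        "mtime": utc(st.st_mtime),
        "collected_at": utc(),
        "note": note,
    }
    with (evidence_dir / "manifest.jsonl").open("a", encoding="utf-8") as mf:
        mf.write(json.dumps(entry) + "\n")
    return entry


def preserve_then_remove(path, evidence_dir, note=""):
    """The safe order for clean-up: copy and hash first, delete only after the copy is verified."""
    entry = preserve(path, evidence_dir, note)
    Path(path).unlink()
    return entry


def verify_manifest(evidence_dir):
    """Re-hash every evidence copy; return the copies whose hash no longer matches the manifest."""
    bad = []
    manifest = Path(evidence_dir) / "manifest.jsonl"
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        if sha256_of(entry["evidence_copy"]) != entry["sha256"]:
            bad.append(entry["evidence_copy"])
    return bad


def demo():
    """Constructed scenario in a temporary directory: one planted file is preserved and removed,
    one modified file is preserved in place, and one evidence copy is then edited to show
    that verification catches it."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    evidence = work / "evidence"
    planted = work / "htdocs" / "uploads" / "img.php"
    planted.parent.mkdir(parents=True)
    planted.write_bytes(SAMPLE_CONTENT)
    cron = work / "etc" / "cron.d" / "backup"
    cron.parent.mkdir(parents=True)
    cron.write_bytes(b"# constructed sample of a scheduled task changed on the breach date\n")

    web_entry = preserve_then_remove(planted, evidence, note="unexpected PHP file in uploads")
    cron_entry = preserve(cron, evidence, note="cron entry modified on breach date")
    Path(cron_entry["evidence_copy"]).write_bytes(b"edited after collection\n")  # simulated tampering

    return {
        "web_entry": web_entry,
        "cron_entry": cron_entry,
        "original_removed": not planted.exists(),
        "copy_matches": Path(web_entry["evidence_copy"]).read_bytes() == SAMPLE_CONTENT,
        "tampered": verify_manifest(evidence),
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["web_entry"], indent=2))
    print("tampered evidence copies:", result["tampered"])
```

The manifest is append-only JSON lines so it can be handed to counsel or law enforcement alongside the copies; in practice store the evidence directory on media the compromised host cannot write to, and keep the manifest’s hashes in a second place (a printout or a ticket) so an edit to the evidence store cannot also edit the record of it.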