* This article originally appeared in the September edition of PX Community Matters.
This is the second article in a two-part series dealing with what businesses should do if they have been the target of a cyberattack. For a link to last month’s article, which covered what businesses can do to reduce the chances of being a victim of a successful cyberattack, please click here.
Many analysts believe that it’s not a question of “if” but rather “when” a business will be the target of a successful cyberattack. If an organization believes that it has been the victim of a cyber incident, the steps it takes in the moments following this discovery will be crucial in mitigating the legal, business and reputational fallout.
Once a business discovers that it has been the target of a successful cyberattack, the following steps should be taken:
1. Activate the Response Team
Upon discovering a cyber incident, the business should immediately activate the incident response team, which should include representatives from relevant parts of the organization (e.g., legal, IT, human resources, etc.). The incident response team should diligently record all steps taken from the time the incident was discovered (e.g., a description of all incident-related events, details of all communications regarding the incident, a description of each employee's duties in response to the attack, a listing of how each network system was impacted by the cyberattack, etc.).
At this point, the business should seriously consider retaining external legal counsel who will engage an outside forensics team to determine the scope of the breach and prepare any written reports. Direction by outside counsel will help protect information and evidence collected under solicitor-client privilege, a key factor should the cyberattack ultimately result in litigation.
2. Containment and Assessment
The cyber incident team should move quickly and take steps to contain the breach, including (i) blocking any authorized access to the network, (ii) implementing steps to recover and/or restore any lost information or data, (iii) considering shutting down the network (or part thereof) that has been compromised, (iv) revoking or changing network access codes, and (v) implementing steps to address any weakness in the network. If the breach appears to involve theft or other criminal activity, the business should notify law enforcement.
Working with the system administrator, the incident response team should survey the network to determine the scope of the breach including which computer systems were impacted, where the incident originated, and what malware may have been installed on the network. Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack. Care should be taken not to destroy evidence that may be valuable in determining the cause or to allow the business to take appropriate corrective action.
Gathering accurate information and employing countermeasures as quickly as possible may limit the scope of the cyberattack, defend the system from additional attacks, and provide law enforcement with information to begin its investigation.
3. Preservation of Evidence
Preservation is critical when dealing with a cyber incident: the more evidence that is collected and preserved, the better positioned the organization will be to ascertain how its system was hacked.
After the necessary information and evidence of an attack have been preserved, the business should begin to transfer its information onto a “sanitized” system. When transferring information/data, care should be taken to ensure that the new data is completely free of any documents that were compromised. In order to maintain authenticity of the documents, access to the documents should be restricted and a clear chain of custody should be maintained.
4. Notification
Assuming that the cyber incident has resulted in data being compromised, the business should consider its obligation to notify (i) individuals whose information was compromised, (ii) law enforcement, (iii) the business’ insurer, and (iv) financial institutions, credit card companies or credit reporting agencies.
Notification can be an important mitigation strategy that has the potential to benefit both the organization and the individuals affected by a breach – if managed properly. If a cyber incident creates a risk of harm to the individual whose information was compromised, those affected should be notified. Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves.
Each incident needs to be considered on a case-by-case basis to determine whether, for example, privacy breach notification to the appropriate privacy agency (e.g., office of the federal and/or provincial privacy agency) is required.
A business should not hesitate to contact law enforcement even if it fears that its business operations will be disrupted. In Canada, businesses should also consider reporting the cyber incident to the Canadian Cyber Incident Response Center.
5. Preventing Future Attacks
Once steps have been taken to deal with the immediate consequences of the cyber incident, the business should take the time to investigate the cause of the breach and consider whether to develop and/or refine its existing prevention plan. The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance. This plan may include the following:
6. Prepare For the Fallout
Depending on the nature and scope of the cyberattack, the business should be prepared to deal with the potential fallout related to the cyber incident. In some instances, the business will need to manage potential reputational harm, deal with litigation and address the financial impact of the cyber incident for several years. In all instances, the key will be to inform management and to have a clear roadmap on how the organization intends to deal with the consequences of the cyberattack.