Cyber crime: Just like real crime

Cyber crime is in many respects no different to traditional crime. We can be cautious and risk-averse, take all known precautions and follow best practice. But there will always be a criminal somewhere who is more determined, smarter, or simply one step ahead of even the latest and greatest security features we’ve put in place.

One of the last and weakest links in any security system is the human one: the unlocked door or the open handbag. This is what makes social engineering attacks particularly successful. They enable cyber criminals to enlist the help of unsuspecting employees in their exploits. All it takes is for a staff member to click on an enticing link to a spoofed website, or open an official-looking, yet malicious, attachment.

Unlike traditional criminals who wander the streets in person, cyber criminals hide away behind virtual rocks. They are notoriously difficult to track down, and are rarely brought to justice. But the havoc they wreak is just as damaging as, if not more damaging than, that caused by the criminals sneaking around your back yard or store front.

However, the response required of the victims themselves in the aftermath of a cyber crime can be more important than the response required of victims of traditional crime. A victim of cyber crime needs to move quickly and in a planned and (ideally) rehearsed way to ensure that the fallout of an attack is contained and mitigated as effectively as possible, and that the growing regulatory obligations are complied with.

So what should you do following a cyber attack?

If you’ve suffered a monetary loss

In the unfortunate event that you suffer monetary loss due to an attack, you should contact your cyber insurer to let them know what happened and what you’re doing about it. You will also want to contact the police to ensure you have your insurance paper trail underway. Do this via a non-emergency channel, unless of course you are facing an immediate and considerable threat.

You will also want to contact your bank immediately. The quicker you do so, the more chance you have of the bank helping to minimise the damage.

Wait, do you have cyber insurance? If your answer is no, you should probably call your broker.

What about a cyber attack involving data?

If any third-party information or data has been compromised, you need to quickly assess the severity of the potential or actual impact of the breach. Depending on the level of impact, you will need to contact the other parties involved as soon as possible to enable them to put any mitigating processes into place. Don’t fudge the issue or wait until it is raised by a third party.

When the new Privacy Act comes into force next year, it will place various obligations on any entities which handle data. For example, your specially appointed privacy officer will need to notify both the Privacy Commissioner and the affected parties. Fines will be payable for any non-compliance.

Helpful tips if a hacker has sent a load of emails from your company

Don’t waste time picking up the phone or answering every query from concerned recipients. Instead, try putting a message on your phone system and website home page letting people know what has happened and telling them to delete the email.

Some best practice ways to help keep your business protected day-to-day:

  • Use security threat detection and prevention controls, and keep them up to date.
  • Install updates and patches for OS, software and firmware.
  • Put in place (and keep updated and rehearsed) a security incident response policy and procedure.
  • Invest in security awareness education for staff: remember that they are both your weakest security link and your last line of defence.
  • Put in place robust processes (for example, for verifying bank account numbers prior to transferring any funds) and dual-person checking of funds transfers.

In the unfortunate event of a breach, make sure that you:

  • Are able to know as soon as possible that the breach has occurred (this requires sufficient and well-configured monitoring across all key systems).
  • Stop additional data loss by identifying and isolating infected machines from public and internal networks.
  • Collect and retain any evidence (such as logs and emails) as you go, to show what happened and how you dealt with it.
  • Inform appropriate parties such as your insurer, bank, the police and CERT NZ.
  • Thoroughly investigate your IT systems to see how the attack occurred and what exactly has been compromised.
  • Consider the lessons learned, and take active steps to avoid a repeat, both in the short term and as things change over time.
  • Be proactive, not reactive, in dealing with affected third parties. Increasingly the risk to your business will come from reputational damage, and front-footing the problem with your customers and stakeholders will be key to controlling this.

Speak to phew! today about protecting your business from a cyber attack, and how we can assist with your response to a breach, should one happen to you.