Small Business Cybersecurity – The Basics (Part 2)
By Vince Mazza and Scott Saxe
February 7, 2022
In Part 1 of “The Basics” article series, we covered the proactive steps a small business should take to harden cyber defenses. In this Part 2, we’ll discuss what happens to your digital systems and data in a cyber-attack and the steps to take if your organization is breached.
What happens to digital systems and data in a cyber-attack?
Your business might have a disaster recovery plan, but does it cover your digital systems and valuable data? In a cyber-attack, you could lose your business’s network access and data. A basic recovery plan should detail the steps to get you running:
1. Stay Calm and Assess Damage. What was stolen, lost, or held ransom?
There are few things that can cause more panic than the realization the enterprise has been compromised.
Reacting impulsively in the face of internal panic could do more harm than good. Focus instead on minimizing the consequences by taking a measured, thoughtful response to the problem at hand.
Keep in mind also that just as you wouldn’t want anyone to disturb the crime scene in a television drama, the evidence of a breach should also remain intact. The team investigating the compromise shouldn’t erase or alter any logs in a hurried attempt to “do something.” This forensic evidence may be needed later by investigators or in a court of law.
2. Respond Immediately
The sooner you respond, the more money you can save and the quicker your business can recover. According to an IBM & Ponemon Institute study, “leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach – saving companies nearly $400,000 on average (or $16 per record).”
Audit your systems to figure out what happened. A professional security analyst can help determine the scope of the attack and recommend actions to plug security gaps. Verifying the attack involves:
- Identifying which systems and data have been compromised. Is it just names and addresses or more serious data such as passwords or credit card numbers?
- Determining which IP addresses were used in the attack.
- Confirming the type of attack (Virus? Malware? Unauthorized remote access? Something else?).
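The three verification questions above (which systems, which IP addresses, what kind of attack) are usually answered by reading authentication logs. The following Python script is an added illustration, not code from the original article or from Guard Street; it works on constructed sshd-style syslog lines embedded inline, and the three-failure threshold and the log format are assumptions, so adapt both to your own systems.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH/syslog style (not real data).
# 203.0.113.x is a documentation range; the hosts and users are invented.
SAMPLE_LOG = """\
Feb  7 09:01:12 fileserver sshd[1021]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Feb  7 09:01:15 fileserver sshd[1021]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Feb  7 09:01:19 fileserver sshd[1021]: Failed password for root from 203.0.113.45 port 51124 ssh2
Feb  7 09:02:02 fileserver sshd[1030]: Accepted password for backup from 203.0.113.45 port 51130 ssh2
Feb  7 09:05:40 fileserver sshd[1044]: Accepted publickey for alice from 192.168.1.20 port 40212 ssh2
Feb  7 09:06:01 mailserver sshd[1050]: Failed password for bob from 192.168.1.31 port 40300 ssh2
Feb  7 09:06:09 mailserver sshd[1050]: Accepted password for bob from 192.168.1.31 port 40301 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" line.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_lines(text):
    """Return (host, result, method, user, ip) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("host"), m.group("result"),
                           m.group("method"), m.group("user"), m.group("ip")))
    return events


def failed_logins_by_ip(events):
    """Answer 'which IP addresses were used': count failed attempts per source IP."""
    return Counter(ip for _, result, _, _, ip in events if result == "Failed")


def suspicious_ips(events, min_failures=3):
    """Flag a source IP once it logs in successfully after >= min_failures failures.

    That sequence (many failures, then a success) is the signature of password
    guessing, which answers 'what kind of attack'. The host and account involved
    tell you which system and which credentials to treat as compromised.
    """
    failures = defaultdict(int)
    flagged = {}
    for host, result, method, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif result == "Accepted" and failures[ip] >= min_failures:
            flagged[ip] = {"host": host, "user": user, "method": method,
                           "failures_before_success": failures[ip]}
    return flagged


def compromised_hosts(flagged):
    """Answer 'which systems were compromised': hosts reached by flagged IPs."""
    return sorted({info["host"] for info in flagged.values()})


if __name__ == "__main__":
    events = parse_auth_lines(SAMPLE_LOG)
    print("Failed logins by IP:", dict(failed_logins_by_ip(events)))
    flagged = suspicious_ips(events)
    print("Suspicious IPs:", flagged)
    print("Hosts to isolate and rebuild:", compromised_hosts(flagged))
```

Run it against an exported copy of the log rather than the live file, so the original evidence stays untouched as the article advises; the script only reads and never rewrites anything.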
3. Quarantine the Offender and Restore/Recover
Much like you keep a sick child away from siblings, isolate infected computers. By acting quickly to take the source computer or impacted applications off the network, you can better contain the cyber-attack by preventing any virus or malware from spreading.
While the initial reaction may be to take down your entire network, this could actually hurt you more than the hacker even dreamed by disrupting your operations and causing reputation damage with customers and in the marketplace.
Your cybersecurity specialist should identify the damage done and check for backdoors which hackers may have set up to enable future access to your system. It may also be that a trusted supplier was hacked, and the compromise originated there. In that case, be sure to block connected accounts until they resolve the issue on their end.
It’s not enough to quarantine the offender and then restore/recover. There should be vulnerability scans, patching, hardening, etc. before systems come back online (assuming a good backup). The idea is to stop the attack, harden against further attacks, and then restore/recover. Otherwise, it’s just a repetitive cycle.
“The average time to identify a breach was estimated at 201 days, and the average time to contain a breach was estimated at 70 days.” — Ponemon Institute
4. Allow Recovery Time
The attacked computers or servers will need some recovery time, just like a sick child does. Prioritize the order for cleaning and restoring based on how critical each component is to the business. You’ll want to install your most recent clean backup and change logins and passwords for all impacted systems. Use completely different random passwords. Take this opportunity to confirm that there aren’t any systems still using default passwords or something obvious like “admin” or “password.”
This step requires you to actually have a backup of your important files. We hope you’ve been following our regular advice to consistently back up and verify sensitive and critical information to an offsite device that is not connected to the network.
5. Disclose the Breach to Necessary Parties
Stemming the internal damage from a cyber-attack is only part of the process. Once a threat or vulnerability is detected, have a protocol in place for immediately informing users on the network. For instance, warning other users on the network or customers to discard rather than download an email ostensibly from someone in your company can help stop the spread of a well-crafted social engineering attack. If the cybercriminal discovered your banking information, call your bank and ask to cancel cards and issue new ones. If financial information is compromised, you should regularly monitor and audit transactions to ensure their validity.
Companies must also share their information with law enforcement and/or regulatory officials. There may be regulatory mandates to follow and even fines to pay, but resolving these quickly can help alleviate industry concerns on hearing of the attack.
Plus, your company may need to go public with the information to customers and stakeholders. In weighing the public relations cost of admitting a breach, consider how much worse things are for the company that tries to keep the attack secret and is later discovered to have withheld information. Remember: from a PR standpoint, it’s always better to be in control of the message rather than have a journalist break the story for you.
6. Plan Against the Next Attack
It’s a tough pill to swallow, but this could happen again. It’s the last thing you want to hear when your company is already dealing with an attack, but it’s true.
Try to learn as much as possible about how the attack came about in the first place and why you may have been a target. Was the attacker trying to gain access to certain information, disrupt business, or take over systems to enact a larger attack? Better understanding the motivation for the breach can help you in formulating an updated and improved security plan.
If you didn’t already have an incident response plan in place, consider this experience the wakeup call you needed. Further, a cybersecurity review to determine the gaps in your cyber posture and a disaster recovery plan should also be established. Given the average cost of a cyber-attack highlighted above, it should be easier to justify the expenditure to establish a response team and a plan proactively.
Your company is not too small to worry about a cyber-attack. Having cybersecurity processes in place can save your business money and time, and may well save the business itself.
It is critical for your IT staff to develop and maintain strategies, enforce policies, and remain vigilant with essential cyber protocols. For those companies without the internal expertise, we recommend finding a trusted partner to help with your security posture.
If you want to protect your business or think it’s already been compromised, reach out to our team at Guard Street to learn more about how we can help protect all that you’ve built.
About Guard Street
Guard Street, headquartered in Wheaton, IL is a high-tech cybersecurity and protection company arming businesses and consumers with world-class products built to protect what matters most. Guard Street products, Cyber Attack Protection Plan and Remote Workforce Cybersecurity, provide a full range of vulnerability alerts, incident response, email security and cyber liability insurance that empower our customers to be less vulnerable to cyber risk and help ensure that organizations recover when they are a victim of a cyber-attack.
Learn more at www.guardstreet.com or engage with us on our social media pages below.
© 2022 Guard Street Partners, LLC.