This blog post is part of a series of cyber incident top tips, you can view them all here.
So, the worst has happened, you have detected a breach on your IT systems, and you suspect the hacker is still active on your network, lurking and potentially causing further damage.
In the critical moments following a cyber breach, knowing who to call first can make all the difference in your response’s effectiveness and the overall impact on your organisation.
Here’s a quick quiz: Who do you call first?
- The CEO
- Your incident response retainer provider
- Nobody, keep it to yourself as long as possible
- The press
- Your PR team
- Your external IT administrator(s)
- Your cyber insurance
There’s a temptation to choose number three, thinking you can somehow defeat the hacker who has already bypassed your cyber defences. This is a common but dangerous mistake. Let’s explore why.
Why Not Number Three?
Keeping the incident to yourself or even delaying the discovery of a potential breach, hoping you can handle it alone, might seem like a great idea at the time, but it often leads to disastrous outcomes. Without the proper expertise and tools, you may inadvertently worsen the situation, allowing the hacker more time to cause damage.
By not involving experts immediately, you risk missing critical steps in the incident response process, such as properly containing the breach, identifying the extent of the compromise, and securing evidence for forensic analysis. Additionally, your internal team may not have the necessary experience to handle sophisticated attacks, leading to inefficient or incorrect responses that can prolong the downtime and increase the overall impact of the breach. The delay in professional intervention can also result in regulatory non-compliance, increased financial losses, and irreparable harm to your organisation’s reputation – doesn’t seem like such a great idea now, does it?
Why Not Number 7?
Although you’ll need to notify your cyber insurance provider, our experience shows that there is often a 3–5-day delay before you can connect with their technical team. During this period, your business recovery process will be affected, and all investigative and remediation activities may be delayed.
The Right Choices: No.2 and No.6
You can’t go wrong with No.2. Full-time experts in cyber incident response, such as your incident response retainer provider, are equipped to give you the immediate actions necessary for your situation. These experts have extensive experience dealing with cyber incidents and understand the urgency and precision required to mitigate the impact effectively.
Their expertise allows them to swiftly assess the situation, contain the breach, and prevent further damage. They can conduct thorough forensic investigations to understand how the breach occurred, what systems and data were affected, and the extent of the hacker’s activity. This information is crucial for determining the most effective remediation steps and for preventing future incidents.
Furthermore, incident response specialists can help you with the often complex legal and regulatory requirements that follow a cyber incident. They make sure that all actions taken are in compliance with relevant laws and industry standards, helping you avoid potential fines and legal complications. By leveraging their expertise, you not only manage the immediate crisis more effectively but also strengthen your overall cyber security posture for the future.
However, full marks go to those who selected No.6: Your external IT administrator(s).
Why No.6?
If you assume that most breaches are likely to end in a ransomware deployment, you’ll understand the critical importance of your backup system. When it comes to a cyber breach, particularly when ransomware is involved, understanding the role of your backup system is crucial. Ransomware attacks are designed to be as disruptive as possible, and one of the primary targets for hackers is your backup infrastructure. Hackers recognise that by encrypting, wiping, or otherwise disrupting your backups before deploying ransomware, they can increase the pressure on you to pay the ransom.
This is why your external IT administrators are vital. They can help you take immediate action to secure your backups. Here’s what you should do:
- Take your backups offline: When a breach occurs, especially if ransomware is suspected, your first step should be to protect your backup systems. External IT administrators are equipped to act swiftly to secure these backups. They can physically disconnect backup systems from the network to prevent further access by the attackers. This action is crucial in stopping the hackers from encrypting or deleting your backup files, which are often your last line of defence against data loss.
- Have offline copies: It’s essential to maintain a truly offline backup copy, often referred to as an ‘air-gapped’ backup. This backup is not connected to any network and is inaccessible to hackers who might be roaming your systems. External IT administrators can ensure that these offline backups are properly managed and periodically updated. This safeguard helps you avoid data loss so that you have a clean, untouched backup to restore from in the event of a ransomware attack.
Conclusion
In the event of a cyber incident, knowing who to call first is crucial to minimising damage and restoring normal operations swiftly. By combining the expertise of incident response professionals with proactive measures from IT administrators, you protect your organisation against cyber threats and significantly improve your operational resilience.
Need Some Help?
Need help ensuring your cyber incident response plan is robust and effective? Contact us today to discuss your cyber security needs and explore our comprehensive solutions designed to protect your data and ensure a swift, effective recovery in the event of an attack.
This blog post is part of a series of cyber incident top tips, you can view them all below:
- Tip 01: Taking advantage of ransomware’s biggest secret!
- Tip 02: Securing your backups from vulnerabilities
- Tip 03: Beware of automated response dangers!
- Tip 04: The importance of disconnecting yourself during a breach
- Tip 05: How to integrate your anti-virus protection with SIEM
- Tip 06: Ensure that your insurance covers cyber incidents
- Tip 07: Preparing for the worst – rebuilding after a major ransomware attack
- Tip 08: Who you should call first during a cyber breach
- Tip 09: Hold onto the evidence – why securing system logs is essential for cyber incident response
- Tip 10: What you need to know to make sure your penetration testing is effective
- Tip 11: Why tabletop exercises are crucial for incident response
- Tip 12: Famous last words – misconceptions before a major cyber breach