VBS staff have been alarmed and dismayed by how common hacking has become with small and mid-size businesses, but not surprised. It’s upsetting to see businesses who do such great work for their community having to worry and shift their focus to cybersecurity concerns.
Do you know what to do if you get hacked? Most people don’t. Small businesses are especially easy targets for hacking because they often have little IT security knowledge or technology and few resources to manage them. And since 95% of cyber-attacks are caused by human error, all a hacker would need in an insecure organization is one staff member who didn’t understand the risk and bam your company is hacked. In addition, small businesses rarely know what is the first thing you do when you get hacked.
We’ve put together a checklist of vital steps to take when you’ve been hacked to minimize the damage and help you get ready to take quick action. Knowing what to do after a cybersecurity breach is key to reducing downtime, costs and recovering quickly.
Understanding what are the first signs of being hacked and taking immediate response to cyber-attacks is the best way to stop a cyber breach in your business. The first step is to understand the type of risks how these cyber-attacks impact your business.
What is Ransomware?
Ransomware is a type of malware that encrypts the data on your devices, making it inaccessible, and holds it for ransom. For example, threatening to leak sensitive information to the public, until you pay to get it back.
If it sounds like something that only banks and big corporations have to deal with, think again. And remember that big companies have more resources to deal with those kinds of problems, so they can typically recover quicker.
What is Phishing?
What do you do if your email gets hacked? Have you ever opened up a link that appears to be from a website or business you know and sometime after that your colleagues or friends tell you they’ve received a mysterious email from you under your business’s domain name, but you didn’t send it?
That’s just one form of phishing and hackers have become very clever at making their emails look legitimate enough that a lot of even tech-savvy people make the mistake of clicking on malicious links in the email, either as an inline hyperlink or as a button. But once you do, you get infected.
Has your Business Been hit with a Cyber-Attack?
If your business has been compromised with a cyber breach, how you respond and the action you take may help or hinder your recovery. It’s best practice to prepare a cybersecurity incident response plan in advance, to clearly identify the necessary steps to recovery and also understand who is responsible to take action. If you do not have an incident response plan, see below to learn what is the first thing you do when you get hacked:
Been Hacked? What you need to do fast, here are the 10 steps to take
- Turn off internet access, servers, workstations and ask for professional help
- Communicate the incident with staff to stop all computing activities immediately
- Communicate with data owners and stakeholders to relay your recovery plan
- Contact your cybersecurity insurance and/or lawyer to advise of the incident
- Work with professionals to detect/analyze the cause/damage of the breach and prepare a report
- Recovery/remediation – clean up, restore, and take control of your data
- Change all passwords on devices, network and all apps, including cloud logins
- Lessons learned – recovering from a breach will make you stronger, when you take action to improve your cybersecurity posture
- Conduct a cybersecurity and network assessment to identify gaps
- Prepare an “Incident Response Plan”.
Download the key actions in our PDF cyber attack checklist and keep copies of it on your desktop and printed in your office. No registration necessary to sign-up.
Note: Just because you’ve determined that ransomware or phishing is the cause of a hack, you could also have other viruses or vulnerabilities attacking other parts of your system, such as missing security software updates. Routine IT management and threat monitoring can identify cybersecurity issues before they become disasters, running in the background so you can focus on your business.
So until you’ve ruled out other viruses and vulnerabilities, assume everything is at risk and test thoroughly.
If your system has been hacked, any activity on the hardware (router, server, hard drives, computer, USB sticks) or software applications (Microsoft Office Suite) can feed the virus and make it spread even further. You need to prevent that.
Here we explain in detail the 10 steps to take if you get hacked and why:
1. Turn off internet access, servers, workstations and ask for professional help
Just like with a flesh-eating bacteria, you need to starve the infection of opportunities to spread. Turn off employee access to the internet, servers and workstations and ask a cybersecurity professional for help with the next steps.
To help shield your business from future attacks, it’s very important that staff change their passwords, log out of secure sign-ons and set up added layers of security such as 2-factor authentication and a stronger firewall.
2- Communicate the incident with staff to stop all computing activities
It’s very important that staff get an official account from management right away about what is going on and what staff need to do, otherwise if they get the news second-hand, rumours can spread or the message can become distorted as staff relay the events to each other.
The key message in the official account must be that all staff must stop all computing activities, effective immediately. Because successfully dealing with cybersecurity incidents is a time sensitive matter, it is wise to have a message pre-written. This way you can immediately deliver it via the necessary channels.
Below is a sample message we’ve created that you can use to relay your message and next steps.
Note: This is just a generic example not meant to be copied and pasted wholesale. You must get an opinion from a legal professional to ensure your message is suitable for your case before moving forward.
Hi Team,
We are investigating a potential hacking of our systems.
Please stop all computer use immediately and until further notice. We have closed access to our servers, your workstations and internet access while we address this incident and will keep you keep you up-to-date when the situation changes.
We will update you soon with a notice in the kitchen (or over the PA). Thank you for your patience and cooperation.
Do not log back in until we give the go-ahead.
We may shut down early for the day. We’ll let you know soon.
In the meantime, enjoy the complimentary snacks in the kitchen.
3- Communicate with data owners and other stakeholders to relay your recovery plan
Your business will probably not be operating normally while you’re dealing with the virus, so you need to explain that and emphasize that you’re taking action on stopping the hack and working diligently on the recovery process.
Communicating what is happening and what you’re doing about it is vital to maintaining your credibility with customers, shareholders, sponsors and anyone else who could be affected by a cybersecurity incident either through having their data breached or through the incident’s potential impact on their reputation.
Then once you update them that the recovery has been successful, they will see you made good on your word and were honest and up-front with them.
4- Contact your cybersecurity insurance and/or lawyer to advise of the incident
Always seek legal advice on how and what you should comment and what else you should and shouldn’t do in managing the incident.
If sensitive data seems to have been compromised or at risk and your company hasn’t done its due diligence, it can pose serious legal and financial consequences for your business.
You don’t want to make the problem worse.
Read our post on the Digital Privacy Act (link to: https://www.vbsitservices.com/2018/11/law-requires-canadian-companies-disclose-information-data-breaches/) and how this Canadian legislation requires you to inform people of data breaches.
5- Work with professionals to detect/analyze the cause/damage of the breach and prepare a report
Your IT cybersecurity team will ask you for background on the incident. Giving them the information, they need when they need it can support a faster recovery process.
This may also mean you can get information on the impact of the incident sooner, potentially speeding up the launch of your response plan.
The report will give you direction on preventing future incidents and advise on what went wrong and what the consequences could be, enabling immediate response to attacks. Questions the cybersecurity response team may ask you from you to support the data breach response:
A) Which applications, servers and/or devices do you know for sure are affected?
They’ll look for all traces of the of threat(s), but the more information you can provide up front, the faster they can get to work to fix the problem.
B) What are the consequences of the breach so far (that you can see)?
C) Server information including, credentials, who has access, backup details, etc.
D) Do staff use devices not owned or managed by the company and if so, how and when?
E) Recovery/remediation – clean up, restore, and take control of your data
6- Recovering from a cybersecurity incident requires a sufficient clean-up of the data on your system to remove the malware or threat and put safeguards in place to prevent future incidents, but, just like with the previous steps, trying to do this on your own is fraught with risk.
While the previous steps will give IT an idea of what went wrong, how it happened and what the impact was, there may be more information to glean on the incident in later steps of the recovery. Cleaning up the data removes this information, so it’s best to hire cybersecurity professionals to clean up, as they will collect important intelligence on the incident before erasing it.
Restoring your data after the clean-up is a lot simpler and faster if you have it backed up securely, which means your business can get back up and running sooner. Another benefit is that if your data is held for ransom during an incident, you have less to lose if you can’t get it back because you have a backup copy.
Backing up your data regularly is vital to your recovery from cybersecurity incidents. You not only want to back up your applications and documents. Ideally you should also back up the settings and tools of your business’s operations, as these take time and resources to re-enable. In addition, backup your cloud data such as Office 365 or Google WorkSpace with a secure cloud to cloud backup, with built in ransomware protection.
If you haven’t backed up your system, your data and systems will have to be found from other sources and set once the operating system is re-installed. This process is easier if you work with a cybersecurity expert and your operations manager.
As you’ll no doubt conclude from this step in the process, keeping a comprehensive back-up is key to get back up and running. Contact us today to start the process.
7- Change all passwords on devices, network and all apps, including cloud logins
Preventing another cybersecurity incident requires preventing unauthorized entry into your systems.
If it seems far-fetched that a hacker could figure out your password, think again. Hackers often use brute force attacks to guess passwords. This involves a computer using a bot attempting many different passwords in a very short period of time until they find the right one that works. They are more likely to get lucky if your passwords are short and simple with real words and/or common sequences in your passwords. If an account with administrator privilege gets a brute force attack, the results are often devastating.
So you not only need to change the passwords, you need better password hygiene. Your staff should be trained on password best practices, (another service we provide). It’s important to mix lower case, small case letters, numbers and special characters and having at least 11 characters in a password.
Other Password tips:
-Require 2-step MFA (multi factor authentication) verification, where in order to sign-in, the user gets a code texted or phoned to them and they enter the code into the designated field in the sign-in page.
-Set up a notification to the administrator if an account password is attempted more than 5 times. This can signal an attempted brute force attack or manual breach attempt.
8- Lessons Learned – recovering from a breach will make you stronger when you take action to improve your cybersecurity posture
There is a saying in the airline industry that every crash makes flying safer because of the auditing and safeguards that take place afterward. The same is true of cybersecurity breaches if you do your due diligence and work with professionals
Lessons learned include:
-Weaknesses in your system that allowed the cybersecurity breach to infiltrate deeply and devastatingly
– Communication lapses that lengthened the recovery process
– How a strong response plan can speed up your uptime.
– What parts of your system need to be manually restored and how to do that
9- Conduct a cybersecurity and network assessment to identify gaps
A common misconception is that data is all that needs to be protected and recovered, but there are many nuances of your system and settings that are often also compromised during a cybersecurity breach and this can have even greater consequences of a data breach, for example, in the event that those systems are leaked to competitors. In any case, manually setting things up is a huge undertaking and you want to prevent that in the future.
Having your cybersecurity and network assessed illuminates those vulnerabilities and identifies ways to protect and recover them. You can communicate network safeguards to your stakeholders to instill their trust, which can prompt referrals, good publicity and other benefits from a strengthened reputation.
10- Prepare an “Incident Response Plan” (to help you restore faster in the event of re-occurrence)
The best defense against an incident is preparation.
The speed of a business’s recovery after a cybersecurity incident depends on the speed and quality of the response to it. Without it, your business will likely face huge costs, including longer downtime.
This can only happen with a well-prepared incident response plan. All parties affected need to learn and understand their roles in the plan, so it can move smoothly and swiftly.
This means the administrator is only one person who needs to understand. Cybersecurity incidents affect the whole company. Do your staff know what to do after a security breach, how and to whom they are supposed to report a cyber incident and what exactly needs to be reported? This requires training.
We’ve given you a lot to think about and it’s easy to become overwhelmed.
Cybersecurity Attack Breach Response Investigation
Identify and resolve cybersecurity incidents quickly with VBS’ responsive breach investigation team.
Click here to learn more.
Working with VBS IT Services is an excellent way to get quick cyber attack aid. Contact us with any of your questions at 416-900-6852 or TF 1-877-709-2656 or click here.
Stay safe and secure.
Related Articles
Why do small businesses need a cybersecurity?
How do hackers choose their targets?