I was responding to an acquaintance in a group on LinkedIn called SMB Cyber Security that asked what do I do if I’m hacked and I sent him the following. I’m posting my response here as well…
Our Service gets installed by a lot of SMB’s unfortunately AFTER they have been hacked because many exec teams just don’t understand the risks (more).
The exec will ask–what do I do the next time I’m attacked? Our answer—it’s really about what you do BEFORE you have been attacked that matters. So we start educating them about cyber insurance, cyber training for employees, Incident Response Plans (example), Business continuity plans (more info) &/or Disaster recovery plans (more info) and policies such as the examples I’ve included here:
- Acceptable Use Policy (more info)
- Remote access policy (more info)
- Employee termination and out-processing policy
- Password policy (more info)
- Encryption policy (Great example)… More info on encryption.
- Bring your own device (BYOD) policy (Great example).
More example policies can be found here.
However, if an SMB gets attacked AND the attack appears serious (potential loss of PII &/or crown jewels) AND they are not prepared with the plans/policies above then they may do the following:
- Gather and preserve as much information as possible (server logs, firewall logs, email logs, secure gateway logs, interview people etc.)
- Determine the nature of the attack (point of origin, intent, systems compromised, files taken etc…)
- Contact appropriate management (keep in mind the board of directors are personally liable for company risk)
- Let management determine if FBI, Local Authorities, Forensics, Legal and Insurance contacts should be notified
- Segregate all hardware devices suspected of being compromised from other business critical devices
- Quarantine instead of deleting
- Restrict Internet traffic to only business critical servers and ports.
- Disable remote access capability and wireless access points.
- If authorities are involved, once they give the OK then re-install the affected system(s) from scratch and restore data from backups if necessary
- Make users change passwords. Consider changing passwords on servers/infrastructure if necessary.
- Ensure all systems are fully patched (check WiFI/Routers etc. for necessary firmware upgrades)
- Create and execute a Communications Plan–review both regulatory breach notification laws and state breach notification laws.
- Assesses the damage to the organization and estimates both the damage cost and the cost of the containment efforts
- Last but not least, go into survival mode… as most don’t make it due to loss of reputation.
