5 Factors Companies Should Consider Before Responding to a Cyber Incident

Media Division | March 27, 2017

Chances are nearly 100% that a company will deal with a cyber incident at some point in time, likely more than one. That’s because cyber incidents have become more varied, more sophisticated, more widespread and more accessible (with hackers-for-hire and prepackaged attacks available on the cyber black market).

Responding to a cyber incident is not a “one size fits all” prospect.  There are as many possibilities as there are companies in the global marketplace.  Here are 5 key points to consider before responding, effectively, to a cyber incident.

1. The Type of Attack

The 4 most common types of cyber incidents are:

  • Phishing scams: attempts (usually by email) to obtain sensitive information, such as usernames and passwords, employee identification information, credit card information or social security numbers. These can be as obvious as the fun James Veitch has had with scammers or so subtle they fool nearly half of all recipients.
  • Distributed denial of service (DDoS) attacks: these annoying and malicious attacks may just be designed to slow down your company site or the internet in general. As with phishing scams, DDoS attackers do not even have to create their own code anymore, since packaged hacks are readily available on the cyber black market, payable in Bitcoin and potentially untraceable on platforms like Tor.
  • Ransomware: an increasingly popular form of attack. Just like the computer viruses that have been around for cyber time immemorial, ransomware bugs your system; the difference is that ransomware is specifically designed to hold your corporate information hostage.
  • Intentional internal data leaks.

The response to these or any other types of attacks can vary, and may surprise you: you may actually want to pay that ransom, since the overall cost to operations may be less if you pay than if you try to restore or otherwise repair your system.

DDoS attacks may just require some rerouting, depending on your service set-up.

Phishing scams may require internal training programs, to protect your system in the future from what is most commonly “user malfunction” (employees fell for that scam in the first place!).

Naming exactly what type of cyber incident you are experiencing, including its likely origin, is the first step in gauging a response. Internal actors may require delicate investigation, whereas an externally-originating incident can be acted upon more swiftly.

2. Existing Policy and Precedent

The next step in response to a cyber incident is to consider existing company policy and precedent. If you’ve done your homework, you have SOPs for response to common types of cyber incidents. You may even have internal precedent, where you have learned what to do (or not do!) from similar incidents in the past.

If you do not already have an existing policy, consider drafting a policy for the future to be part of your current cyber incident response. Too little too late, perhaps, but you can survive a cyber incident and emerge that much the wiser.

If you do not already have one, it is also important to have a corporate whistle-blower policy that includes cyber incidents in its scope.

3. The Goal of Your Response

The specific objectives of your response should also be clearly stated as part of your cyber threat assessment. Are you just trying to mitigate an internal threat? Return to operation as quickly as possible? Prevent such future incidents (such as in the event of a phishing scam that compromises sensitive data)?

You may have more than one objective, but as clearly as possible you should state the goal(s) of your response.

4. The Potential PR Situation

Public relations is an interesting beast: hide a cyber incident and data may leak anyway, worsening the impact.  Broadcast a cyber incident and you may damage your reputation or even be held fiscally responsible for the data breach.

Sometimes the best move is to make a public statement; sometimes it is not. The best PR moves are based on the three previous steps: you need to understand the attack, your policy, and your incident objectives before you can determine what the best possible PR move is, which is why this is the fourth step in your response.

Companies have lost money over a cyber incident; others have had no detectable impact on the bottom line whatsoever.  Consider the possibilities and the PR outcomes before responding to a cyber incident.

5. What Resources to Employ

The final factor to consider before responding to a cyber incident is the resources you wish to employ. Depending on the nature of your business, or in the event of a deliberate internal or corporate spying attack, you may wish to involve law enforcement. You certainly want to employ resources that have familiarity with investigating cyber incidents: unfortunately, sometimes even accessing data can alter the data and thereby tamper with evidence. A rushed response, though promisingly able to get you “back online” quickly, may do further damage.

An element of caution about what internal resources to involve may also be an important part of the response.  Automatically involving execs or IT professionals may unintentionally cause further leaking of the incident: a controlled response is best.

When you use an external resource to help with the cyber threat assessment (CTA) and response mitigation, ideally you already have a relationship with such a company. If you do not, assess their level of familiarity with your business and procure that resource.

If you consider these 5 factors, you should be able to respond swiftly and effectively to a cyber incident.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.