What’s Your Action Plan In Case of Cyberattack?


If your emergency response to a breach is improvised on the spot, with people pulling cables and shutting down servers because nobody is sure who is in charge or what to do first, something is not right. No company, regardless of size, activity, or location, should be relying on that kind of reaction.

Whether you work with a cybersecurity company to keep your systems running or you handle it in-house, there should be a written incident response plan. That way, if key personnel are not available, other people can take over and resolve the problem. A plan also lets you keep a record of incidents, identify weaknesses in your systems, and improve over time.

Moreover, the plan must be regularly reviewed and updated so it includes the latest developments in cybersecurity and threats.

Lastly, the plan must be reviewed and approved by the company's key decision-makers (the CEO and other executives). This brings the risky scenarios to their attention, and it shows employees and collaborators that the plan can be trusted because it has support from the top.

How to Deal with An Incident?

Start by making sure the right people are involved as early as possible. This means the response plan must clearly state who is in charge of each type of situation and who steps in if they are not available.

In addition, every employee and executive must know who to call when they first notice a problem. Each department should also have someone responsible for assessing the situation and contacting the right people to deal with it.

Our Recommendations on How to Respond to Common Cyber Incidents

In the past couple of years, our team has helped remediate many cyber incidents for small and medium-sized organisations. We have learned that cybercriminals favour a handful of attack types, and that these succeed mainly when no specialist is involved in the response.

Here are the most common attacks we were called to solve:

#1: Ransomware

Ransomware is the most common form of malware we are called in for. It is usually delivered via a phishing email (a malicious attachment or link) or through a remote desktop (RDP) connection exposed to the internet and protected by a weak or reused password. Ransomware pays off well for the attackers: the victim's data is encrypted and a ransom is demanded in exchange for the key to get it back (for more information on Ransomware, read this article).

How do you know if you’re hit with Ransomware?

A ransomware attack is easy to recognise, as it basically holds your important files hostage. Your files (on the computer or on the server) become inaccessible: they are typically renamed with a new extension, and opening one, say a Word document, fails or shows garbage because the contents have been encrypted. The key needed to decrypt them is what the attacker is selling you.

In most cases, a ransom note (a text or HTML file dropped into the affected folders) or a pop-up window tells you about the infection and how to pay.

What to do?

  1. The first thing to do is to isolate the affected computer from the network: unplug the network cable and switch off Wi-Fi. This stops the infection spreading to shared drives and other machines. Avoid powering the computer off if you can; the running malware, its network connections and sometimes even the encryption key are only in memory, and the IT team may need that evidence. Power off only if you cannot disconnect it from the network.
  2. Report the issue to the designated cyber incident response person as well as the IT team. In small businesses, the designated person is usually the business owner, and the IT team is probably outsourced to a Managed Service Provider like Onsite Helper.
  3. If other staff report that their files, or the files on the server, are also inaccessible, the ransomware is spreading through the network. Isolate those computers the same way, and disconnect the file server from the network (or stop sharing) until the IT team has assessed it.

The IT team will need to recover data from backups and clean or rebuild the infected computers and servers before allowing staff to work on them again. Before restoring, they should confirm the backups themselves were not encrypted or deleted (ransomware operators look for connected backup drives and online backup consoles first), which is why an offline or immutable backup copy matters. They must also work out how the ransomware got in, reset any credentials that may have been used, and close that entry point before anything is reconnected, so the same attacker does not simply walk back in.
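The following is an added example, not part of the original article, of what the first responder can run on an affected Windows workstation before the IT team arrives. It isolates the host without powering it off and records the volatile evidence the later audit will need. It assumes an elevated PowerShell session; the evidence folder path, the 24-hour window and the ransom-note name patterns are assumptions, not a complete list.

```powershell
# Added example (not from the original article): first-response triage for a
# Windows workstation showing ransomware symptoms. Run as Administrator.
# Assumptions: $EvidenceDir is a USB stick or local folder of your choosing;
# the note-name patterns and the 24 h look-back are illustrative only.
param(
    [string]$EvidenceDir = "D:\ir-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Snapshot live network connections first; they vanish once we isolate.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv -Path (Join-Path $EvidenceDir 'tcp-connections.csv') -NoTypeInformation

# 2. Isolate: disable every active adapter (Ethernet and Wi-Fi). The machine
#    stays powered on, so memory, event logs and running processes survive.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

# 3. Record running processes with image path and command line. The encryptor
#    is often still running from a temp or user-profile folder.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv -Path (Join-Path $EvidenceDir 'processes.csv') -NoTypeInformation

# 4. Find ransom notes and the burst of renamed files. Only the local profile is
#    scanned: mapped drives are unreachable now, and the server is triaged separately.
$since  = (Get-Date).AddHours(-24)
$recent = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since

# Ransom notes are small text/HTML files dropped into many folders at once.
$recent | Where-Object { $_.Name -match 'DECRYPT|RECOVER|README|RESTORE' } |
    Select-Object FullName, LastWriteTime |
    Export-Csv -Path (Join-Path $EvidenceDir 'possible-ransom-notes.csv') -NoTypeInformation

# Thousands of recently written files sharing one unfamiliar extension is the
# encryption signature; the top of this list names the extension to search for.
$recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Name, Count -First 20 |
    Export-Csv -Path (Join-Path $EvidenceDir 'recent-extensions.csv') -NoTypeInformation

Write-Host "Host isolated. Evidence written to $EvidenceDir. Leave the machine powered on."
```

The order matters: connections are captured before the adapters go down because that list is lost the moment the host is isolated, while processes and files can be collected at leisure afterwards. Hand the evidence folder to whoever leads the incident; it gives them the entry point (the process and its parent), the affected extension to search the server for, and the note identifying the ransomware family.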

Related article: IT security best practices

#2: Email hacking

Email hacking is also very common. Most organisations now use Google Workspace or Microsoft 365, and the login credentials for these cloud services are easily compromised through phishing pages that mimic the sign-in screen, or through a password reused on another website whose user database has leaked.

How do you know if your email has been hacked?

Most cybercriminals put a lot of effort into covering their tracks once they have broken into someone's email account.

They look for opportunities to extort money from your contacts. They read through your emails looking for chances to write to your contacts pretending to be you and ask for a payment to their bank account.

If you often email your accountant or financial planner to arrange transactions, there is plenty of opportunity here. They set up email forwarding and inbox rules so that when your contact replies, the message skips your inbox and goes to them, keeping you blind to what is going on. They also delete their messages from the Sent Items folder and empty the Deleted Items folder so you cannot see what was sent. With luck, your contact calls you to say that something does not seem right, and that is when you realise you have been hacked.

Another sign that you may have been hacked is an email or alert from your provider about a suspicious sign-in to your account from overseas or from a device you do not recognise.

What to do?
  1. The first thing to do is change your password. Even if you are not sure whether you were hacked or just received a tricky spam email, it does not hurt. Note that a new password alone may not lock the intruder out: sessions already signed in, and any app passwords or tokens they have obtained, can keep working until they are revoked, so ask your IT team to sign out all sessions and turn on multi-factor authentication if it is not already on.
  2. Report the issue to the designated cyber incident response person as well as the IT team. Again, for small businesses, the person in charge is probably the owner and the IT team is probably outsourced to a Managed Service Provider like Onsite Helper.
  3. The IT team or Managed Service Provider will need to review the account for anything the cybercriminal has put in place: mailbox forwarding, inbox rules and filters that forward, redirect or hide messages, new multi-factor devices or recovery addresses, third-party apps granted access to the mailbox, and delegated access for other users. The recent sign-in history shows where and when the attacker connected. If you use an email backup service, check the backups to see whether emails were deleted and need to be restored.
  4. If you find evidence that the cybercriminal was emailing your contacts, call those people to explain what happened and limit further damage. Cybercriminals often send phishing emails to your entire address book to harvest your contacts' login details too. If this has happened, email all your contacts to warn them and ask them to delete the phishing message.
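The checks in step 3, as an added example that is not part of the original article, written for a Microsoft 365 mailbox using the Exchange Online PowerShell (ExchangeOnlineManagement) and Microsoft Graph PowerShell modules. The victim address and your own domain are parameters you supply; the folder names treated as hiding places, the Graph permission scopes and the requirement that your tenant licence includes sign-in logs are assumptions. Nothing is changed unless you pass -Remediate.

```powershell
# Added example (not from the original article): audit and clean up a
# compromised Microsoft 365 mailbox. Requires ExchangeOnlineManagement and
# Microsoft.Graph modules. Assumptions: the folder-name pattern used to spot
# "hide the reply" rules, the Graph scopes requested, and that sign-in logs
# are available in your tenant. Run without -Remediate first to review findings.
param(
    [Parameter(Mandatory)][string]$Victim,     # e.g. jane@example.com.au (placeholder)
    [Parameter(Mandatory)][string]$OwnDomain,  # e.g. example.com.au (placeholder)
    [switch]$Remediate
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding (set through the admin portal, not an inbox rule).
$mbx = Get-Mailbox -Identity $Victim
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning ("Mailbox forwarding: SMTP={0} Address={1} KeepCopy={2}" -f
        $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress, $mbx.DeliverToMailboxAndForward)
    if ($Remediate) {
        Set-Mailbox -Identity $Victim -ForwardingSmtpAddress $null `
            -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
}

# 2. Inbox rules that leak mail outside the organisation or hide replies from
#    the owner (delete, or move to a folder nobody reads). The external check is
#    deliberately crude: any recipient string without our own domain in it.
foreach ($r in Get-InboxRule -Mailbox $Victim) {
    $targets  = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
        Where-Object { $_ }
    $external = $targets | Where-Object { $_ -notmatch [regex]::Escape("@$OwnDomain") }
    $hides    = $r.DeleteMessage -or
        ($r.MoveToFolder -and $r.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History')
    if ($external -or $hides) {
        Write-Warning "Suspicious rule '$($r.Name)' (Enabled=$($r.Enabled)): $($r.Description)"
        if ($Remediate) {
            Remove-InboxRule -Mailbox $Victim -Identity $r.Identity -Confirm:$false
        }
    }
}

# 3. Other people with access to the mailbox (attackers sometimes add themselves).
Get-MailboxPermission -Identity $Victim |
    Where-Object { $_.User -notmatch 'NT AUTHORITY\\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights | Format-Table -AutoSize

# 4. Sessions, app consents and sign-in history via Microsoft Graph.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

if ($Remediate) {
    # A password reset does not kill tokens already issued; this does.
    Revoke-MgUserSignInSession -UserId $Victim | Out-Null
    Write-Host "All refresh tokens for $Victim revoked."
}

# OAuth apps the user (or the attacker, as the user) has granted mailbox access.
Get-MgUserOauth2PermissionGrant -UserId $Victim |
    Select-Object ClientId, ConsentType, Scope | Format-Table -AutoSize

# Recent sign-ins: look for unfamiliar countries, IPs and legacy clients.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Victim'" -Top 50 |
    Select-Object CreatedDateTime, IPAddress,
        @{n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed |
    Format-Table -AutoSize
```

Run it first without -Remediate and read the warnings: a rule that deletes anything containing "invoice", "payment" or "bank" is the classic business-email-compromise setup described above. Then rerun with -Remediate after the password has been changed, and review the OAuth grants and sign-in list by hand, since what counts as "unfamiliar" depends on the business. Google Workspace offers the equivalent checks in the Admin console (user security settings, sign-in audit log and Gmail filters), but they are not scripted here.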

#3: Website Hacking

Website hacking is the third most common incident we come across.

Cybercriminals often hack websites to use the hosting account as a platform for sending out millions of spam or phishing emails, or to deface the site and use it as a billboard for their message.

If your website has an e-commerce function or a client portal, the cybercriminal will go after the database of usernames, password hashes and credit card numbers.

Keep in mind: Content Management System (CMS) websites such as WordPress are easily hacked if the core software, themes and plugins are not kept up to date.

How do you know if your website has been hacked?

Often it is obvious, because your website has been replaced with something completely different.

Other times you will not know until someone tells you. That could be your hosting provider, which sees a huge spike in outbound email from your account, a search engine or browser flagging your site as malicious, or a customer reporting credit card fraud.

What to do?
  1. If you have access to your hosting control panel (for example cPanel), log in and change your password. Do the same for your CMS (e.g. WordPress) administrator accounts, and rotate the database, FTP/SFTP and any API credentials stored in the site configuration, since an attacker who has read the files has those too.
  2. Notify your web developer so they can rectify the issue. The safest option is to completely wipe the hosting account and reload the content from a backup, choosing one taken before the compromise; a recent backup may already contain the attacker's backdoor.
  3. Have your web developer perform an audit to find out how the hackers got in (an outdated plugin, a stolen password, a vulnerable upload form) and put measures in place to prevent it happening again. As part of that, they should compare the CMS core and plugin files against the vendor's known-good versions and check the user list for administrator accounts nobody created.

Related article: Keeping Your Wordpress Website Safe.

Conclusion

It is extremely important for organisations to have a cyber incident response plan and to train their staff to prevent incidents from happening. When incidents do happen, the plan must be acted on as quickly as possible with the right people involved so the damage can be minimised.

It is also a good idea to reduce the organisation's risk as much as possible by making it much harder for cybercriminals to get in. For this, the Australian Cyber Security Centre publishes a list of eight mitigation strategies all organisations should have in place, known as the Essential Eight. If these are followed and maintained, the likelihood of a successful attack on your organisation is significantly reduced.

You may also want to consider cyber insurance to protect your business. The cost of dealing with a cyber attack can be much more than repairing databases, strengthening security or replacing laptops. Cyber liability insurance can help your business with the costs of recovering from an attack. Of course, as with all insurance policies, it is very important that your business understands exactly what it is covered for, and what the insurer requires of you (many policies expect basic controls such as multi-factor authentication and backups to be in place).

Finally, if you are the victim of a hacking, you will need to review what data the attacker may have taken, because you may have to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) to comply with the Notifiable Data Breaches scheme.

If your organisation would like to know more, Onsite Helper can assist with creating a Cyber incident response plan, training your staff & responding to any cyber incidents. Contact us on 1300 889 839 or email enquiries@onsitehelper.com