Cybersecurity best practices – how should companies respond to a cyberattack?

The first order of business is essential – don't panic

Cybersecurity best practices – how should companies respond to a cyberattack?


By Mark Rosanes

Businesses have seen a massive spike in cyberattacks since the pandemic began, with weekly numbers reaching an all-time by the end of last year, the latest report from cyber intelligence firm Check Point Research has revealed.

Globally, the volume of attacks jumped by 50%, peaking at 925 per week in December, which the study largely attributed to the Log4J vulnerability exploit attempts.

“We saw cyberattack numbers peak towards the end of the year,” Omer Dembinsky, the firm’s data research manager said in a Press release last December. “I expect these numbers to increase going into 2022, as hackers will continue to innovate and find new methods to execute cyberattacks, especially ransomware. We’re in a cyber pandemic if you will.”

In terms of industry, the education and research sector logged the highest number of weekly attacks in 2021 at 1,605 per organization, increasing 75% from the previous year. This was followed by military and government agencies, which experienced 1,136 weekly incidents for a 47% rise, and communications companies reported 1,079 attacks per organization every week, climbing 51%.

Although North American businesses registered the least number of weekly attacks at 502, the figure still represented a 61% yearly ascent, the second biggest spike among all regions, trailing only Europe.

Given the current threat environment, it is only a matter of time before an organization suffers a major cyberattack. The situation highlights the need for every business to have a clear understanding of what steps to take when crisis strikes as their survival often depend on how effective their cyber response strategies are.

A step-by-step guide on how businesses should respond to a cyberattack

To find out the best practices for responding to a cyberattack, Insurance Business checked the websites of several industry specialists for tips and strategies. Here are the steps that companies should take if they fall victim to an attack, according to experts.

1. Engage a data forensics investigation team

The first thing that businesses should do once they detect a cyberattack is to quickly secure their IT infrastructure and immediately mobilize a cybersecurity response team to identify the source of the attack and its cause. This involves mobilizing their own cybersecurity team or enlisting the services of third party if they do not have one and instructing them to start work while the evidence is still fresh.

“This should be a team of cross-discipline professionals trained in protecting your business from such attacks,” explained New York-based software company Wickr. “It’s important that each team member has been properly trained in his or her role and knows precisely what to do in the event of an attack.”

According to global information security services provider ITSEC, an incident response team can include forensics specialists, information security professionals, and the company’s senior management and legal council.

“Working together, this team will deliver your initial response to the crisis,” the firm said.

2. Determine the type of attack

Identifying the type of attack enables the cybersecurity response team to implement the appropriate measures, according to experts.

“Once you know what type of attack is occurring, you can know where to focus your attention on and how best to contain and recover from the attack,” Wickr wrote on its website. “You need to know not just the type of attack but also the likely source, the extent of the attack, and its probable impact.”

Global consulting giant EY noted how “knowledge of the enterprise network environment is critical” at this stage as the response team “isolates the incident and zeroes in on the affected systems and data.”

“Depending on the severity, complexity, and urgency of the incident, appropriate escalation procedures are enacted based on pre-established criteria,” the firm explained. “The triage guidelines should be continuously fine-tuned to stay current with the organization’s risk environment so that critical risks are not missed, and low-level risks don’t take up precious resources.”

3. Contain the threat

Once the type of attack has been identified and confirmed, the next step is preventing the threat from causing further damage.

“Most passive attacks are designed to provide the attackers with a persistent backdoor into your systems, so that data can continue to be extracted over time,” Wickr warned. “It’s important to identify and shut down all access the attackers may have to your system. The same is true, obviously, if your company is the victim of a more active attack.”

4. Assess and repair the damage

After the cyberattack has been contained, businesses need to assess the extent of the damage and take the necessary steps to strengthen their systems.

“The compromised organization should identify and address vulnerabilities in the environment, sufficiently strengthen the environment to complicate the attacker’s effort to get back in, enhance its ability to detect, and respond to future attacks, and prepare for eradication events,” EY advised.

California-based software company Delinea added that to restore the systems to a “pre-incident state,” businesses need to take some necessary steps.

“Collect as much evidence as possible and maintain a solid chain of custody,” the firm said. “Gather logs, memory dumps, audits, network traffic, and disk images. Without proper evidence gathering, digital forensics is limited so a follow-up investigation will not occur. Eliminate the security risk to ensure the attacker cannot regain access. This includes patching systems, closing network access, and resetting passwords of compromised accounts.

“During the eradication step, create a root cause identification to help determine the attack path used so that security controls can be improved to prevent similar attacks in the future. Perform vulnerability analysis to check whether any other vulnerabilities may exist.”

5. Notify the proper authorities

Experts also pointed out the importance of notifying the proper authorities as soon as possible.

“Report the incident to your local law enforcement if recommended by your legal counsel,” ITSEC said. “The quicker they know, the more they can do to help.”

“Immediately contact the FBI and state and local law enforcement offices,” Wickr added. “You’ll also want to report the attack to the Secret Service’s Electronic Crimes Task Force, as well as the Internet Crime Complaint Center and the Federal Trade Commission. If your company has cyber liability insurance, contact your insurance carrier for advice and support.”

6. Communicate with affected parties

A cyberattack can result in major reputational damage. Because of this, experts advise businesses to work with public relations specialists to determine how to best manage the impact of the incident. 

“Your customers will need to be notified, especially if the attack impacted any customer data,” Wickr explained. “It’s also important to issue a press release regarding the incident. You need to be upfront and transparent about the attack in order to maintain public trust.”

“If any other businesses have been affected, notify them,” ITSEC added. “This includes your bank, financial services partners, and the credit bureaus that can monitor your accounts for fraud resulting from the breach.

“Designate a contact from your organization to release the notifications when appropriate. That person should have all the latest news on the breach, those affected, and your current response activities.”

7. Learn from the experience

Surviving a cyberattack should be a learning experience for businesses and help them better prepare for future incidents.

“It is also important for the organization to turn a reactive crisis management case into lessons for proactive cyber risk management,” EY noted. “The cyber response team should summarize information security improvement measures based on the investigation’s outcome.”

“[Assess] what went well and what did not go well,” Delinea advised. “Plan how it can be improved in the future. Write up an incident response report and include all areas of the business that were affected by the incident.”

The firm added that businesses should also evaluate whether management was satisfied with the response and determine if they need to invest further in staff, training, or technology to improve their security stature.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!