More businesses are beginning to realize their vulnerability to cyber-attacks as headlines fill with stories of data breaches. The falling cost of storage and managed software solutions has meant that even small companies now store large amounts of personal information that needs to be protected. An employee can also expose a company to compromise simply by losing a mobile device that holds company data or credentials.
The response to a cyber-attack is composed of the following four phases:
- Identification
- Containment
- Recovery and prevention
- Remediation
Identification
The initial discovery of a security incident may come from a variety of sources, including anti-virus software, system administrators or employees. At this point the head of the IT department should initiate the incident response plan, which activates an incident response team. The team’s primary objective is to determine the nature and extent of the incident, which could turn out to be a technical problem rather than an actual attack. An initial assessment should be performed as quickly as possible so that, if it is an attack, the best response can be chosen. It’s essential to avoid overreacting to an attack by implementing unnecessary and expensive measures, which can cause more damage than the attack itself.
Containment
The response to a cyber-attack should escalate as needed to contain the threat. This step may require an outside consultant, especially for organizations without in-house expertise in information security. A severe attack may require hardware components to be shut down and isolated from the network, so that the infected systems can be identified and forensically copied before they are restored from backups. A forensic copy is an essential part of the containment phase because it preserves the infected system exactly as it was found for later analysis to determine the root cause of the breach; restoring a system before it has been copied destroys that evidence.
Recovery and Prevention
Recovering from a cyber-attack includes addressing the identified vulnerabilities, which also helps prevent similar attacks in the future. Common steps in this phase include changing system passwords, applying security patches and blocking suspicious IP addresses. The recovery phase is often a cooperative effort between the company’s own IT team and outside security experts. Suspected criminal behavior should be reported to law enforcement agencies such as the FBI, which may already be familiar with the attack from other victims.
Remediation
The remediation phase of a cyber-attack should include notification of the appropriate personnel within the organization. A review of the compromised personal data will also be necessary, so that the owners of that data can be notified. Company personnel or an outside vendor will also need to be trained to answer the many questions that affected customers will have about the data breach. The most common concerns are whether the compromised information will be publicly disclosed and whether it will be used for unauthorized purposes.
Summary
CCSI provides small business IT security in the San Diego area that protects our clients from hackers, viruses and spam. Our enterprise-level security system includes Unified Threat Management (UTM) on a cloud-based platform, which allows you to defend your company against the latest cyber-threats without downloading updates. Contact us today to find out how we can help you with your security needs.