With ransomware and phishing attacks on the rise in 2018, most businesses struck by an attack have no clue how to respond.
Now that we know that lightning strikes twice when it comes to ransomware attacks (i.e., once you have been attacked, a subsequent attack is very likely), it’s more important than ever to be prepared to completely remediate an infection and respond properly after it.
Since reinfections are becoming the norm rather than the exception, I want to take a few moments to cover how to make sure a cyberattack doesn’t happen again.
5 actions not to overlook after a cyberattack:
Conduct a Root Cause Analysis—on the surface, you might be thinking about ransomware remediation specifically to address recovering your files and getting your team up and running. What you or your IT team might be seriously overlooking is that your chances of a reinfection (and continued downtime) are higher now than they were before you got hit with a cyberattack the first time.
The clearest way to ensure that attackers don’t get into your system a second time is to evaluate the root cause of the attack. On the surface, you may think you know what happened. Maybe you suspect a user clicked on a link, or maybe someone self-identified as patient zero, but the reality is that there are multiple ways an attack could have presented itself, and the symptoms your users are seeing may not point conclusively to the actual cause of the attack.
Conducting a root cause analysis will help identify what really went wrong on your network and where your IT team should be improving security ASAP.
To perform a root cause analysis, create a workflow and playbook that goes beyond remediation. You will want to ask a LOT of questions and use every forensic resource available to get things squared away (all i’s dotted and t’s crossed).
For example, after a phishing attack, ask how the person got targeted. What was the messaging in the email? How did the email get through spam filtering? It may turn out that someone used their corporate email address to sign up for a less-than-reputable website [does your security policy address issues like this? If yes, was the user unaware of your policy?]. Maybe a user used their personal email on your network. Do you have a policy for personal email addresses at work? Ask as many questions as you can, and keep asking why and how until you fully understand what happened and how it happened.
Simply treating the symptoms will get you nowhere when it comes to preventing the next attack. Making sure you and your team learn from your mistakes will pay off enormously in the long term if you take the time to fully and critically evaluate your security problem rather than patching things up with a quick fix.
Use Metrics To Improve—I’m a big fan of Traction and Level 10 meetings to make sure issues get addressed, get addressed properly, and get resolved quickly and satisfactorily. Making sure you at least have metrics to track progress will help you see security issues going away and hold specific people accountable for making sure your security is what it should be.
Note: most IT Support teams try to avoid accountability metrics because they fear the unknown and do not want to be held accountable if their security isn’t sufficient. Most often, instead of taking ownership of security issues, they pass the buck to specific users they blame for security breaches or ransom attacks rather than finding proactive ways to get to the bottom of a security issue and get it completely resolved.
I strongly recommend leveraging security metrics as a basis for process improvements within your IT security, and within your security processes more broadly throughout your organization, because they can reveal truths about your system that often get overlooked if not exposed. In addition, having measurable metrics helps you quantify improvements to your board, team, or clients—all of whom are concerned about you and your IT Support keeping their sensitive data safe.
Keep Evidence Of Your Attack And What Was Touched In The Attack—Many IT Support teams cannot figure out how to determine the extent of a breach or attack (unless files are visibly encrypted for ransom). In the post-incident phase of an attack, you should carefully determine what was touched by the attack. This will help you enormously in the event of any litigation or audits down the road from your cyber event. If you don’t satisfactorily document what you did and how you assessed your cyber event, a court may hold you responsible for negligence, and your clients may lose trust in your ability to have their best interests at heart.
Self-Reflect As An Organization—the organizations that survive cyberattacks are the ones that learn from their mistakes. They perform third-party network security assessments and find ways to improve their security to avoid further attacks or loss of client trust (note: we will perform a FREE network security assessment simply to help the business community stay secure and free of ransom attacks).
In addition to identifying and strengthening security weaknesses on your network, evaluate your team’s preparedness for an attack. Make sure your entire staff is aware and trained, and clearly assign roles to key members of your team so that you can bounce back easily from an attack or disaster.
Change Or Implement New Security Policies—I know that red tape is never a good thing, but having meaningful policies that everyone understands is a critical part of IT security. Write or modify your existing security policy so folks know what’s okay in the workplace. If best-practice security policies conflict with current practices, devise a way to reconcile the inconveniences. For instance, if most of your users insist on using their personal cell phones on your network, consider restricting them to a guest WiFi network to mitigate the risk of those devices infecting your network.
Coming up with solid practices and policies that are actually followed and have traction with your staff is critical to keeping your workplace safe. Again, if you need help coming up with these policies, consider consulting the security experts on our staff (we understand functional business security).
Bottom line? If you were the victim of any type of cyberattack, you need to prepare your team and network for the next one. Contact us TODAY for a free ransomware vulnerability assessment to start planning your security road map.