In this guide we discuss what steps you should take to prepare for or respond to a cyber-attack.
1. Don’t panic.
It can be a devastating time for a company, which will inevitably be worrying about what to say to its customers and regulators, but it is important to deal with the incident head on and in the best way possible.
Lots of businesses suffer cyber-attacks, so don’t take it personally.
You might have been targeted specifically, but it might equally be a random, opportunistic attack.
2. Bring in your team.
Responding to a potential cyber breach is a team sport, so make sure you get your people involved and engaged.
Make sure to bring in your legal advisers to help you too.
See the next section for more information about who to involve in responding to a cyber-attack.
3. Notify your insurers.
Your insurance provider may be able to offer help and support if you notify them of a potential breach.
Do this early on: if you notify them too late, you risk having already taken actions that might invalidate a future claim under your policy.
4. Notify law enforcement.
Make law enforcement aware of what has happened.
They will often have resources available to help you understand the extent of the attack: what has happened, who has been impacted and where it has happened.
From this, you might be able to ascertain your next steps on how to best move forward.
5. Assess the impact of the attack.
Companies have a 72-hour window to contact the Data Protection Commission (DPC) and report a data breach that involves personal information.
If the attack has exposed healthcare information or financial data such as credit card numbers, you will need to notify the relevant regulatory bodies within 72 hours.
The clock starts ticking when you become aware of the breach.
Also, look into how many records have been lost.
Even if you’re only a small business, you may still hold a lot of sensitive or valuable data.
6. Inform any relevant regulatory bodies of the cyber-attack.
Let them know that you’re aware that there may have been a breach and that you’re taking the necessary actions to protect the rights of the individuals whose data has been lost.
It’s important for that notification to happen quickly so that if they face any potential harm from that information being disclosed, they can take the necessary actions, such as changing credit card numbers or checking online banking for fraud.
N.B. We recommend notifying regulators early, even if it turns out to be premature, rather than waiting until it’s too late.
You can always follow up if your investigations subsequently find that there was no breach and you overreacted.
It can take some time to understand the nature and depth of a breach, so remember that you don’t necessarily need to provide all the answers to the regulator within those 72 hours.
You should, at a minimum, tell them that something has happened and that you’re taking appropriate action and advice to deal with it.
7. Gather the facts.
Try to get to grips quickly with the extent of the breach and the impact on your business and then look to resolve the issues.
We mentioned above that handling a breach is a team sport.
It shouldn’t be up to any one individual to be responsible for this. The people and organisations to involve are:
1. Law enforcement:
Engage with law enforcement if you believe a cyber-crime has taken place.
You can contact Crime Victims if you feel you’re a victim of a cyber-attack.
They operate a telephone line that you can call to lodge incidents.
They’ll give you a case number and may even allocate someone to come and assist you on that investigation depending on the nature of the incident.
2. Insurance provider
Notify your insurance provider early on.
Your policy probably requires you to do so, and you may be given a lot of support in investigating and responding to the breach.
3. Regulator
Inform any relevant regulators within 72 hours, specifically the Irish regulator (the DPC) if European personal data might be at risk.
Let them know that an attack has taken place and that your response is underway.
4. Internal response
Engaging with senior management and the board is critical to deciding which steps to follow.
Your IT team, legal department, risk teams etc. will likely all need to be involved too.
It is useful to keep all of this information, including the phone numbers of who to contact, in one place in case you’re ever hit by a cyber-attack again.
This can be prepared ahead of time to make a breach easier to deal with.
Understanding your risk
In order to manage your cyber security risk, you first need to understand where your own risks and vulnerabilities might lie.
What kind of data do you hold?
Where do you hold it?
All of these things are within your own control and every company can do this if they want to be proactive.
Understanding the ‘enemy’
It’s equally important to understand the threats that are out there.
There are different types of hacks and attacks that people might use to harm your business, perhaps because of the type of business you’re in.
To help keep up to date, there are a number of security surveys that regularly report on the state of security threats.
The DPC are constantly monitoring security incidents that have been reported to them and you can find a list of the most common security attacks and incidents related to data privacy on their website.
VeriSign publish an industry data breach report once a year which identifies the different types of security attack that have impacted organisations over the last 12 months.
Net Diligence produce their own report on data breaches and claims in the sub-insurance industry.
Many insurance providers and vendors of security products will also publish data breach information about the breaches or claims they have received.
There are also many knowledge-sharing groups within particular industries, e.g. financial or pharmaceutical, where people come together to discuss security threats, and these can be useful for businesses to tune in to as well.
Being aware of the risks facing certain industries will be especially useful if you’re looking to work with clients in those industries, as it will likely stand you in good stead during their due diligence exercises and procurements.