Most recent

You just discovered that your firm has been hacked… Now what?

By Tom Skeen

Given the current state of cyber intrusions and extreme information loss, this isn’t an unlikely scenario that you could find yourself in if you are in any type of IT, risk or security role.

In fact, you might not even know that your environment has been compromised. Recent research suggests that it takes about eight months or longer from the time the cyber criminal has gained unauthorized access to your infrastructure and information for you to realize there is even a problem. In most cases hackers are good at disguising their intentions, means of access and how they are stealing your information. This is primarily due to the fact that businesses conduct many legitimate transactions, send thousands of email messages and have a significant number of authorized credentials that can perform privileged tasks.

I’m certain that this type of undesirable event will make even the strongest leader worried and concerned about what the future will hold. From legal issues, financial loss, reputational impact and most of all - can the company survive the event? There are many things that have to happen once this is discovered. Some of the actions must occur immediately, others need to run in parallel and some of them within the first several hours or days.

Outlined below are some of the most critical actions that must occur.

  1. Communicate to your leadership team what you have discovered
  2. Engage the legal team
  3. Engage the proper technical & security resources
  4. Assess the situation and gain all of the facts that lead you to believe that there has been an unauthorized intrusion or information loss
  5. Determine a communication strategy: internal or external or both
  6. Assess if there are multiple events occurring simultaneously
  7. Put a tactical strategy together to mitigate the situation(s)
  8. Determine a plan to capture and preserve the forensic data: system logs, events, actions taken, keystrokes and credentials used. This information is critical and must be retained for proper analysis and identification of the cyber criminals
  9. Engage law enforcement officials
  10. Communicate often
  11. Implement the tactical strategy
  12. Validate the condition(s) has stopped
  13. Communicate often
  14. Evaluate the impact: financial, reputational, systems affected
  15. Communicate often
  16. Develop a permanent fix to prevent in the future
  17. Update your security strategy

This list is not inclusive or in exact order of everything that must occur, as each business is different and have unique types of risk points, but rather the high-level basics that are a must. It’s equally important to check with your vendors (many types) early on in the event to determine if you have the best security technology deployed for the use cases that are being utilized by your staff and customers. They can also assist you in triaging the situation and with tactical and permanent solutions.

It’s also critical to determine why the breach occurred, why it took so long to realize it and are there multiple unrelated sources involved in the same or different capacity. It would not be surprising to determine that multiple criminals have infiltrated your firm. The point is, don’t assume anything when analyzing the situation – you might think you have solved the issue to later realize you only fixed part of the condition.

Unfortunately, these are the difficult times we are all in today and for the unforeseeable future. It’s a time of massive amounts of data being retained, mobile communications, bring your own device, complicated systems and applications, the growing demand for information for marketing and expanding ones market share and knowledgeable hackers and criminals willing to sell your information to the highest bidder without regard for anyone or any company.

To once again quote the founder of Safe-T Data, Amir Mizhar, when asked is any system or application bullet proof: “Everything is possible… the impossible just takes longer”.

In most cases we say don’t “assume” anything, but in this case it’s safe to “assume” that you are being hacked by one or more criminals and your data is being sold!

All posts