What to Do After a Cyberattack

Written By Tibby Fielding

If your organization experiences a cyberattack, it is vital to react quickly and immediately enable your incident response plan. Your response plan should include the following tasks which help ensure the incident is suppressed to reduce a loss in data. You will need to access and contain the attack, remove the threat, restore data and services, report the incident, and revise your incident response plan. Read the following to learn about the steps that should be taken after a cyberattack.

1. 1. Assess the attack: Your security team needs to determine the extent of the attack and identify which systems, users, and data have been affected. 
   2. Determine the type of attack: Phishing attacks, ransomware, Denial of Service attacks, and malware are common cyberattacks. If malware is downloaded, identify the type to glean a better understanding of the scope of the attack. 
   3. Identify the source of the attack: Understanding the source of the attack will allow your organization to improve its response and security. Threat actors may have breached other areas of your network that have yet to be discovered. 
   4. Assess the damage: determine which systems and data have been compromised. What is the impact of this attack? Evaluating this information will aid in future prevention. 
   5. Contain the attack: Isolate any systems or devices that have been compromised from the network to prevent spreading.
   6. Disconnect from the network: turn off your wifi/disconnect from the network from affected devices, and shut down affected devices and services (email, web servers).
   7. Remove the threat: remove malware and any other malicious software. 
   8. Patch exploited vulnerabilities: This may require downtime from business operations, but it is essential to prevent further damage from future attackers. You may need to update software, reconfigure network settings or replace outdated software and systems. 
   9. Reset passwords and turn on Multifactor Authentication (MFA): If any user accounts have been compromised, reset passwords and ensure the use of MFA. 
   10. Restore data and service: after the attack has been alleviated, damaged/lost data needs to be restored from clean backups and systems need to be manually rebuilt or restored using recovery software. 
   11. Report the incident: Create an incident report that outlines the damages and how the attack was handled and alleviated. Follow state laws or regulations that are legally mandated to report cyberattacks and data breaches. If you manage, store or transmit personal information, you are required by HIPAA and PCI-DSS to notify all accepted individuals. 
   12. Update your Response plan: learn from the attack and create an updated response plan that improved company security. Identify any mistakes or lessons learned front the attack.

The growing risk of cyber attacks from threat actors is affecting businesses of all sizes and in all industries. Ensuring you have a plan in place to respond to cyber threats that fit your business’s needs is vital. While cyber risk cannot be eliminated completely, enterprises can manage risk effectively with the right people, processes, and technology.

Do you need help advancing your existing incident response plan into one that is more secure and advanced? Contact ADVYON today for a lasting partnership and see how we can help identify your organization’s risks and resolve them quickly and efficiently. ADVYON is more than just an IT company, we are great at assessing, identifying, and aligning business and technology solutions to complement our client’s strategic objectives, growth, project goals, culture, people, and processes.