Cyber-attacks may seem unavoidable, but there are many things you can do to prevent and prepare for them. Making sure you have a Cyber Security Strategy in place can help reduce the risk and severity of breaches and help you navigate the fallout after an attack occurs.
What to do before a cyber breach
If anything, the recent string of data breaches and hacks has shown that no business is safe from cyber-attacks. However, having a Cyber Security strategy can go a long way in increasing your company’s preparedness.
One of the best starting points for your cyber security strategy is to follow the Australian Cyber Security Centre’s Essential Eight. According to the ACSC:
“While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.”
You can read more about how to implement this framework via our article why the Essential Eight is vital for your business or by referring to the ACSC’s Essential Eight guidelines. Every business needs cyber security protection, especially those dealing with sensitive personal data. Some companies may also need to consider cyber security insurance, also known as cyber liability insurance or cyber insurance.
Signs that you may have had a Cyber Attack or breach
A cyber-attack or leak can happen anytime and involves attempts to steal or destroy data, money, or intellectual property, or to disrupt systems and cause outages. Some of the signs of a potential cyber security incident include the following:
- Unauthorised access to a system or attempts to access a system
- Emails with suspicious attachments or links
- Questionable network or system activity
- Suspected tampering of electronic and computer devices
Shortly after a cyber security incident, you may experience unusual activity on your systems, including:
- Data is missing or appears altered.
- Computer hardware taking noticeably longer to start up, or starting up incorrectly
- Computer systems are running slower than usual
- Frequent crashes on previously working devices
- Company email accounts sending spam to contacts
- Your internet browser automatically directs you to unsafe or suspicious websites
- Computer hardware running low on storage space, where there were no issues previously
- Being unable to access system and network accounts
If these issues occur, immediately contact your IT provider or Managed Service Provider (MSP) and enact your cybersecurity incident response plan.
After a breach
Sometimes breaches happen. No cyber security plan is entirely impenetrable, but your response to a leak or hack will have significant ramifications for the future of your business and your customers. Therefore, a company should have a cybersecurity incident response plan (CIRP).
A well-designed CIRP helps you mount an effective and swift response to cyber incidents. The following steps will help get your business up and running as quickly as possible.
Limiting the damage wherever possible is essential if you suspect a cybersecurity incident has occurred. First, turn off all computers and disconnect them entirely from the internet and wall power. This removes the chance for a hacker to continue accessing your devices or spreading the attack across your network. At this point, it’s important not to connect any backup systems or portable devices, such as laptops, to your network as you want to keep the integrity of your backups to prevent data loss and decrease the chance of spreading the cyber-attack.
Enact your Cyber Security Incident Response Plan (CIRP) and Seek Help
Your business should have a cyber security incident response plan as outlined above. Now is the time to use it. Ensure all staff members know their responsibilities and the tasks they must perform. If your business still needs a CIRP, contact your managed service provider (MSP) or contact us for help. One of the best resources for Australian businesses is the Australian Cyber Security Centre (ACSC). Their website provides guidance to help businesses identify cyber-attacks and incidents, and for immediate assistance, you can call the Australian Cyber Security Hotline: 1300 Cyber1 (1300 292 371).
Contact your IT provider or MSP so they can identify the cause of the cybersecurity incident and limit the damage caused. In many cases, your MSP can contain and eliminate the threat and repair and restore your crucial business systems. Consider the best way to contact your MSP, as attackers may have already compromised methods such as email; instead, phone them directly via their support line. At GCIT, our clients can contact us directly via 1300 369 111.
Report the Cyber Security Incident to the authorities
Another consideration is whether you need to contact the police, the Office of the Australian Information Commissioner (OAIC) or your insurance company if you have cyber security or business insurance.
A Cyber Security incident can result in a data breach, and personal information can be compromised. In such an event, you may have an obligation to notify authorities, including the OAIC and the Australian police.
The Australian Cyber Security Centre (ACSC) also has a tool called ReportCyber for reporting cybersecurity incidents. Reporting assists the ACSC in developing advice, techniques, and capability to respond to and prevent cyber-attacks and threats.
It is vitally important to report any instances of cyber attacks resulting in data breaches. Per the Privacy Act 1988, notifications to the OAIC must be made within 30 days or as soon as practicable.
Entities responsible for certain critical infrastructure assets are now obligated to notify the Australian Cyber Security Centre (ACSC) of the cyber security incident within strict timeframes, as little as 12 hours for highly critical incidents. This reduced time frame is due to amendments made to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) on the 8th of July, 2022. To learn more about these changes, HWL Ebsworth Lawyers wrote a great article describing how this affects businesses and to whom it applies.
Investigate the Breach
Once the cyber-attack has been contained and all affected devices are quarantined, it’s essential to identify how exactly the breach occurred and what the damage is. To do this, you may employ the skills of a forensic IT specialist who investigates the causes and effects of the cyber security event. This is important for three reasons:
- It allows you to identify what occurred and the scope of the breach.
- It enables you to formulate an effective plan to respond to the cyber security event, and it will determine the gaps and vulnerabilities in your company’s cyber security.
- It’ll allow you to perform fixes so the same occurrence doesn’t happen again.
Notify Customers and Clients
After your team members are informed, and you have alerted the relevant authorities about the cyber-attack, it is time to notify your customers or clients. If the cyber security breach falls under the Privacy Act 1988, you must promptly notify the individuals at likely risk of serious harm. In addition, under the Notifiable Data Breach (NDB) scheme, you must inform the affected individuals and the OAIC when an eligible data breach occurs.
According to the OAIC, an eligible data breach occurs when:
- There is unauthorised access to or unauthorised disclosure of personal information or a loss of personal data that an organisation or agency holds
- This is likely to result in serious harm to one or more individuals, and
- The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
This notification to individuals must include recommendations about the steps they should take in response to the data breach. When communicating with customers and clients, it is vital to be transparent and open about how the data breach affects them and what you are doing to improve the situation. Some key things to communicate are:
- When did the breach happen, and why?
- What systems/services have been affected?
- What steps are you taking to resolve the situation?
- Is the breach ongoing, and can you say when you will fix it?
- Who can customers contact if they have questions or concerns?
Depending on the extent of the data breach or cyber-attack, it may be worth hiring a public relations firm for the duration of the incident. This can help improve communication between you and your customers.
Restore and Recover Data and Systems
Once the breach has been isolated and eradicated from your systems, recovering and restoring your IT systems, networks, and devices can begin. Many organisations will have a business continuity plan or disaster recovery plan. This plan details how your company will ensure its ability to continue providing services to your customers or continue operations. However, even if no plan was implemented, this process should include restoring systems to normal operations, monitoring to confirm that any previously affected systems are operating normally, and making plans to remediate vulnerabilities to prevent similar incidents.
Evaluate and Improve
When the cyber security incident is resolved, it’s essential to reflect on the actions that occurred and use the information gained during the event to improve your cyber security. This will not only strengthen your defensive capabilities into the future but can also improve your standing when it is time to renew your Cyber Security Insurance.
Some Considerations when creating a Cyber Incident Response Plan
Below are some tips for creating an effective CIRP:
- Keep a hard copy of your response plan and include important contacts such as your MSP, insurance provider and the Australian Cyber Security Centre. During a cyber-attack, you may be unable to rely on digital copies.
- Prepare and train your staff to respond when a cyber security incident occurs. Ensuring staff respond quickly to an incident is integral to preventing or reducing data losses and breaches.
- Educate employees on identifying a cyber event and provide training on preventative measures such as the Essential Eight for your staff to decrease your risk.
At GCIT, we specialise in providing Cyber Security peace of mind to our clients using best practice security measures and customised support. Our services help industry-specific occupations utilise the best security practices without interfering with your business’s daily operations or productivity. To find out how GCIT can help your business, contact us at 1300 369 111.