First Response: What Your Business Should Do Right After a Cyber Attack

In our previous post, we highlighted the often-subtle warning signs of a cyber attack. But what happens when the unthinkable becomes reality and you realise your business has been targeted? The moments immediately following the discovery of a cyber attack are critical. Every second counts, and a swift, organised response can be the deciding factor in minimising damage, accelerating recovery, and ultimately safeguarding your business's future.
At CommuniCloud, we understand that facing a cyber attack can be overwhelming. That's why we've outlined the essential steps you must take immediately upon detection. Acting decisively in these initial moments can significantly reduce the attacker's foothold and pave the way for effective remediation.

Immediate Actions: Your First Line of Defence

1. Isolate Affected Systems: Contain the Contagion
Think of a cyber attack like a rapidly spreading virus within your digital ecosystem. Your immediate priority is to contain it:

  • Disconnect Devices Ruthlessly: Identify any systems that you suspect are compromised – computers, servers, laptops, even mobile devices connected to your network. Take them off the internet and your internal network: unplug the network cable, and also switch off Wi-Fi, mobile data and Bluetooth, because a machine that is off the cable can still reach the attacker over any other interface it has. This prevents the attacker from moving laterally across your network, accessing more sensitive data, or deploying further malicious payloads. If the compromise is a cloud or email account rather than a device, the equivalent step is to disable the account and revoke its active sessions and tokens, not just change the password.
  • Resist the Urge to Power Down: While your instinct might be to shut everything off, do not power down affected devices unless specifically advised to do so by your incident response team. The volatile memory (RAM) of a running machine holds evidence that disappears when the power is cut: the running processes, the live network connections, malware that was injected into memory and never written to disk, and sometimes the keys of the ransomware that is doing the encrypting. A responder can image that memory from the live machine before anything is switched off, and the result can be invaluable in understanding the attack vector, the extent of the compromise, and the attacker's methods. The one situation that changes the calculation is visible, ongoing destruction: if you can see files being encrypted or deleted in real time, stopping that is worth more than the memory image, so tell your responders immediately and follow their call.
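A concrete version of the two points above for a Linux host, as an added example that is not CommuniCloud's own tooling: it first snapshots the volatile state that a disconnect or shutdown would destroy (logged-in users, processes with start times, live sockets, ARP table) and hashes the snapshot, then applies a host firewall that drops everything except SSH from a single analyst jump box. The jump box address, the evidence directory and the use of nftables are assumptions; on a real network you would also shut the switch port or move the host to a quarantine VLAN, and you would run this only on the instruction of whoever is leading the response.

```shell
#!/bin/sh
# Added example, not CommuniCloud's tooling: take a suspected-compromised Linux
# host off the network without powering it down. Volatile state is captured
# FIRST, because pulling the cable destroys the live connection table.
# Assumptions (hypothetical): $1 is the analyst jump box that must keep SSH
# access, $2 is a writable evidence directory, and nftables (nft) is installed.
set -eu

# Snapshot what only exists in memory right now: logged-in users, process
# list with start times, listening/established sockets, ARP neighbours and
# interface addresses. Every file is hashed so the snapshot can later be
# shown to be unchanged. Missing tools are logged rather than fatal: a
# partial snapshot is better than none.
snapshot_volatile_state() {
    dir="$1"
    mkdir -p "$dir"
    printf 'snapshot_utc=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" > "$dir/00_context.txt"
    i=0
    for cmd in 'w' 'ps -eo pid,ppid,user,lstart,cmd' 'ss -tunap' 'ip neigh' 'ip addr'; do
        i=$((i + 1))
        file="$dir/$(printf '%02d' "$i")_${cmd%% *}.txt"
        sh -c "$cmd" > "$file" 2>&1 \
            || printf 'command failed: %s\n' "$cmd" >> "$dir/00_context.txt"
    done
    (cd "$dir" && sha256sum ./*.txt > SHA256SUMS)
    echo "$dir/SHA256SUMS"
}

# Emit an nftables ruleset that drops everything except SSH from the jump box.
# There is deliberately NO "ct state established accept": that exception would
# let the attacker's already-open sessions keep flowing. The SSH return path
# is allowed statelessly instead (source port 22 back to the jump box).
isolation_ruleset() {
    ir_host="$1"
    cat <<EOF
flush ruleset
table inet isolate {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ip saddr $ir_host tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ip daddr $ir_host tcp sport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Full procedure: snapshot, save the ruleset alongside the evidence (so the
# record shows exactly what was applied), then apply it. Needs root.
isolate_host() {
    ir_host="$1"; evidence_dir="$2"
    sums=$(snapshot_volatile_state "$evidence_dir")
    isolation_ruleset "$ir_host" > "$evidence_dir/isolation.nft"
    nft -f "$evidence_dir/isolation.nft"
    echo "host isolated; volatile snapshot hashes in $sums"
}

# Guarded so that sourcing the file for review does nothing. Run for real with:
#   sudo env ISOLATE_APPLY=1 sh isolate.sh 10.0.0.5 /var/tmp/evidence-$(uname -n)
if [ "${ISOLATE_APPLY:-0}" = "1" ]; then
    isolate_host "$1" "$2"
fi
```

Two things to notice before using anything like this: the ruleset flushes whatever firewall rules were there, so the jump box must be reachable through the rules shown or you will lock yourself out of the machine; and the absence of a connection-tracking exception is the point, since an "allow established" rule would keep the attacker's existing command-and-control session alive while looking like isolation.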

2. Assess the Situation: Understand the Battlefield
Before you can formulate a comprehensive recovery plan, you need to understand the scope and nature of the attack:

  • Identify the Compromised Assets: Pinpoint exactly what has been affected. Is it a single employee workstation? A critical server? A specific database containing customer information? Understanding the "what" is crucial for prioritising your response efforts.
  • Determine the Scope of the Breach: Is this an isolated incident, or does it appear to be a widespread network intrusion? Are multiple systems showing signs of compromise? Understanding the "how far" the attack has reached will dictate the scale of your containment and remediation efforts.

3. Follow Your Incident Response Plan (IRP): Your Emergency Protocol
A well-defined Incident Response Plan is your playbook for navigating a cyber crisis. If you have one:

  • Execute Your Plan Methodically: Now is the time to put your pre-defined procedures into action. Your IRP should outline specific steps, roles, and communication protocols to ensure a coordinated response.
  • Adapt if Necessary: While your plan provides a framework, be prepared to adapt based on the specifics of the attack. The situation might evolve rapidly.
  • If You Don't Have a Plan (Act Now for the Future): Create a basic response procedure immediately; even a rudimentary plan is better than chaos. Designate who will be responsible for initial communication, who will liaise with IT (internal or external), and who will begin documenting the event. This initial structure will provide much-needed order. This experience should also serve as a critical catalyst for developing a comprehensive IRP for future incidents.

4. Preserve Evidence: Secure the Crime Scene
Think of your compromised systems as a crime scene. Preserving evidence is paramount for understanding the attack and potentially pursuing legal action:

  • Document Everything Meticulously: Record timestamps of when suspicious activity was first noticed, the specific symptoms observed, any error messages, screenshots of unusual activity, and all communication related to the incident. This detailed log will be invaluable for forensic analysis.
  • Maintain a Chain of Custody: If physical devices need to be handled, document who accessed them and when. This ensures the integrity of the evidence.
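The documentation and chain-of-custody points above, turned into something you can actually run, as an added example rather than CommuniCloud's own process: every piece of evidence is fingerprinted with SHA-256 the moment it is taken into custody, every hand-over is logged with a UTC timestamp and both names, and the fingerprints are re-checked before anyone relies on the evidence. The log location and the people named are hypothetical.

```shell
#!/bin/sh
# Added example, not CommuniCloud's process: an append-only chain-of-custody
# log for collected evidence. Each item is fingerprinted with SHA-256 when it
# is taken into custody, each hand-over is logged with a UTC timestamp and
# both names, and the fingerprints are re-checked before anyone relies on
# the evidence. The log path and people are hypothetical.
set -eu
tab=$(printf '\t')

# One tab-separated line per event:
#   timestamp  event  sha256  path  custodian  note
# Tabs rather than spaces so that paths containing spaces survive intact.
custody_record() {   # log event custodian path note
    sum=$(sha256sum "$4" | cut -d' ' -f1)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$sum" "$4" "$3" "$5" >> "$1"
}

# Take an item into custody: hash, log, and make it read-only so that an
# accidental edit fails loudly instead of silently breaking the chain.
custody_acquire() {  # log custodian path note
    custody_record "$1" ACQUIRE "$2" "$3" "$4"
    chmod a-w "$3"
}

# Hand an item to the next custodian. The hash is taken again at the moment
# of transfer, so any change during the previous custodian's tenure is caught
# at the point where responsibility shifts.
custody_transfer() { # log from to path
    custody_record "$1" TRANSFER "$3" "$4" "received from $2"
}

# Re-hash every item that was ever ACQUIREd and compare with the hash logged
# at acquisition. Reports the first mismatch (or missing file) on stderr and
# returns 1; returns 0 when every item is intact.
custody_verify() {   # log
    log="$1"
    awk -F'\t' '$2 == "ACQUIRE" { print $3 "\t" $4 }' "$log" > "$log.check"
    while IFS="$tab" read -r expected path; do
        actual=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s: logged %s, now %s\n' \
                "$path" "$expected" "${actual:-missing}" >&2
            rm -f "$log.check"
            return 1
        fi
    done < "$log.check"
    rm -f "$log.check"
    return 0
}
```

The log itself is evidence: keep it somewhere the compromised systems cannot write to, and hash it (or print and sign it) when custody moves outside the organisation, since a record that lives only on the machine under investigation proves nothing.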

5. Notify Necessary Parties: Transparency and Compliance
Depending on the nature and scope of the cyber attack, you may have legal and ethical obligations to notify external parties:

  • Customers and Clients: If their personal or financial data has been compromised, prompt and transparent notification is crucial for maintaining trust and allowing them to take protective measures.
  • Business Partners and Suppliers: If the attack has impacted shared systems or data, informing your partners is essential for their awareness and potential collaborative response.
  • Regulatory Bodies: Depending on your industry and the type of data breached, you may be legally required to notify specific regulatory agencies (e.g., data protection authorities). In Australia, for example, an eligible data breach under the Notifiable Data Breaches scheme must be reported to the Office of the Australian Information Commissioner (OAIC) and to the affected individuals as soon as practicable, and the assessment of a suspected breach must be completed within 30 days. Failure to notify can result in significant fines and penalties, and the clock starts at discovery, which is one more reason the timestamps recorded in step 4 matter.
  • Law Enforcement: In cases of significant data theft or malicious damage, consider involving law enforcement agencies. In Australia the entry point is ReportCyber (cyber.gov.au), which routes the report to the relevant police; the Australian Cyber Security Hotline, 1300 CYBER1 (1300 292 371), is staffed around the clock.
  • Transparency is Key: While it can be difficult, being transparent about a cyber incident can help maintain trust with your stakeholders in the long run. Attempting to conceal a breach can lead to more severe reputational damage.

6. Bring in Experts: Don't Go It Alone
Unless you have a highly specialised in-house cybersecurity team with incident response expertise:

  • Contact Cybersecurity Specialists or MSSPs Immediately: Incident responders and managed security service providers have the experience, tools, and knowledge to effectively analyse the attack, contain the damage, eradicate the threat, and guide your recovery efforts. Engaging them early can significantly expedite the process and minimise long-term impact.
  • Consult Legal Counsel Experienced in Cyber Law: A lawyer specialising in cyber law can advise you on your legal obligations regarding data breach notification, potential liabilities, and the legal implications of the incident.

Pro Tip: Preparation is Paramount
Our Pro Tip from the previous article bears repeating, but with even greater emphasis in this context: Prearrange partnerships with incident response teams and legal advisors before an attack happens. When a crisis strikes, you don't have the luxury of time to research and vet potential partners. Having established relationships in place ensures a much faster and more efficient response when every second truly counts.

Responding effectively to a cyber attack requires a calm, methodical, and decisive approach. By taking these immediate actions, you can significantly limit the damage, protect your critical assets, and begin the process of recovery. Remember, preparation and a swift, informed response are your most powerful tools in the face of a cyber threat.
