team of employees responding to a cybersecurity incident

How to respond when your business encounters a cybersecurity incident

You’ve discovered an anomaly in your network. Maybe your electricity usage has spiked or an employee fell for a phishing scam. What is the first thing you should do?

Don’t panic, advises Peter Enko, a partner at the law firm Husch Blackwell. Enko is an expert in information management, privacy, and security matters. He recommends that you should take a deep breath and then follow these key steps:

  1. Contain the incident
  2. Execute your incident response plan

“When the bad guys get your credentials they’ll act instantaneously,” said Enko. “It’s like a smash and grab—they’ll get in and out as soon as they can.”

Contain the incident

The first step to containment is to isolate what has happened and take the affected system offline. This could mean disconnecting a device from the network, freezing an Office 365 account, or even taking your entire server offline.

What you don’t want to do, according to Enko, is turn your system off completely. If you turn your system off, it can delete evidence and make it more difficult to figure out later on exactly what happened. Think of your network as a crime scene on television—your job is to seal it off, then bring in the CSI team to figure out what happened.

Related: NIST Computer Security Incident Handling Guide

Execute your incident response plan

Once the incident is contained, it’s time to execute your incident response plan. The purpose of a good plan is not only to respond to an incident but to make sure your business is able to resume normal business operations as soon as possible.

Key players in the containment and recovery process should already have been identified in advance. Now is the time to contact these people and let them know that an incident has occurred. It’s important, Enko noted, to make sure your incident response team is not made up only of people within your organization. You need independent third parties on your team, typically in the form of outside legal counsel and an outside forensics team.

“The most important thing you can do when you have a cybersecurity incident is to make sure that you are contacting the folks who have done this regularly,” said Enko.

Outside legal counsel and forensic teams who specialize in cybersecurity are experts at handling these type of incidents. They understand things about the investigation process and reporting obligations that someone who is going through this for the first time would not know. You’ll want to contact them as soon as possible so they can make sure the law is being followed and the proper recovery steps are being taken.

Your legal counsel can also make sure you don’t take unnecessary steps that could damage your reputation for no reason. There are many different types of breaches and how you respond to them depends on what exactly has occurred.

Not sure how to find legal counsel or cybersecurity forensic teams? If you have cyber insurance, you can contact your insurance company to see if they have recommendations for your area. Most cyber insurance plans will require that you have outside legal counsel engaged.

Final thoughts

Enko provided this checklist of steps you should take within the first 24 hours of discovering an incident.

Consider contacting your managed IT services provider to make sure your incident response plan is ready to go should an incident occur. Don’t wait until it’s too late. Take the steps you need today, to protect your business.