So you've been hacked, now what?

According to the latest global State of Enterprise Security study from Symantec, some 75 per cent of organisations have experienced cyber attacks in the past year, at an average cost of more than 1 million over the course of the year for each hacked business.

If that were not shocking enough, the same study reveals that 100 per cent of the enterprises questioned admitted to some form of 'cyber loss' last year.

This comes as no great surprise to Keith Crosley, a director at security vendor Proofpoint, following its own study of the data loss risk to large enterprises of more than 1,000 employees.

Crosley told IT PRO that of the 220 companies taking part, 27.4 per cent had been impacted by the improper exposure or loss of intellectual property in the last year, 32.8 per cent regarding customer information and, perhaps most worryingly, 33.8 per cent when it came to sensitive data.

So let's start at the very beginning. The fateful day your business discovers it has been hacked. What should you do and in what order?

Rafe Pilling, an information assurance consultant at SecureWorks, recommends that the very first task needs to be attempting to quantify the extent and impact of the compromise, without which it's almost impossible to determine what follow-up activity needs to take place or the priorities to be assigned to this To Do list.

"From an early stage, consideration should be given as to whether the business simply wants to restore a service or perform an investigation that yields evidence that could be presented in court," Pilling told IT PRO, adding "it's best to involve incident response experts early on as they can advise on how to verify the incident, restore service and collect the data in a forensically sound manner that can later be investigated and used as evidence".

The incident management process

As Neil O'Connor, principal consultant at independent IT security consultancy Activity IM, says, this means invoking your incident management process.

This should define what to do next, in particular: who to involve, how to grade the seriousness of the attack and how far to escalate the incident.

"The first stage in the incident management process should be to decide if you actually have been hacked," O'Connor said. A false positive from an intrusion detection system or anti-virus software should, of course, be ruled out.

"Assuming that you have been hacked," O'Connor continues, "you need to assess the seriousness of the incident, and in particular if any information has been compromised."

This step is somewhat easier if you have undertaken forensic readiness planning beforehand and are aware of what data is held in what location.

Your incident management process should define levels of seriousness and escalation, and if there has been a potentially serious breach then your crisis management plan should be invoked.

This will involve "functions such as marketing and PR as well as senior executives in deciding who to inform, what to say and what assurances to give, as well as what internal briefings to give," O'Connor recommends. Ah yes, the dreaded 'D' word: disclosure.

Davey Winder
