So you've been hacked, now what?
The statistics would seem to suggest that it is less a matter of if and more when your enterprise will fall victim to a hack attack of some kind. Once you've been hacked, then what?
One of the problems with disclosure is that there is a huge stigma and negative public reaction associated with computer security incidents according to Pilling. "Few people would blame the victim of an assault or a mugging for the crime, [whereas] computer crimes are generally seen as resulting from incompetence on the part of the victim organisation which leads to huge pressures for organisations to cover them up," he said.
This then prevents visibility of the real extent of the crime and in turn helps the criminals and hinders both law enforcement and network security staff. So the big question remains that when you know you've been hacked who do you need to tell?
Dimension Data's global head of security Neil Campbell used to be a computer crime investigator with the Australian police and doesn't think there is an easy 'one-size-fits-all' answer to that question.
However, Campbell does think that what is consistent is the need to plan disclosure processes beforehand that take into account your business's nature and situation.
"In the case of businesses that aren't bound by regulations to disclose, it's critical to know, before a security incident occurs, who is in charge of deciding if, when and how to disclose information about the breach," Campbell notes.
Giri Sivanesan, senior security consultant at risk management specialists Pentura think sit is more straightforward, suggesting that there are certain people and organisations that should be informed straight away.
"I would usually encourage organisations to notify law enforcement authorities of serious hacking incidents even when the incident is particularly sensitive," Sivanesan said.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"Once the attacks have been identified, contained and eradicated and systems are running without any hiccups, a decision should be made by the board on when to go public," Sivanesan added. "Going public before managing the situation may cause customers to panic and may even benefit competitors." Damage limitation exercises
What about damage limitation in terms of branding and market position if the hack does become public? Preparation is the key if you want to minimise the amount of damage done to your organisation.
"If an organisation doesn't have incident management, business continuity and disaster recovery policies in place then it will become more difficult to minimise the damage caused," Sivanesan warned. By establishing and testing these policies and ensuring there are clear procedures and governance structures in place then responding to hacking incidents becomes much easier.
Sivanesan insists that "the faster you respond to and contain an attack then the less damage it will cause". Most organisations can expect to be attacked by hackers at some point, but by being proactive and ready for the attack beforehand usually reduces the impact attacks will have.
The same holds true when it comes to cleaning up after the attack. It stands to reason that if you know where your information systems and data were beforehand it will be easier to get back there quickly and without undue business interference.
"Backing up regularly will allow you to restore systems and information to an accurate level and with minimal downtime," Sivanesan said, "allowing you to get back to your baseline quickly".
Lessons learned?
Now that everything else has been accomplished, how and when should the 'what really went wrong here' investigation start and how can the lessons learned best be implemented?
Once again, Sivanesan has practical advice insisting that organisations must learn from their mistakes in order to manage the risks from hackers and minimise the impact hacking incidents cause.
"They must understand how the incident happened from the detection of the attack all the way through to the recovery," Sivanesan insists, concluding "how well they responded to the incident and what they should have done better are some of the key questions that need to be asked at a board level and pushed downwards."
Only by having the right knowledge of the risks and vulnerabilities, realising what assets must be protected and understanding the impact future incidents can have on the organisation financially and in terms of reputation, can your business move forward and come out of a hack attack stronger and better prepared should lightning strike twice.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.