WHAT TO DO WHEN YOU GET HACKED
You will get hacked. Sooner or later, one way or another, someone will penetrate your defenses and gain access to your network and potentially to your most sensitive information.
It may be a traditional hacker, who seeks a trophy by breaching your defenses and emerging with your valued code to show off to their buddies.
It may be a hired-gun hacker, that is, someone who is paid by a competitor or adversary to penetrate your defenses to steal your information or damage your ability to compete in the market-place.
It may be a nation-state that is gathering intelligence by seeking access to your intellectual property or trade secrets to give them an advantage.
It may even be one of your own employees, acting deliberately or accidentally to circumvent your security systems, with the resulting unauthorized exposure, tampering, or destruction of your vital information. The threat is real and you face it right now.
Hackers are an enemy. They engage in criminal activity. They will seek as much information about you as they can before they even attempt to attack you.
They have a game plan when they seek to breach your defenses, and it is important that you know as much about their plan so that you can best posture your organization to defend against it, to detect them when they try to execute it, and to recover in the event they are successful. You must “Know Your Enemy and Know Yourself.”
Hackers know that the goal of Cybersecurity is to protect the confidentiality, availability, and integrity of your information. Most will have knowledge equal to or better than your own Cybersecurity staff.
They will make an effort to understand your security policies and programs in an effort to find weaknesses or deficiencies they can leverage in order to gain unauthorized access to your systems. They always will seek the path of least resistance to your vital information.
Their first steps usually have nothing to do with probes or scans of your networks. Before they even attempt to penetrate your defenses to gain access to your information, many hackers will analyze your physical security to see how tightly you control physical access to your facilities and the devices that contain your information.
They know that if they can gain physical access to your computer, they can gain complete control of the system and bypass all security measures. Weak physical security usually is an indicator of an overall weak security program and is considered an encouraging sign for hackers.
On the other hand, a strong physical security program often is a potent deterrent as it is assumed such a program is an indicator that the organization has similarly invested in a strong Cybersecurity program.
While some dedicated hackers will take that as a challenge, the vast majority will move on to less secure and easier targets. Potential foes are observing how your facilities are secured (guarded), such as seeing (1) if you permit uncontrolled physical access to your computers and networks, (2) if your employees are lax in enforcing your physical security controls, or (3) if they can gain access to your information through weaker defenses at your off-site data storage facilities. They are watching.
Hackers are analyzing your network security. They know that if your computers are connected to the Internet, they have the potential to communicate with that device, gain control of it, and access your information.
They know that if they are able to gain physical access to your network, they can install software or equipment to sniff all unencrypted network traffic, potentially giving them the ability to capture passwords they can use to gain control of your systems.
They are looking to see if you allow dial-in access to your systems, which could permit them to use the phone system to gain access to your network.
They are trying to map your attack surface by seeing how many potential access points you have. They will systematically probe each one to find the weakest link for their future planned attacks.
Hackers are trying to find what type of computers you have and how they are configured. They want to know what types of computers you operate, what operating systems and versions you employ, what skill levels your IT personnel have, who are your vendors, who do your maintenance, and what applications you use.
They diligently do their homework to compare your profile against known vulnerabilities to help them identify weaknesses and craft their attack plans, many of which start by testing to see if you are using default passwords or even bother to activate many of the security features available in your systems.
Finally, hackers are watching you and your personnel. They know that people are both the strongest and weakest links in your Cybersecurity program. They know that personnel weaknesses can negate great physical, network, and computer security programs.
They are looking to see if you and your people follow your promulgated policies in a reliable and predictable manner.
They will look to see when and how you make exceptions to policy and will look to exploit those circumstances when they can. They will look for opportunities to socially engineer your organization through your people. In a customer-focused organization, personnel are trained to be helpful.
A hacker will plan to use this sense of helpfulness to their advantage as they seek to gain access to your information.
They will gamble on the fact that your customer-focused workforce will be fixated on the customer aspects of their job and lose sight of the need to maintain a strong Cybersecurity posture. They are watching what your people do and how they do it.
Chances are fairly good that sooner or later you will get hacked, but that does not necessarily mean that your business will face catastrophe and potential collapse. You should minimize the effects of hacking incidents by preparing in advance.
Your best defense against hacking is not only to defend against it with a cyber-hardened environment and workforce but also to prepare for what to do when you do get hacked.
THINGS TO DO BEFORE IT’S TOO LATE: PREPARING FOR THE HACK
You likely have a last will and testament that details to your heirs, the government, lawyers, and other interested parties what you want to be done with your estate when you die. You don’t prepare a will because you think you eventually will die; you prepare it because you know you will.
While preparing for a hacking incident does not have the moribund sense of finality typical of a last will and testament, preparing for a potential hacking incident is a prudent investment that will protect you, your organization, and your vital information.
Back Up Your Information
A startling number of people and businesses do not back up their vital information properly.
Despite calls from industry experts to make regular backups of critical information an important business ritual, even the most clever individuals and powerful companies stumble when it comes to maintaining adequate backups.
Your information has value and should be protected through the practice of regular and comprehensive backups, at work and at home.
A best practice in data backups involves analyzing and prioritizing your information. Not all of your information is of equal value. Not all of your information is collected at the same rate or in the same volume. It pays to understand what information you have, who needs it, how it is collected, and what its value is.
Sometimes, it does not pay to back up every bit of information you have; you should only store and back up what you need.
When you have a thorough understanding of your information, you are best prepared to make a cost-benefit analysis to decide what gets backed up, when it gets backed up, where the backups are stored, how you will recover backed-up information, and who is responsible to execute these tasks.
With the costs of data storage continuing to fall, some companies and individuals are finding they can afford to back up all of their information, especially when they use cloud storage services.
This is a very attractive option for many. To protect their information that is under the control of third-party providers, most opt to employ the best practice of encrypting all the data they have in storage.
This is a great idea and a prudent Cybersecurity practice yet key management needs special attention.
Imagine what would happen if you back up all your information into the cloud and encrypt it. Then, you are subject to a Cybersecurity incident that corrupts or destroys your primary computer databases and storage.
How do you recover from backup if the key to unlocking the backup was destroyed or corrupted in the attack? Smart organizations and individuals place their decryption keys in a form of key escrow, where they will have access to the keys in the event of a disaster.
As an executive, you should understand the value of your information and how that information is protected. Make sure that your important information is adequately backed up in a timely, effective, efficient, and secure manner.
Have a plan on how to recover from a cyber incident using your backed-up information through scheduled testing of the plan. Include regular audits of your backup and recovery plan as part of your overall business continuity planning.
Baseline and Define What is Normal
People who specialize in computer forensics often are called in to assist investigators looking into suspected hacking and other Cybersecurity incidents.
One of the first questions the investigators will ask you and your IT team is for the documented baseline of your computers and network devices so they can compare the current presumed hacked state against the presumed pristine state of your computers and network devices.
Sadly, not everyone or every organization maintains a documented baseline, but they should. You should too.
Your IT staff should maintain documentation that shows how your computer systems are configured and controlled. Your baseline documents should contain information including details on the type of equipment used and version control documents that indicate what authorized software and patches were installed.
Proper maintenance and control of this documentation are expected of professionally managed information systems functions. You should make it a requirement for your IT staff, and your auditing function should be checking to make sure it is done properly.
Having an accurate and well-maintained baseline will make it a lot easier to determine whether you have been hacked or not. It will aid in diagnosing and troubleshooting problems.
In the event that you have been the victim of a hacking incident, it can prove to be extremely helpful in recovering and returning your systems to full operational capability faster and more reliably.
Maintaining your baseline is a great investment to protect you and your information in the event you are attacked.
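The baseline described above only helps if it is in a form that can be compared mechanically. The following is an added example, not code from the book, of a host baseline kept as a manifest of file digests and package versions together with a compare() that reports how the presumed-compromised state deviates from it. The same compare() doubles as the restore drill recommended in the backup section: a manifest recorded when the backup was taken is checked against the files actually restored. All file contents, paths and package versions below are constructed sample data; on a real host the manifest would be built from a filesystem walk and the package manager's inventory.

```python
"""Added example, not code from the book: a host baseline kept as a manifest of
file digests and installed package versions, and a compare() that reports how
the presumed-compromised state deviates from it.  The same compare() serves a
backup restore drill: a manifest recorded when the backup was taken versus the
files actually restored.  All file contents and package versions below are
constructed sample data; on a real host the manifest would be built from a
filesystem walk and the package manager's inventory."""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], packages: Dict[str, str]) -> dict:
    """Manifest = SHA-256 of every authorized file + version of every package."""
    return {
        "files": {path: sha256_hex(content) for path, content in files.items()},
        "packages": dict(packages),
    }


def compare(baseline: dict, current: dict) -> dict:
    """Every deviation from the baseline, grouped as added / removed / changed."""
    report = {"added": [], "removed": [], "changed": []}
    for kind in ("files", "packages"):
        base, cur = baseline[kind], current[kind]
        for name in sorted(set(cur) - set(base)):
            report["added"].append((kind, name))
        for name in sorted(set(base) - set(cur)):
            report["removed"].append((kind, name))
        for name in sorted(set(base) & set(cur)):
            if base[name] != cur[name]:
                report["changed"].append((kind, name, base[name], cur[name]))
    return report


def restore_is_clean(backup_manifest: dict, restored_files: Dict[str, bytes]) -> bool:
    """Restore drill: did every file come back exactly as it was backed up?"""
    restored = build_manifest(restored_files, backup_manifest["packages"])
    report = compare(backup_manifest, restored)
    return not (report["added"] or report["removed"] or report["changed"])


# Constructed sample: the documented baseline taken when the host was built.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /data /mnt/backup\n",
}
BASELINE_PACKAGES = {"openssh-server": "9.2p1-2", "nginx": "1.22.1-9"}

# Constructed sample: the same host as found after the suspected intrusion.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /data /mnt/backup\n",
    "/etc/cron.d/hourly-sync": b"0 * * * * root /var/tmp/sync.sh\n",
}
CURRENT_PACKAGES = {"openssh-server": "9.2p1-2", "nginx": "1.22.1-9"}


def sample_report() -> dict:
    baseline = build_manifest(BASELINE_FILES, BASELINE_PACKAGES)
    current = build_manifest(CURRENT_FILES, CURRENT_PACKAGES)
    return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Run as a script it prints the deviation report for the constructed host: one unexpected file added and one configuration file changed. Store the baseline manifest somewhere the compromised host cannot reach (it is part of the evidence an investigator will ask for), and regenerate it whenever an authorized change is made so that drift from approved maintenance is not mistaken for an intrusion.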
Protect Yourself with Insurance
The author recalls a commercial on television whose tagline was, “The best time to insure for an accident is before it happens.” That is good advice, especially when it comes to Cybersecurity.
Cybersecurity insurance is a rapidly growing discipline within the insurance industry. Many brokers now offer a wide range of insurance options that cover many Cybersecurity incidents including hacking and other forms of malicious activities all the way to inadvertent self-induced data loss.
Not everyone needs Cybersecurity insurance nor does everyone want it. Like any other insurance, deciding whether to invest in Cybersecurity insurance is a best-value business decision.
Individuals and organizations that possess highly valued information such as intellectual property and trade secrets, personally identifiable information for a large number of clients, prized financial records, or medical records are typical investors in Cybersecurity insurance.
So are those businesses that rely on information systems to generate or promote their income; they can’t afford losses associated with hacking and other activities that take their information systems off-line. Businesses that operate in critical infrastructure sectors are investing in Cybersecurity insurance in ever-increasing numbers.
They do so because their expected loss due to Cybersecurity incidents could be significant due to incident damages and remediation, anticipated regulatory fines, and expected litigation. To them, insurance is a good investment (perhaps mandatory).
Regardless of your type of operation or business sector, evaluating your options regarding Cybersecurity insurance is a worthy activity. Your decision whether to invest in Cybersecurity insurance should be based on a cost-benefit analysis congruent with your organization’s risk appetite, just as you would decide for any other insurance option.
Because Cybersecurity insurance is relatively new to the marketplace and actuarial tables influencing rates still are maturing, noticeable variations in rate structures exist between different firms.
You should be a discerning shopper when considering Cybersecurity insurance. Compare plans and rates from many brokers and don’t be afraid to tailor your own package based on your requirements rather than accept a generic package that may not cover all your needs or may provide more coverage than you need.
If you and your business determine that you are at high risk of being hacked or are similarly susceptible to Cybersecurity incidents, Cybersecurity insurance may be an indispensable investment.
Wishing that you had insurance after you’ve been hacked is unacceptable. Anticipate what will happen if you get hacked, what the likelihood of being hacked is, how much it will cost you, and compare that cost to the cost of insurance. You may find that you cannot afford not to have Cybersecurity insurance.
Create Your Disaster Recovery and Business Continuity Plan
While serving in the military, I was exposed to and created countless plans. From the moment I became an officer, the importance of having a plan was continually reinforced. My units would create comprehensive plans that addressed what we would do in every conceivable situation.
We would train everyone in the unit on what to do and would test the strength of the plans, our training, and our personnel through rigorous exercises where inspectors would deliberately throw us curveballs by introducing situations we didn’t originally envision when we created the plan.
These curveballs introduced stress but also promoted creativity. We would take our lessons learned from these training exercises and update our plans and training to make us even better prepared in the event we had to implement the plan for real. We always looked to be prepared for any contingency.
When we had to implement our plans, we had confidence that we were well prepared. We knew what our objectives were. We knew what everyone on the team was doing, from the commanding general down to the junior airmen.
We knew that there were very few scenarios we had not anticipated, but if we were confronted by something new, we knew we could adapt because we had our eyes on the ball and knew what was important to our mission.
We had confidence in each other, our leaders, and in our planning. As an example, as we concluded Operation DESERT STORM, where the author served as a squadron commander, one of my senior noncommissioned officers commented, “We weren’t confronted by anything we hadn’t been trained to do and that made what we did easier than we thought it would be.
In fact, our training was more difficult than actually going out and doing it for real!” Despite being thrown numerous curveballs that weren’t in our plans, we were prepared to hit them out of the park because we had a master plan that was flexible and accommodated changes.
We were confident because we all knew our goals and objectives, we trained to handle multiple contingencies, and we worked as a team. You need to do the same with your Disaster Recovery and Business Continuity Planning.
Having a comprehensive disaster recovery and business continuity plan is essential for every organization, regardless of the business sector. It is a crucial part of your business continuity planning.
You and your organization need to plan for what you will do to maintain the continuity of your business when disasters strike, regardless of whether they are acts of nature or man-made.
Natural disasters are a very real and unpredictable threat. For example, the earthquake and tsunami that pounded the coast of Japan in March 2011 had global effects as it interrupted numerous supply chains, including that of IT manufacturers; introduced harmful radiation into the atmosphere and the Pacific Ocean; severed numerous undersea cables providing key Internet connectivity; and sent debris across the Pacific.
Every geographic location around the world is susceptible to one or more potential natural disasters. Often a disaster in one area will have an effect elsewhere, as did the 2011 earthquake and tsunami in Japan. Although nobody knows when natural disasters will hit, you need to be prepared.
Cybersecurity events can be a disaster for you and your business if you don’t have a plan to address them. Planning in advance better prepares you to address all possible courses of action so that you are not distracted by the fog of war typically found during disasters or crises.
When you are confronted by crises, you are easily distracted by heightened emotions, confusion, spotty information, and angst. So are your people. Making it up as you go along is a losing proposition too as you increase your chances of increasing confusion, losing unity of effort, and making mistakes.
WHAT TO DO WHEN BAD THINGS HAPPEN: IMPLEMENTING YOUR PLAN
The plan you create to address a Cybersecurity incident may not be perfect. In fact, you may find that it does not adequately address every facet of the incident you face.
It is neither unusual nor unexpected to see plans go through several iterations and updates over their life spans as new technologies are introduced, as new threats and vulnerabilities emerge, and as exercises of the plan illuminate new and better ways to address situations.
You should consider your plan a living document and prepare to update it regularly. While your plan may not be perfect, it is a rallying point upon which you and your team can begin the process of assessing the situation, determining your next steps, and working together in a well-coordinated manner congruent with your strategy to minimize risk and put you firmly in control.
We recommend that you adopt the following ten checklist items to guide your activities when you are hacked. Incorporate these items into your cyber disaster response checklists that are part of your organization’s Cybersecurity incident disaster recovery and business continuity plan.
You may find that your corporate culture, type of organization and products, and other factors may spur you to add to this list of things to do with additional steps tailored to your organization.
You should consider writing the items down on a sheet of paper and store it in your wallet for quick reference as you may use them at home as part of your personal disaster recovery and business continuity plan.
You are going to be hacked. Here is our 10-item checklist indicating what you should do when a hacker breaches your defenses:
Item 1: Don’t Panic
Nobody wants to follow a leader who panics at the first sign of trouble. When it comes to cyber incidents, your first step is to remain calm and not to panic.
Many people lose their cool when they detect telltale signs of hacking or are informed they have been hacked. Hacking is a crime and suddenly people feel the full weight of being a victim.
For most, they feel violated as identities may be compromised, monies stolen, secrets revealed, or treasures destroyed. Some will feel personally responsible and professionally embarrassed. The emotional impact can be crushing to some and devastating to others.
As an executive, you have a leadership responsibility to remain calm and not panic. The crisis is the time when your calm and deliberate leadership is most crucial. You must be the leader to calm people down and focus them on the task at hand, which is to gather the facts and resolve the situation according to plan.
You can’t do that if you aren’t calm yourself. Be like Stonewall Jackson. Don’t panic and be the leader your people can rally around to resolve the situation properly. Ride to the sound of the guns and prove yourself worthy.
Item 2: Make Sure You’ve Been Hacked
Brace yourself for the day you get a report that you’ve been hacked. Such reports can come from various sources. They may come from one of your own people who has detected anomalous behavior on your network or devices. It may come from your personal observation of poor system or network performance.
It may even come from the hackers themselves, who have advertised their supposed success. Regardless of your source, verify that you actually were hacked and that what you are seeing is not the result of an accident, system or software misconfiguration, or malfunction.
There is a popular military saying, “First reports are always wrong.” Verifying you actually have been hacked is critically important because you likely will expend significant resources in the event it’s true that you have been hacked. You don’t want to waste your precious resources chasing a bogus report or overreacting.
Some people have learned the hard way the importance of verifying whether they indeed were hacked, many with embarrassing results. Take, for example, the case of the U.S. Department of Commerce’s Economic Development Administration. In early 2012, it was alerted that malicious code was detected on its network.
In January, employees were disconnected from email and websites when the chase for the malware was launched. By April, the employees finally were reconnected using alternative means while the hunt continued and agency incident responders destroyed numerous desktops, printers, cameras, mice, keyboards, and other devices believed to be infected.
The agency then went on to spend more than half of its IT budget, over US$2.7 million, chasing down what appeared to be a major malware infection.
By August, they “had exhausted their funds and halted the destruction of its remaining IT components, valued at $3 million,” wrote inspector general auditors assigned to investigate the facts and circumstances surrounding the incident.
The auditors found that the person put in charge of the incident response was unqualified and untrained for the task and only after they ran out of money did they find that the infection was limited to just two devices.
There are many other similar examples of similar target fixations and overreaction across each business sector, but not everyone is as forthcoming and transparent as the U.S. Department of Commerce in publicly admitting their mistakes.
Nonetheless, there is a valuable lesson to be learned from the fiasco at the Economic Development Administration: verify that you have indeed been hacked before you commit yourself to some expensive and potentially irreversible steps.
Item 3: Gain Control
Once you confirm that you indeed have been hacked, it is essential that you gain control of your computer or device. This is critical so that you can assess the situation and determine the next best steps for you and your organization.
Hackers may have control of your computers and are quietly using them to do such things as monitor your online activity, steal your information or that of your clients and partners, or even use your computers as tools in criminal activities.
As an example, hackers continue to develop sophisticated programs that secretly are installed on as many computers as possible through the use of poisoned email attachments, websites, and other surreptitious means.
These infected computers then are banded together like zombies, unwittingly committing criminal activity such as distributed denial of service attacks, fraud, and information theft.
These bands of zombie computers, called botnets, are increasing in size, number, and severity on a daily basis and may expose individuals and businesses to liability concerns and damages.
Disconnecting your infected device from the Internet is a technique commonly referred to as isolation. Similar to techniques used in medicine, the infected device is isolated or quarantined from other devices. This ostensibly reduces the likelihood that any suspected infection will spread to other devices.
Many businesses find they need to have their systems online in order to generate revenue; thus, downtime to study suspected hacking activity is unacceptable.
Firms like these often will do whatever they need to in order to restore their services to full operational capability as fast as they can, even when it means they accept the risk of destroying the potential evidence law enforcement personnel can use to track the perpetrators and bring them to justice.
While many firms have redundant capabilities that allow them to switch to backup systems to preserve evidence on their infected systems, these cases are relatively rare.
Some firms now attempt to take a snapshot or full copy of the computer’s now-infected hard drive to preserve evidence for law enforcement and forensic investigators and then wipe and reload the device to return it to service as fast as possible. What actions you take depends on the level of risk you are willing to accept.
Regardless of which avenue of approach you take, you should recognize that once your computers and network devices become victimized by a hacker, they may be considered evidence in the commission of a crime. As such, any action that you take may contaminate or erase potential evidence.
The computer or devices are evidence that may be helpful to investigators from law enforcement, regulators, computer forensic professionals, and auditors.
You should maintain detailed and accurate chain of custody records of every action that you take. They should document everything including who touched what device, why they did so, what they did, and how they did it.
Maintaining a snapshot copy is very helpful to preserve the crime scene, especially the computer logs. You should be prepared to justify to your board, shareholders, regulators, and law enforcement officials every action you’ve taken in response to a hacking incident.
The best time to evaluate and decide what course of action to take to gain control in a hacking incident is before it happens. Think ahead and include in your plan of action what you would do to regain control of your systems in the event that a hacker successfully attacks you and when you would do it.
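The chain-of-custody records called for above are only persuasive to a board, a regulator or a court if they cannot be quietly edited after the fact. The following is an added example, not code from the book, of an append-only custody log in which each entry records who did what to which device, why, and when, carries the SHA-256 of any evidence image taken, and includes the hash of the previous entry so that a later edit or deletion breaks the chain. Handler names, asset tag, timestamps and the stand-in image bytes are all constructed.

```python
"""Added example, not code from the book: an append-only chain-of-custody log
for devices handled during an incident.  Each entry records who did what to
which device and when, plus the SHA-256 of the evidence image where one was
taken, and carries the hash of the previous entry so that any later edit or
deletion breaks the chain and is detectable.  All values below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64   # back-link of the very first entry


def _digest(payload: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str                # ISO 8601, as recorded by the handler
    handler: str                  # who touched the device
    device: str                   # asset tag or serial number
    action: str                   # what was done (isolated, imaged, sealed, ...)
    reason: str                   # why it was done
    image_sha256: Optional[str]   # digest of the evidence image, if one was taken
    prev_hash: str                # entry_hash of the preceding entry
    entry_hash: str = ""

    def payload(self) -> dict:
        d = asdict(self)
        d.pop("entry_hash")
        return d


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp, handler, device, action, reason, image_sha256=None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = CustodyEntry(len(self.entries), timestamp, handler, device,
                         action, reason, image_sha256, prev)
        e.entry_hash = _digest(e.payload())
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True only if every entry's sequence number, hash and back-link are intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or _digest(e.payload()) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def image_digest(image_bytes: bytes) -> str:
    """Digest of a disk image; recorded in the log so the copy can be proven unaltered."""
    return hashlib.sha256(image_bytes).hexdigest()


def sample_log() -> CustodyLog:
    log = CustodyLog()
    log.append("2024-05-01T09:12:00Z", "J. Doe (IT)", "WS-0417", "isolated",
               "network cable disconnected after monitoring alert")
    img = image_digest(b"constructed stand-in for a full disk image")
    log.append("2024-05-01T10:40:00Z", "A. Lee (forensics)", "WS-0417", "imaged",
               "full disk copy taken for investigators", img)
    log.append("2024-05-01T11:05:00Z", "A. Lee (forensics)", "WS-0417", "sealed",
               "evidence bag 17 placed in locker B")
    return log


def tampered_log() -> CustodyLog:
    log = sample_log()
    log.entries[0].handler = "unknown"   # simulate an after-the-fact edit
    return log
```

verify() returns True for the log as written and False for the tampered copy; removing an entry from the middle is caught the same way because the sequence numbers and back-links no longer line up. In practice the log itself should be written to a system the suspect devices cannot reach, and the final entry_hash noted on the paper evidence tag.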
Item 4: Reset All Passwords
This may appear to be a no-brainer; however, we continually find instances where individuals and organizations fail to change their passwords on a regular basis, let alone in the aftermath of a hacking incident.
If your business is the victim of hacking, change every password on every computer and device, especially system administrator passwords.
We caution that you should be on heightened alert to the appearance of any new and unauthorized accounts during this period as they may be evidence that the hacker has established their own account (or accounts) on your network to permit them continued access.
Hackers who have established what appear to be legitimate accounts will comply with your calls for all personnel to conduct mandatory password changes to retain their access.
Therefore, you should combine your mandatory password resets with a 100% validation of accounts to ensure you deny hackers access to conduct further damage.
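The point above is that a password reset by itself does not remove an account the intruder created, because that account will simply reset its password along with everyone else. The following is an added example, not code from the book, of the 100% account validation that should accompany the reset: every account on the system is checked against the authorized roster, accounts created inside the suspected compromise window are flagged, and roster accounts whose password has not changed since the reset was ordered are listed as outstanding. The roster, account records, uids and timestamps are constructed; on a real system they would come from the directory or local account database.

```python
"""Added example, not code from the book: validate every account against the
authorized roster as part of the post-incident password reset.  Flags accounts
not on the roster, accounts created inside the suspected compromise window, and
roster accounts whose password has not been changed since the reset was ordered.
All roster entries, account records and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set


@dataclass
class Account:
    name: str
    uid: int
    created: datetime
    last_password_change: datetime
    enabled: bool


def _ts(s: str) -> datetime:
    """Parse a constructed ISO 8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed roster: the accounts the organization has actually authorized.
AUTHORIZED_ROSTER: Set[str] = {"root", "alice", "bob", "svc-backup"}

# Constructed account database as found on the host after the incident.
ACCOUNTS: List[Account] = [
    Account("root", 0, _ts("2022-01-10T08:00:00"), _ts("2024-05-02T09:30:00"), True),
    Account("alice", 1001, _ts("2022-01-10T08:00:00"), _ts("2024-05-02T09:31:00"), True),
    Account("bob", 1002, _ts("2023-03-01T12:00:00"), _ts("2024-01-15T10:00:00"), True),
    Account("svc-backup", 1003, _ts("2022-06-01T08:00:00"), _ts("2024-05-02T09:45:00"), True),
    # Not on the roster, created during the window, and it dutifully reset its
    # password after the mandatory-change order: the reset alone would not catch it.
    Account("support2", 1004, _ts("2024-04-29T02:14:00"), _ts("2024-05-02T09:50:00"), True),
]


def validate_accounts(accounts: Iterable[Account], roster: Set[str],
                      compromise_start: datetime, reset_ordered_at: datetime) -> Dict[str, List[str]]:
    """Cross-check the live account list against the roster and the incident timeline."""
    findings: Dict[str, List[str]] = {
        "unauthorized": [],        # present on the system, absent from the roster
        "created_in_window": [],   # created on or after the suspected compromise start
        "reset_outstanding": [],   # authorized, enabled, password not changed since the order
        "missing_from_system": [], # on the roster but no longer present (possible deletion)
    }
    seen = set()
    for a in accounts:
        seen.add(a.name)
        if a.name not in roster:
            findings["unauthorized"].append(a.name)
        if a.created >= compromise_start:
            findings["created_in_window"].append(a.name)
        if a.name in roster and a.enabled and a.last_password_change < reset_ordered_at:
            findings["reset_outstanding"].append(a.name)
    findings["missing_from_system"] = sorted(roster - seen)
    return findings


def sample_findings() -> Dict[str, List[str]]:
    return validate_accounts(ACCOUNTS, AUTHORIZED_ROSTER,
                             compromise_start=_ts("2024-04-25T00:00:00"),
                             reset_ordered_at=_ts("2024-05-02T09:00:00"))


if __name__ == "__main__":
    for category, names in sample_findings().items():
        print(f"{category}: {names or 'none'}")
```

On the constructed data the report names support2 as both unauthorized and created in the window, and lists bob as the one authorized user who has not yet completed the reset. Disable flagged accounts rather than deleting them until the investigation is done, since the account records themselves are evidence.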
In the event that your business suffers a hacking incident, you should change your passwords on your home systems. Many people exchange information between their home and work computers.
While this often increases productivity, it also increases exposure to cross-contamination; you may inadvertently bring a virus home from work that could open your home system to the hacker who attacked your work environment.
Hence, you should change your password and thoroughly scan all your personal and home devices with current antivirus and antimalware software products to verify the integrity of your home systems.
When your home system is the victim of a hacker, you should move quickly to change all your passwords. Despite recommendations from security professionals to make sure your passwords aren’t all the same, many people continue to recycle the same password, using it on multiple accounts because it is easy for them to remember.
Hackers love this as it permits them to not only gain control of your computer but also of your bank accounts, web-based email, stock funds, Internet shopping accounts, and other sources that rely on your username and password. Don’t make it easy for the bad guys. Change all your passwords whenever you find evidence that you have been hacked!
Item 5: Verify and Lock Down All Your External Links
Many people use applications that share information with other applications through various plug-ins and application programming interfaces (APIs).
These relationships improve the user experience and permit information to flow seamlessly between different applications without you having to manually move files around to share them.
These links also provide a great capability for hackers to gain access to your information and exfiltrate it.
As an example, you may use your phone to help you navigate while you drive. The application you use has to continually swap information with multiple servers. First, the phone has to determine where it is.
This typically is managed by the operating system that uses telemetry from multiple satellite sources (such as the Global Positioning System [GPS]) or even cell phone towers to fix your position.
Your phone then shares this information with an application server that calculates your optimum routing based on your current position and target destination. This information is continually updated based on a predetermined data exchange rate managed by the application.
There are many background processes quietly executing and exchanging information while you drive toward your destination.
What makes all these information exchanges work are the APIs. Their importance and capabilities make them inviting targets for hackers who see them as a means to both enter your system and take information from it.
Many applications such as games, social media, and productivity tools (such as your online schedule) use this capability, so it pays to be cautious in the aftermath of a hacking incident to verify and lock down these pathways.
Item 6: Update and Scan
When a hacker owns your computer, you should consider wiping it (a full overwrite or secure erase of the drive, not merely a quick format), reinstalling the operating system and up-to-date security software from known-good media, scanning for any residual threats, and returning it to service as appropriate.
It is difficult to determine whether a hacker has left behind capabilities that will enable them to reenter your computer at a later time of their choosing. Some hackers have the capability to survive reformatting of hard drives and maintain a persistent presence on computers.
For example, a technique used by highly sophisticated hackers is to create what often is called a stealth drive. Using this method, the hacker carves out a portion of your drive and hides it from your operating system so that it is not treated as part of the working disk, while code that runs at boot time still executes from it.
This allows the hacker to maintain a persistent backdoor presence on the machine even if you reformat the hard drive and reload the software, because the reformat only touches the part of the disk the operating system can see and never reaches the hidden segment.
While this is a worst-case scenario of which you should be aware, detecting and remediating a stealth drive is expensive: it means confirming that the operating system sees the drive's full native capacity and, if it does not, replacing the drive rather than trusting a reformat. Your risk appetite may lead you to accept the residual risk after wiping and reloading your computer.
Scanning the computer and device with current and updated antivirus and antimalware software should be a mandatory control on your checklist before permitting the infected device to return to operation on your network.
We have seen many schools of thought on this with many companies changing their antivirus and antimalware software after incidents.
Those who make the change state they lose confidence in their original vendor when they are the victim of an incident and believe that another vendor’s product may provide better protection.
While scanning for any residual risk should be a mandatory control, switching software packages may not be the right answer. Make your changes based on a capabilities-based cost-benefit analysis comparing candidate products.
Item 7: Assess the Damage
Not all hacking incidents will ruin your day because not all hacking and Cybersecurity incidents have the same effects.
You will allocate resources based on the type and severity of damage you face so it is important to assess the damage to provide you the information you need to best align your precious resources to the incident response.
As an example, one of the most common hacking incidents prevalent today is a web site defacement. Defacement is similar to someone spray-painting graffiti onto the front windows of your business and may have similar effects. In this type of hack, the hacker gains access to your web server and changes or adds content to your web pages.
The list of organizations that have fallen victim to this type of hack is long and includes the United Nations, Fox News, and even the NSA. If your website gets hacked and is defaced, the damage depends on several factors including what the defacement says, how long it is posted before it is cleaned up, and who reads it.
If someone hacks into your website and defaces your page with a sign that says, “You’ve been pwned by Hacker Z,” very few people visit the site before it is restored to its proper (baseline) configuration, and very few resources are expended to fix it, then the damage from the hack may be considered negligible.
In contrast, if your website is used for electronic commerce and a hacker gains control of your site to change pricing, post comments critical of your business or products, or reveal customer information, the damage could be severe not only to remediate but also to your brand reputation.
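The reload-and-verify step in Item 6 and the defacement scenario just described both rest on the same control: a known-good baseline of file hashes and a comparison of the live system against it. The following Python script is an added example written for this page, not code from the book or from any product it mentions. It assumes a host with Python 3 and hashes every regular file below a directory such as a web root or a freshly reloaded system image; the sample web root, its “defacement,” and the dropped file in the demo are constructed here for illustration. It checks only what the operating system can see, so it will not reveal a stealth drive or other hidden persistence; run it from trusted media against the reloaded disk for the Item 6 case, and on a schedule against the web root for the defacement case.

```python
"""Added example (not from the book): file-integrity baseline for post-incident checks.

Build a manifest of SHA-256 hashes from a known-good tree, store it off-host,
then compare the live tree against it to spot added, removed, or altered files.
"""
import hashlib
import json
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped on purpose: hashing their targets would let an
        # attacker point a link at a legitimate file and hide a swapped binary.
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, out_file):
    """Write the baseline as JSON; keep this copy off the monitored host."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file):
    """Read a baseline written by save_manifest."""
    return json.loads(Path(in_file).read_text())


def diff_manifest(baseline, current):
    """Classify every deviation of the live tree from the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def verify(root, baseline):
    """Return (ok, diff); ok is True only when the live tree matches exactly."""
    diff = diff_manifest(baseline, build_manifest(root))
    return not any(diff.values()), diff


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a tiny web root, baselined and then "defaced".
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "img").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Welcome to Example Corp</h1>\n")
        (site / "img" / "logo.svg").write_text("<svg></svg>\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_file)

        # Simulated incident: home page replaced and a stray script dropped.
        (site / "index.html").write_text("<h1>You've been pwned by Hacker Z</h1>\n")
        (site / "backdoor.php").write_text("<?php /* constructed placeholder */ ?>\n")

        ok, diff = verify(site, load_manifest(baseline_file))
        print("baseline intact" if ok else "DEVIATION FROM BASELINE")
        print(json.dumps(diff, indent=2))
```

The manifest is only as trustworthy as its storage: keep it on a separate system or signed media, because an attacker who can rewrite the web root can rewrite a baseline stored beside it. For the reload case, generate the baseline immediately after the clean install, before the machine is reconnected to the network, so that the first comparison is against a state you know was good.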
The severity of damage drives how you respond, governing the velocity of response actions, the expenditure of resources, the assignment of personnel, interaction with law enforcement and regulators, and public disclosures. You need to know how bad things really are (or aren’t) so you know what resources to commit to the problem.
Assessing damage is part of your risk management program and should be measured in monetary terms. Understanding the cost to repair the damage and restore to the desired baseline is only one factor that ought to be considered. Damage to brand reputation is not to be ignored and must be addressed.
Your disaster recovery and business continuity plan should include defining who will assess potential damage, what damage they should assess (e.g., physical damages, data integrity, brand reputation, legal and regulatory action exposure, and other monetary expenditures), and what timelines you expect for reporting.
Assessing damage should not be limited to organic in-house personnel. Consider as part of your plan bringing in third-party experts to help assess and define the damage wrought by hacking and other malicious activity. For example, many companies retain PR firms to help them rebuild and retain their brand reputation in times of crises or disasters.
You may find that a major cyber incident calls for reinforcements to protect your brand reputation. Likewise, the hacker may have employed techniques that are beyond the capabilities of your in-house technical team.
You should consider hiring a specialist such as a certified ethical hacker or certified information systems auditor with computer forensics experience to augment your team to find and fix the root cause of the incident.
Third-party experts can be extremely helpful in determining the extent of damage and in recommending appropriate next steps to reduce your risk profile. They are an investment worth considering.
Item 8: Make Appropriate Notifications
When you find out you have been hacked, one of the things you have to do is determine who needs to know. Many organizations do not want it known that they have been hacked.
There are many very good reasons they want to keep notifications to a minimum including the fact that once it is public knowledge that an organization has been hacked, such information often attracts other hackers to attempt copycat attacks.
Also, public disclosure that an organization has been hacked often is viewed negatively by prospective clients, partners, and investors, harming brand reputation and value.
Hacking incidents also increase risk exposure to litigation as lawsuits alleging misconduct or malfeasance associated with insufficient due care and due diligence have increasingly been seen in the aftermath of major cyber incidents.
With these reasons in mind, while you should retain an open and honest approach to your notification process, you should keep your notifications to a minimum; only notify those with a need to know.
Your leadership should be notified when you are the victim of hacking incidents. As an example, many boards of directors and their risk committees issue guidance directing what critical information they require and when they need it.
Hacking and other Cybersecurity incidents are increasingly finding their way to the top of their reporting requirements.
Bad news does not get better with time, so make sure you keep your leadership informed with fact-based information in a timely manner.
Be prepared to answer the 5 Ws and H: Who, What, When, Where, Why, and How. Recognize that initial reports may be incomplete, so plan for regular updates and status reports. Always make sure that your boss is informed!
Besides your leadership team, there are several entities within your organization that need to know when you’ve been hacked or had a similar Cybersecurity incident. The first is your general counsel. Your legal team should be fully informed and engaged as you respond to the incident.
They should be responsible for identifying all legal requirements for any and all notifications and remediation actions. Your lawyers should give you sound advice on what you should do, what you have to do, and what you might do when confronted by a Cybersecurity incident.
Another internal notification that should be made is to your PR staff. A Cybersecurity incident can have significant negative effects on your organization if not managed well. Your PR staff should be charged with managing your information flow to the public.
Nobody in your organization should be communicating about the event without the expressed approval of the PR staff. Make sure your PR staff is notified of Cybersecurity incidents promptly and completely.
When you are making notifications internally about your Cybersecurity incident, don’t forget to notify your CFO. Cybersecurity incidents can result in significant unplanned expenditures that your CFO will have to find funding to cover. Moreover, CFOs also typically control many organizational auditing functions.
As you respond to Cybersecurity incidents, auditing is an important component of investigations and remediation activities, and the CFO ought to be fully engaged. They also need to be fully informed.
You may maintain partnerships that specify a contractual obligation that the parties must notify each other in the event that one is the victim of hacking or similar Cybersecurity incidents.
This is common for those businesses that share information through electronic means and those who maintain custodianship of information.
Your contracts should spell out under what conditions notifications are to be made, to whom, when they are to be made, and in what manner.
Partnerships can be poisoned by lack of transparency during Cybersecurity incidents, so make sure you understand what notification requirements you have in your contracts and hold yourself and your partners accountable to meet obligations.
Your organization may be associated with critical infrastructures whose regulatory authorities mandate reporting of cyber incidents. Whenever you are subject to mandatory reporting requirements, you should comply with the requirements in accordance with the directives.
Follow the instructions specified by the regulatory agency and provide the required information, but exercise caution.
In the famous television drama Dragnet, the detective Sergeant Joe Friday would always tell those he was interviewing he wanted just the facts. You should follow this advice and provide just the facts as requested.
Anything more or less may expose your organization to additional risk. Be cooperative with regulatory agencies, provide only the information they require, and comply with all control mechanisms.
Because hacking is a criminal activity, you should notify law enforcement officials. Effective prosecution of criminals such as hackers requires cooperation between the victim and law enforcement authorities, and if you do not report the crimes to law enforcement authorities, it is very likely the hackers will continue to victimize you and others.
Moreover, as the FBI says, “In a digital world where evidence can disappear at the click of a mouse, the swift investigation is often essential to successful … prosecutions.”
Item 9: Find Out Why It Happened and Who Did It
Your initial response to a hacking or Cybersecurity incident is focused on what happened and how to fix it. Many Cybersecurity professionals like to compare this to fighting a forest fire; you try to contain the damage and will worry about other things later.
Just because you have extinguished the fires that erupted from the hacking or Cybersecurity incident doesn’t mean that the incident should be closed. In fact, we’ve found that lasting fixes come from understanding why the incident occurred and who was responsible.
Determining why a hacking or other Cybersecurity incident occurred is helpful in making sure that your controls and defenses are adequate to prevent the attacker from successfully breaching your defenses again. Your investment in Cybersecurity controls is not inconsequential and you want to make sure you have a good return on investment.
Understanding why the perpetrator attacked may give you valuable clues as to whether you can expect them or others to return with other attacks and whether you need to invest in other more robust defensive controls to prevent further damage.
Finding out why you were attacked and who did it also comes into play in assigning liability. Sad as it may be, hacking and other Cybersecurity incidents drive financial losses and hassles, and there will be great calls to assign accountability and liability; somebody has to pay for the incident.
Understanding why and who attacked may be extremely helpful during adjudication of culpability. For example, let’s say that your firm does business in Africa and was recently hacked, causing significant losses.
The investigation found that the attack came from one of your IT staff, a contractor from another firm, who was offended by your company’s business dealings in one of the African countries and sought to prevent your company from successfully doing business there.
The other firm may be liable for the damages caused by their employee, but this information is valuable in other ways.
Alerted by the contractor’s motivations, as part of your risk management program, you may actively search for others who share this motivation and posture yourself to mitigate risks accordingly.
Finding out why you were hacked and who did it may take a while. In fact, you may never find out who attacked you and why. Nevertheless, you should investigate the facts and circumstances behind the attack so that you can take prudent and reasonable actions to prevent the next one.
Be patient yet know when to quit. If your investigation is not showing signs of producing the evidence that leads to answers, don’t waste time, effort, and money. Instead, take the information you have and adjust your defenses.
Item 10: Adjust Your Defenses
If you’ve been hacked, chances are excellent that word is out where you are vulnerable and other hackers will try their hand to penetrate your defenses too.
In some regard, hackers are like sharks in the water; when they smell blood, they all flock to the kill. That’s why it is essential that you adjust your defenses to remedy the deficiencies that enabled the initial successful hack into your systems and prevent further losses.
Hackers are extremely smart and talented people. Many seek affirmation of their talents and skills through boasts of their conquests in hacker forums and web pages. Some even believe they are performing a public service by exposing your weaknesses to compel you to improve your Cybersecurity posture.
Many will return to the scene of the crime to see if you’ve learned anything from their initial attack. They will try the same exploits to see if you’ve taken appropriate measures to remedy the conditions that allowed them to attack you in the first place. If not, they will hit you again and may try to inflict even greater damage.
Your defenses should never remain static regardless of whether you have been hacked or not. Technology changes continually as do the tactics, techniques, and procedures used by hackers and other bad actors who seek to gain access to your information.
Your Cybersecurity staff should be keeping up to date on the latest threats, vulnerabilities, and defensive techniques to best posture you and your organization to protect your information. Be prepared to continually adjust your defenses.
You should pay attention to these following foot stompers regarding issues you will have to address when you get hacked.
The Importance of Public Relations
When you’ve been hacked, your PR team is needed more than ever. In the aftermath of a hacking incident, confidence in your organization’s ability to adequately protect information plummets.
Clients, partners, and some shareholders start consulting with their attorneys to discuss potential litigation. Potential investors begin to look at alternative investments. You need to be very careful and deliberate in your public messaging during this period.
Maintaining the goodwill and confidence of your employees, customers, partners, stockholders, and potential investors is critical when you’ve been hacked. How you lead and manage during this period will be put under the microscope, and people will want to see that you are doing the right things at the right times for the right reasons.
Stakeholders at all levels want to see evidence that you are protecting their best interests. They expect you to demonstrate competency and professionalism in dealing with a difficult situation, expect you to demonstrate that leadership owns the issue and is fully engaged, and expect you to keep them informed. This is where your PR team earns their keep.
Unfortunately, many companies, even great ones, drop the ball when responding to hacking and Cybersecurity incidents.
As you build your disaster recovery and business continuity plan to hacking and Cybersecurity incidents, you should carefully study the lessons learned from other companies that already have experienced hacking and cyber incidents so that you are well prepared to have the right public message to maintain confidence in your organization.
Inform those affected immediately:
Consumers consider it inexcusable when you delay notification that their personal and financial information is potentially at risk.
Even if there is a suspicion that information is compromised, those affected want to know that you are attempting to look after their best interests by notifying them promptly so they can take appropriate action.
Get yourself a world-class public relations consultant:
Even though you may have very capable in-house PR staff, their normal duties are akin to those of a medical general practitioner. What you need for a significant Cybersecurity intrusion is a specialist.
There are several highly competent firms and individuals that are experienced in dealing with such events. Do yourself a favor by including them in your disaster recovery and business continuity planning and provisioning them to launch into action when you need them the most.
Get senior leadership out in front:
Neither Sony nor Schnucks senior executives appeared to be fully engaged in leading the response to the hacks. While they may have been up to their eyeballs handling the events, the perception was that they were disengaged and the matter was not important enough to warrant their attention.
Had the CEOs of Sony or Schnucks immediately taken ownership of the issues, made themselves available for interviews to update the public, and been transparent through the incident response, public perceptions may have been different.
Be prepared to offset impacts on consumers:
Many consumers are concerned about the impacts of hacking incidents on their personal and financial information.
Offering to underwrite the costs of credit checks and security measures is often seen as a goodwill gesture that may avert lawsuits seeking damages. As a result, this measure may save you money in the long run.
Keep those affected regularly updated and informed:
While your CEO should be visible during hacking incidents with apologies and pledges to protect the consumer’s interests, the organization’s authorized spokespeople ought to be giving regular updates to the public and press during the recovery and remediation process. Transparency is highly valued and builds trust.
Your PR in the aftermath of a hacking incident is crucial to your bottom line. Most people have come to the realization that hacks are becoming a way of life.
When they conduct business with your organization, they provide their personal and financial information to you as part of a transaction, and they expect you to be responsible custodians of that information.
When you are the victim of a hack, that responsibility does not evaporate; it magnifies. Your PR effort must demonstrate that you are acting in a manner that relentlessly attempts to protect your consumers.
You must never be portrayed as indifferent to or disregarding your customers. Get yourself that world-class public relations consultant.
Working with Law Enforcement
Hacking is criminal activity that should not be tolerated. It threatens the economic well-being of organizations and nations and will continue if not arrested.
We believe that whenever you are the victim of a hacking incident, you should notify law enforcement officials and press charges so that the perpetrators can be apprehended and held accountable.
Making timely notification of hacking incidents to law enforcement officials protects your legal remedies in the aftermath of an attack and can help minimize the damage.
Law enforcement officials now have access to increasingly sophisticated technologies and procedures that may reveal who attacked you, how they did it, and how to protect you from reattack. Importantly, calling in law enforcement officials early helps preserve evidence and makes sure that all investigative avenues are fully explored.
In the United States, law enforcement officials at the national, state, and local levels have varying degrees of capabilities to deal with computer crime. Typically, local police have limited capabilities, while state and national agencies have more robust investigative and forensic capabilities.
Jurisdiction for the crime is dependent upon a variety of factors including who was involved (i.e., the victim and the perpetrator) and what was the crime (e.g., damages from hacking.).
A state or local computer crime task force may be a more appropriate investigating organization for those cases that do not meet federal computer crime thresholds.
As such, we recommend your first call should go to your local police department with the recognition that other law enforcement agencies later may become involved as details emerge.
Some people and organizations admit they do not have confidence in their local police department’s ability to handle computer crime, especially those who are located in smaller communities.
If you are one of these organizations, you may want to consider making notification of your attack to the Internet Crime Complaint Center (IC3), which is a partnership between the FBI, the National White Collar Crime Center, and the Department of Justice’s Bureau of Justice Assistance.
The IC3 will take your complaint and refer it to the authorities best aligned to handle your case. They encourage victims to make their reports through their website at www.ic3.gov.
Outside of the United States, most countries also have established national computer crime task forces and procedures. For example, Canada has established the Canadian Cyber Incident Response Centre (CCIRC) to coordinate responses to cyber incidents.
In cases where affected organizations believe a computer crime has been committed, the Canadian government recommends that the alleged victims contact their local law enforcement authorities.
In cases where the alleged victim believes national security is at risk, they are instructed to contact the Canadian Security Intelligence Service. The CCIRC is often called in to review incidents and provide advice on whether to contact law enforcement or national security authorities.
In the United Kingdom, the National Cyber Crime Unit (NCCU) within the National Crime Agency was established to leverage national technical and law enforcement specialists in partnership with local law enforcement officials to respond quickly to address cyber threats and crimes.
The NCCU addresses the most serious incidents of cybercrime and assists local law enforcement officials. As with the United States and Canada, British victims of computer crime are encouraged to notify local law enforcement officials to initiate the law enforcement investigative process.
Other countries, such as Australia, France, Germany, and Japan have established similar constructs governing the involvement of law enforcement in the investigation of cyber crimes.
For those organizations that operate in multiple countries, it is advisable to remember that every country has its own laws governing cybercrime.
Normally, the law enforcement organizations of the countries where the perpetrator and victim are located will coordinate for an investigation and prosecution actions.
When to call law enforcement officials is a conscious decision. Many people and organizations elect not to inform law enforcement officials when they have been the victims of hacking and other computer crime.
Most do so as they believe that the negative publicity resulting from law enforcement investigations and public disclosure will cost more than writing off the damages from the incident.
While this is an understandable response, in many ways it is not socially responsible because it permits the perpetrator to continue to pursue their nefarious hacking activity.
As such, we always encourage our clients to maintain their integrity, report criminal activity, and press charges when the perpetrators are apprehended.
We believe that in the long run doing the right thing pays off positively, as such actions are viewed by clients, partners, shareholders, and potential investors as appropriate, while failing to report criminal activity is viewed as complicity or condoning it. Furthermore, it conveys an image of weakness.
As Kevin Mitnick reminds us, hacking causes financial losses and hassles. In the aftermath of a hacking attack or similar Cybersecurity incident, you will not have the opportunity to buy insurance retroactively, so you have to plan for the worst up-front and provide for sufficient insurance to offset your losses and minimize your risk.
Unfortunately, even insurance will not make the hassles associated with liability completely go away. You can reasonably expect numerous sources will call for accountability after a hacking incident; someone will have to pay.
Insurance is one of the most popular methods of addressing liability. Many companies offer specific Cybersecurity insurance that will protect you and your organization in the event that you fall victim to hacking or other Cybersecurity incidents.
These tailored policies are a wise investment when the potential loss associated with such incidents is high and introduces unacceptable levels of risk; insurance transfers the insured risk to the insurer.
However, be very careful with your insurance. Many people believe their general liability insurance will protect them against losses associated with hacking and Cybersecurity incidents and are shocked to find that may not be the case.
Legal Issues to Keep an Eye On
You should expect to get hacked. You also should expect to be sued. Lawsuits in the aftermath of hacking and other Cybersecurity incidents have become a fact of life. You and your organization should be well prepared to address lawsuits that will be filed shortly after the incidents.
Many lawsuits are filed alleging that due care and due diligence were not performed by your organization, thus permitting hackers to penetrate your defenses, put valuable client and organizational information at risk, and cause you to expend unplanned resources to remediate or repair the damages.
These lawsuits often are filed by shareholders who believe their investments have been compromised by the hack and associated damages. Plaintiffs seek a measure of compensation for their perceived and actual losses.
Such allegations will attempt to portray you and other executives as incompetent, ignorant, or worse. You will need a thick skin and a good attorney to help you through the ensuing legal process.
You may expect other lawsuits directed at the corporate board itself alleging that the board did not institute sufficient oversight to ensure that adequate controls were implemented to protect the organization and its resources.
If you are a member of the organization’s board of directors, you already should have an insurance policy that protects you against liability incurred in your duties as a board member.
Make sure you protect yourself by confirming that your policy covers the costs of lawsuits associated with hacking and Cybersecurity incidents.
Don’t be surprised if your business partners suddenly sue you for damages in the event of a hacking or Cybersecurity incident.
If they can prove that hackers who breached your defenses were able to leverage the trusted relationship between your two organizations to gain access to their networks and information, they may be able to prove that you and your organization are culpable for any damages wrought on them, their clients, and their associates.
That is why it is important not only to pick your partners wisely but also to be very careful with whom and how you share information.
Maintaining connections between networks using techniques referred to by technical personnel as trusted relationships permits information to flow freely between two network entities. Such an arrangement is considered very convenient by users and partners who share resources.
To a hacker, this type of relationship is an information superhighway into your partner’s network. Many great partnerships have been poisoned by one partner not adequately protecting against hackers and exposing both organizations to attack.
Lawsuits also mean that there will be legal discovery and associated requests for information from the legal team suing you. We recommend that you carefully preserve all records associated with your information systems including your baseline hardware and software configuration records, all audit and system logs, and training records.
Expect that technical experts will comb through all records to ensure that they are complete and that you and your staff indeed have practiced due care and diligence in the management of your information systems.
Incomplete or missing records will put you at an extreme disadvantage and in some people’s eyes is the equivalent of a confession of guilt.
Even the very best-managed IT organizations can be hacked. When you can prove through your records that you and your organization did everything you could and should have done to protect your information from hacking and other Cybersecurity incidents, you are best postured to protect yourself against lawsuits.
When you are the subject of a lawsuit in the aftermath of a hacking or Cybersecurity incident, pick your counsel carefully.
Your general counsel may be terrific in advising you on your particular business functions but may be a detriment in a court arguing the merits of Cybersecurity law and culpability.
Just as in selecting specialized PR experts, you will find that hiring a lawyer or firm that specializes in defending corporations in the aftermath of hacking or Cybersecurity incidents is a wise investment.
We recommend that you don’t wait until you are the victim of an incident to scramble around in the heat of battle to find the lawyer or firm you want to represent you when you have been victimized by a hacker. Ask your insurance company if they have any recommendations.
Have your general counsel research who are the most successful defenders in known Cybersecurity cases and consider interviewing candidates to see if they are a suitable match to represent you and your organization.
If you find a good match, consider exploring options to put them on a limited retainer. You will find that legal specialists are invaluable in helping draft your disaster recovery and business continuity plan to safeguard your best interests, employ best practices to minimize risk exposure and ensure that you emerge from a hacking incident with minimal damage.
FOOL ME ONCE…
Again, it is inevitable that you will be hacked, but that does not mean that your organization will be destroyed and you will face personal ruin.
But it does mean that your organization could be destroyed and you could face personal ruin if you do not prepare properly. Hacking and other Cybersecurity incidents will cause financial losses and hassles for your organization, so you need to be prepared.
Executives are responsible to plan for the future, and your future includes the likelihood that a hacker, a hacktivist, an agent of a nation state, a disgruntled employee, or even a careless employee will cause you or your organization to be the victim of a Cybersecurity incident.
It is essential that you have a disaster recovery and business continuity plan that addresses what you and your organization will do in the event you are hacked or suffer some other form of Cybersecurity incident.
We have seen a few organizations who utterly failed in their response to hacking incidents. In some of the most egregious cases, the victim organization was hacked and failed to fix the deficiency that allowed the hacker to enter in the first place.
As a result, the hacker and some of their colleagues continued to exploit the deficiency and expose the organization to continued and intensified risk.
We believe such instances indeed indicate a failure to maintain due care and due diligence. If you are hacked, you should fix the deficiency and prevent the hacker from ever exploiting you using that method ever again and do it promptly and expeditiously.
You will get hacked. Plan on what you will do when it happens. Hackers are criminals who will use the path of least resistance to deface and/or steal your information. You and your organization are under surveillance by hackers right now. They are looking at:
The type and strength of your physical security measures
The type and strength of your network security measures
The composition and configuration of your computers, network devices, and software
You and your people to see whether you practice proper security
Your best defense against hacking is not only to defend against it with a cyber-hardened workforce but also to prepare for what to do when you do get hacked. You can minimize the impact of hacking incidents by doing the following before you are attacked:
Back up your information.
Maintain a current baseline.
Protect yourself with insurance.
Create a “Disaster Recovery and Business Continuity Plan” for hacking and Cybersecurity incidents.
When you are the victim of hacking or other Cybersecurity incidents, working through the following ten-item checklist will best protect your and your organization’s interests.
1. Don’t panic.
2. Make sure you’ve been hacked.
3. Gain control.
4. Reset all passwords.
5. Verify and lock down all your external links.
6. Update and scan.
7. Assess the damage.
8. Make appropriate notifications.
9. Find out why it happened and who did it.
10. Adjust your defenses.
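The preparation list above says to "maintain a current baseline," and checklist steps 2 and 7 ("Make sure you've been hacked" and "Assess the damage") both depend on having one: without a known-good record you cannot tell what an intruder changed. The script below is an added example written for this edition, not code from the original book or its authors. It builds a baseline manifest of file hashes, sizes and permission bits for a directory, seals the manifest with its own hash so a copy kept offline can later be shown to be unaltered, and diffs a fresh snapshot against the baseline. The file names, contents and the simulated intrusion in `demo()` are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Modification times are deliberately left out: an intruder can set them to
    anything, so they are not evidence. Content hashes are.
    """
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def seal_manifest(manifest: dict) -> tuple:
    """Serialize the baseline deterministically and return (bytes, sha256 of bytes).

    Store the bytes somewhere the monitored system cannot write to, and keep the
    seal separately; a baseline the attacker can edit proves nothing.
    """
    data = json.dumps(manifest, sort_keys=True, indent=2).encode()
    return data, hashlib.sha256(data).hexdigest()


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> tuple:
    """Constructed scenario: take a baseline of a small web root, then simulate a
    defacement and a dropped script, and see what the comparison surfaces.
    Returns (diff, baseline_seal_intact)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "app").mkdir()
        (root / "app" / "config.php").write_text("<?php $db = 'prod'; ?>")

        baseline = build_baseline(root)
        sealed_bytes, seal = seal_manifest(baseline)

        # Simulated intrusion (constructed): one page defaced, one new file planted.
        (root / "index.html").write_text("<h1>Hacked</h1>")
        (root / "app" / "cmd.php").write_text("<?php /* planted file */ ?>")

        current = build_baseline(root)
        diff = compare_baseline(baseline, current)
        # Before trusting the baseline, confirm the stored copy still matches its seal.
        intact = hashlib.sha256(sealed_bytes).hexdigest() == seal
        return diff, intact


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Run the baseline build on a clean system immediately after deployment and after every authorized change, and keep the sealed copy off the host. During step 2 of the checklist, a non-empty `added` or `modified` list on paths nobody legitimately touched is your evidence that you really have been hacked; during step 7 the same lists scope the damage.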
There are some key foot stompers you must pay attention to:
The importance of PR.
Inform those affected immediately. Get world-class PR help.
Get senior leadership out in front.
Be prepared to offset impacts on consumers.
Keep those affected regularly updated and informed.
Working with law enforcement:
Hacking is criminal activity and should not be tolerated. Whenever you are the victim of a hacking incident, you should notify law enforcement officials and press charges so that the perpetrators can be apprehended and held accountable.
Many insurance companies offer Cybersecurity policies that can protect you in the event you are hacked or suffer other Cybersecurity incidents.
Consider investing in Cybersecurity insurance.
Not all general liability insurance policies cover hacking and other Cybersecurity breaches.
Make sure that you conduct a thorough review of your insurance policies to make sure you are adequately covered against hacking and other Cybersecurity incidents.
Legal issues to keep an eye on:
You will get hacked and you will get sued.
Carefully preserve all records, especially logs, for the legal discovery phase of lawsuits, and preserve them in a form whose integrity you can demonstrate (write-once copies with recorded hashes and a record of who handled them), since logs that may have been altered or are incomplete are of little value in discovery.
Not all lawyers are adept at Cybersecurity issues. Identify which lawyer is best prepared to defend you in the event that you are sued and consider putting them on retainer.
Never allow yourself to be victimized by the same vulnerability more than once after it has been detected.