Hacked? Here’s What to Know (& What to Do Next)

Virtual ArmourBusiness, Cybersecurity, Risk Mitigation & Prevention

What to Do When You Get Hacked

Whether criminals are posting inappropriate or illegal content on your company website, sensitive data, and emails have been accessed by unauthorized users, or your data is being held hostage by ransomware, being hacked is every organization’s worst nightmare.

Though there’s nothing you can do to ensure a breach never happens, there are a lot of things you can do to minimize the likelihood of a breach occurring and, if one does happen, a lot you can do to contain and mitigate the damage and disruption associated with the incident. 

Contact Your MSSP

A good Managed Security Services Provider (MSSP) will help you respond quickly to a breach once you let them know a cybersecurity incident has occurred. A great MSSP will have been monitoring your systems closely and already know a breach has occurred, possibly even before you do. 

If, for some reason, your MSSP doesn’t already know about the breach, the first thing you should do is contact them for advice. Your MSSP will assess the situation and offer expert advice and support to help you repair the breach, minimize damage, alert users and relevant authorities, and assess the situation afterward so you can strengthen your cybersecurity defenses. 

Learn More: What is a Managed Security Services Provider?

What to Do When You Get Hacked

Find Out How the Incident Occurred

Before you can respond effectively to the incident, you need to know exactly what happened. Was software not kept up to date? Did an employee click on a suspicious link in a phishing email? Was a company laptop left unattended and stolen? Was your organization targeted with ransomware?

Once you know exactly what happened and what systems and files were accessed, you can work quickly to address the incident, thoroughly assess the damage, and take the necessary next steps.

Implement Your Incident Response Protocols

If you don’t already have incident response protocols in place, you should start crafting some right away. Each protocol is a plan that allows you to respond effectively to a specific threat or incident, sort of like safety plans for cybersecurity. Just like a fire safety plan outlines, in detail, what everyone in the building should do if there is a fire, a well-crafted incident response protocol should outline who should do what in the event of a cybersecurity incident.

However, having an incident response protocol is only useful if everyone involved knows exactly what their role is and how to carry out their duties effectively. To help everyone get familiar with the plan, you should have all critical personnel work through tabletop scenarios regularly.

Tabletop scenarios are like fire drills: they pose a hypothetical scenario and let your employees work through and refine their response in a no-stakes environment. When the scenario is complete, your team then sits down, preferably with someone from your MSSP, to review your response, look for weaknesses, and further strengthen your current protocols.

Though scheduling a tabletop scenario now won’t help with the current situation if you have already experienced a breach or other cybersecurity incident, you should begin drafting robust incident response protocols and conducting tabletop scenarios as soon as the current situation is resolved.

What to Do When You Get Hacked

If Necessary, Go Into Lockdown Mode

Depending on the nature of the incident, you may need to go into lockdown mode. If a company laptop has been infected with malware, that device needs to be isolated from the main network to avoid spreading the virus. If a particular area of the network has been compromised, that section should also be isolated from the larger network to prevent cybercriminals from accessing other systems.

One way to prevent cybercriminals from easily accessing multiple systems if they can hack into your system is to follow the zero trust architecture model. Zero trust makes lateral moves within the system more difficult by automatically assuming every user is unauthorized, even if they have already verified their identity and limits access to each area to employees who truly need it to perform their duties. 

If your firewall and other perimeter defenses are the security guard at the front desk, zero trust architecture acts more like the RFID badges your employees wear as they move about the building. Once someone has moved beyond the security guard at the front desk, they still need to verify their identity before they can access restricted or sensitive areas, typically by swiping their keycard to unlock doors. This extra layer of security ensures that even if a cybercriminal gets past your firewall and other perimeter defenses (sneaks past the security guard), their access is limited to non-critical systems where they aren’t able to cause as much damage before they are discovered by security and removed.

Inform Your Users & the Relevant Authorities

Once you have contained the breach, isolated any infected systems or devices, and begun to repair the damage done by the cybercriminal, you need to inform your users or customers as well as the relevant authorities. 

For example, GDPR (which applies to all organizations and companies whose customers include EU citizens) requires breaches are disclosed within 72 hours of their discovery, and US law requires that organizations notify affected individuals if their personally identifiable data may have been compromised

Depending on which states you conduct business in, your organization will likely also be subject to other reporting laws. If you are unsure what is required of you in the event of a cybersecurity incident under state laws, your MSSP can help you review the relevant state laws and ensure that you comply with them fully.

Review What Happened & Improve Your Cybersecurity Protocols

Once the cybersecurity incident has been resolved, it is time to review your current protocols, identify which weaknesses were exploited, and craft flexible yet robust protocols to strengthen your cybersecurity posture.

This task may sound daunting, but that is where your MSSP comes in. Not everyone is a cybersecurity expert, and that is alright. Your MSSP’s job is not just to monitor your systems and help you respond to breaches. They are also there to provide expert advice and suggestions and help you avoid or minimize the impact of cybersecurity incidents going forward. 

Practice What You’ve Learned

Once your current cybersecurity protocols have been strengthened or updated, it’s vital that your employees understand what has changed, why those changes were made, and how they should respond to various cybersecurity incidents moving forward. Make sure any changes or updates are clearly communicated to all employees and relevant outside contractors, and that all concerned parties are given the chance to ask questions and seek clarification if necessary.

Once everyone has been brought up to speed, you should contact both a tabletop scenario and, if relevant, a pen (penetration test). A pen test involves hiring an ethical hacker to stress test your current cybersecurity protocols and try to access sensitive data. Once the test is done, the hacker then sits down with your organization and details what systems they were able to gain access to and how they managed to get past your defenses. They can also then provide you with suggestions for strengthening your cybersecurity posture. 

A cybersecurity incident may be every organization’s worst nightmare, and when they happen, the consequences can be devastating. Having a great MSSP can help you recover quickly and effectively from a cybersecurity incident and strengthen your defenses to avoid future incidents. With 24/7/365 monitoring and a 15 minute guaranteed response time, VirtualArmour can help you craft robust yet flexible cybersecurity protocols so you can better safeguard your organization’s digital assets.