
You’ve been hacked: now what?

This is the third article in a three-part series on cybersecurity for law firms and small businesses. In the previous articles, “Cybersecurity and Data Loss: You are a Target” and “Data Breach and Ransomware: Reduce your Risk”, I outlined the increase in overall threat levels to small and mid-size businesses, and described some simple user-level security controls to help mitigate ransomware.

While those controls are effective, the sad truth is that you may still become a victim of cybercrime. According to the 2018 Verizon Data Breach Investigations Report, 58 per cent of cyberattack victims were small businesses. A cybercrime incident can be one of the most dynamic and challenging technology issues a small business or law firm will face.

The difficult realization for many, as discussed in the two articles above, is that the ideal time to prepare for incident response is before an incident happens. A security crisis is not the time to draft your response plan. Here, I examine and discuss what to do if, despite your best planning, an event still occurs.

There are three distinct phases in reacting to a cybercrime event: identification, response and recovery.

Identification: containing the incident

The first question for any law firm or small business is, “How do you know you had an incident?”

During the preparation phase, you will have implemented employee security awareness strategies; all your staff should now have a basic understanding of common attacks and what they might look like. Some common indicators include:

  • You opened an email attachment or clicked on a link and now your computer acts strangely or won’t respond.
  • Your antivirus software becomes disabled.
  • Strange things are happening onscreen, such as popups, new toolbars, etc.
  • Your browser shows unexpected activity, site redirections, etc.
  • Someone used one of your credit card accounts without your knowledge or permission.
  • You start receiving strange email messages, particularly with attachments, or friends and clients tell you they received a strange email from you.
  • New programs suddenly appear on your computer.
  • Your regular passwords don’t work.

After receiving reports of this type of activity, you can be relatively certain something bad is happening. How do you respond?

Response: mitigating the damage

Response and containment are difficult and time-sensitive; if you do not act quickly, everything could be compromised. Your specific response will depend on your system and whether you have in-house IT staff, a managed service provider (MSP), or third-party assistance through your cyber-insurance provider.

Your local IT staff or MSP may be able to carry out immediate technical response actions to identify the scope and limit the spread of the incident. Alternatively, your cyber-insurance may cover the engagement of external experts to respond and manage the entire incident, including recovery and restoration of services.

Regardless of the resources used, the key to the response phase is having a plan already in place to allow you to identify the available resources and have everyone understand their responsibilities immediately.

Core incident response (IR) actions include:

  • Communicate and implement your IR plan to quickly minimize the impact.
  • Reduce damage by disconnecting affected assets from your network.
  • Assess the scope and damage; identify and prioritize the systems and processes that may have been exposed.
  • Collect the system configuration, network and intrusion detection logs.
  • Identify the likely attack method and path of attack (e.g., malware through an email attachment).
  • Update your protection: firewall, email and gateway filters, intrusion detection and prevention, antivirus and SIEM signatures or rules.
  • Re-scan your systems and network for indicators of compromise (IOCs).
  • Document all steps that were taken during the incident. These may be important for second-level responders, law enforcement or insurance purposes. It also demonstrates your level of due diligence in managing the event.
  • Notify appropriate internal parties, third-party vendors and authorities as required.
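The “collect the logs”, “re-scan for indicators of compromise” and “document all steps” actions above can be wired together in a few dozen lines. The following Python script is an added example for this article, not code from the original piece or from Baker Tilly; the IOC values, the `host=` log format, the sample log lines and the responder name `it-oncall` are all constructed for illustration (the domains use the reserved `.invalid` suffix, the IP address is from a documentation range and the hash is a placeholder).

```python
"""Added example (not from the original article): sweep collected log lines
for known indicators of compromise (IOCs), work out which hosts are affected,
and keep a timestamped record of the response steps taken.

All IOC values and log lines below are constructed for illustration; the
domains use the reserved .invalid TLD, the IP is from a documentation range,
and the hash is a placeholder, not a real malware sample."""
import re
from datetime import datetime, timezone

PLACEHOLDER_HASH = "aa" * 32  # stands in for a SHA-256 supplied by your MSP/insurer

# Constructed IOC list, keyed by type so each hit reports its category.
IOCS = {
    "domain": {"update-check.example.invalid", "cdn-assets.example.invalid"},
    "ip": {"203.0.113.45"},           # TEST-NET-3 (RFC 5737) documentation range
    "sha256": {PLACEHOLDER_HASH},
}

# Patterns that pull candidate values out of free-text log lines.
_PATTERNS = {
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}
_HOST = re.compile(r"\bhost=(\S+)")

# Constructed sample log lines from a proxy, an endpoint agent and a firewall.
SAMPLE_LOGS = [
    "2019-10-21T09:02:11Z proxy host=WS-07 user=jdoe GET http://update-check.example.invalid/p.php 200",
    "2019-10-21T09:02:13Z proxy host=WS-07 user=jdoe GET https://www.example.com/ 200",
    "2019-10-21T09:05:40Z endpoint host=WS-07 new_process=C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv0ice.exe "
    f"sha256={PLACEHOLDER_HASH}",
    "2019-10-21T09:06:02Z firewall host=WS-12 dst=203.0.113.45:443 action=allow",
    "2019-10-21T09:07:15Z firewall host=WS-03 dst=198.51.100.8:443 action=allow",
]


def scan_logs(lines, iocs=IOCS):
    """Return (line_no, ioc_type, value, line) for every IOC match in lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ioc_type, pattern in _PATTERNS.items():
            for value in pattern.findall(line):
                if value.lower() in iocs.get(ioc_type, set()):
                    hits.append((line_no, ioc_type, value.lower(), line))
    return hits


def affected_hosts(hits):
    """Set of host names appearing in the matched log lines."""
    hosts = set()
    for _, _, _, line in hits:
        m = _HOST.search(line)
        if m:
            hosts.add(m.group(1))
    return hosts


class IncidentLog:
    """Append-only, timestamped record of who did what during the response.
    Every entry is kept, so the log doubles as the due-diligence evidence
    the article asks you to preserve for insurers or law enforcement."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {"time": when.isoformat(), "actor": actor, "action": action}
        self.entries.append(entry)
        return entry


def run_triage(lines, responder="it-oncall", iocs=IOCS):
    """Sweep the logs, then record the sweep and each host flagged for
    isolation. Recording is all this does: pulling the network cable or
    quarantining the host is a separate, human-confirmed step."""
    log = IncidentLog()
    hits = scan_logs(lines, iocs)
    log.record(responder, f"IOC sweep over {len(lines)} log lines: {len(hits)} hit(s)")
    for host in sorted(affected_hosts(hits)):
        log.record(responder, f"flagged {host} for network isolation and imaging")
    return log


if __name__ == "__main__":
    for line_no, ioc_type, value, _ in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} IOC {value}")
    for entry in run_triage(SAMPLE_LOGS).entries:
        print(entry["time"], entry["actor"], entry["action"])
```

Run against the constructed logs, the sweep flags WS-07 (the malicious domain and the placeholder hash) and WS-12 (the listed IP), leaves WS-03 alone, and the incident log ends up with one entry for the sweep and one per flagged host. The same structure scales to exported proxy, endpoint and firewall logs; the IOC list is what your MSP, insurer or threat-intel source hands you.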

Recovery

The core focus of the recovery stage is to keep the company in operation and move toward a return to normal business operations. Key points to consider include:

  • Identify the essential systems, applications and data required for operations.
  • Restore essential systems and applications to the last-known good status.
  • Use backup data to restore to the last-known clean restore point.
  • Update systems, virus scan and patch configurations to prevent reinfection.
  • There may be a gap between the data restore point and current data, so be prepared to manually update recovered systems with transactions conducted offline during the cyber event.
  • Create a new updated and clean backup from restored assets.
  • Ensure all backups of critical assets are stored in a physically and environmentally secured location. Keep a read-only copy, as ransomware loves backups.
  • Increase your scanning and monitoring for unusual behavior.
  • Be prepared for another attack. Remember, the attacker was in your systems: there may be backdoors. Why wouldn’t an attacker try again?
  • Document all actions; these will support your cyber insurance claims and root cause analysis, and will demonstrate due diligence in your response.
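Restoring to the “last-known clean restore point” only helps if you can tell that what came back is actually the clean copy and not a partially encrypted or incomplete set. This Python script, an added example rather than anything from the original article or Baker Tilly, records a SHA-256 manifest for a clean backup and checks a restore against it. The file names and contents are constructed in memory for illustration; on a real system the same hashing is applied to the files on disk and the manifest is stored next to the read-only backup copy.

```python
"""Added example (not from the original article): record a content manifest
for a clean backup and verify a restore against it, so a tampered or
incomplete restore point is caught before it goes back into service.
File names and contents below are constructed; on a real system the same
hashing applies to files on disk."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, label: str) -> dict:
    """files maps relative path -> bytes. Returns a JSON-serialisable manifest
    that should be written alongside the read-only backup copy."""
    return {
        "label": label,
        "created": datetime.now(timezone.utc).isoformat(),
        "files": {path: sha256_hex(data) for path, data in sorted(files.items())},
    }


def verify_restore(manifest: dict, restored: dict) -> list:
    """Compare a restored file set against the manifest.
    Returns sorted (path, problem) tuples; an empty list means the restore
    matches the clean backup exactly."""
    problems = []
    expected = manifest["files"]
    for path, digest in expected.items():
        if path not in restored:
            problems.append((path, "missing"))
        elif sha256_hex(restored[path]) != digest:
            problems.append((path, "modified"))
    for path in restored:
        if path not in expected:
            problems.append((path, "unexpected"))
    return sorted(problems)


def manifest_json(manifest: dict) -> str:
    """Serialise the manifest for storage."""
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed sample data: the clean backup taken before the incident ...
CLEAN_BACKUP = {
    "clients/matter-1042/retainer.docx": b"retainer agreement v3",
    "clients/matter-1042/notes.txt": b"call summary 2019-10-15",
    "accounting/ledger.csv": b"date,amount\n2019-10-15,1200.00\n",
}

# ... and a restore that must not be trusted: one file altered (as a file
# encrypted by ransomware would be), one missing, and a stray file added.
SUSPECT_RESTORE = {
    "clients/matter-1042/retainer.docx": b"\x00\x1fENCRYPTED\x00",
    "accounting/ledger.csv": CLEAN_BACKUP["accounting/ledger.csv"],
    "accounting/ledger.csv.locked": b"ransom note",
}

if __name__ == "__main__":
    manifest = build_manifest(CLEAN_BACKUP, "pre-incident-weekly")
    print(manifest_json(manifest))
    print("clean restore problems:", verify_restore(manifest, CLEAN_BACKUP))
    print("suspect restore problems:", verify_restore(manifest, SUSPECT_RESTORE))
```

A clean restore verifies with no problems; the suspect one reports the altered retainer, the missing notes file and the unexpected `.locked` file, which is exactly the point at which you reach for an older restore point rather than bring the system back up. Creating a fresh manifest for the new, clean backup you take after recovery (the “create a new updated and clean backup” step) gives you the same check next time.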

There is an old saying that applies well to incident response preparation: “Any plan is better than no plan.” It may not be awe-inspiring, but it illustrates two key points:

  1. Incident response can be dynamic, confusing, technically challenging and time consuming, so the time to figure out what to do is before an incident, not during.
  2. Will your plan be perfect for all incidents? Probably not. But it will be better than no plan. At the very least, you will have a framework to build upon.

By considering the actions outlined above, you can at least start the discussion of how to respond to an incident and begin gathering the resources you need to be effective. Even a basic plan will help you respond quicker, contain the damage sooner, and reduce the time and cost of recovery.

For a comprehensive evaluation of your security and a network security solution set tailored to your environment, talk to us at Baker Tilly, your partners in cyber-risk management.

Meet the Author

Blair Brown
Courtice, Ontario

Information is current to October 28, 2019. The information contained in this release is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
