How Would a Cyberattack Affect your Business?

After reading our first two blog posts, you should have a better understanding of the main players behind cyberattacks and how some of them operate. Now you have a new question to answer: “Is my company ready to deal with a cyberattack?”

Instead of listing everything you need to think of before, during, and after an incident, we’ve prepared a scenario for you. How would your company react? (Note: this scenario has been simplified to make it easier to read.)

A Friday like no other

It’s Friday at 4:45. The week is almost over and a company’s 150 employees are getting ready to enjoy a well-deserved break. Mark, the financial controller, is still at his desk. He notices that some file names have changed and that he can’t see their contents anymore. Instinct tells him he needs to let William, his contact in the IT department, know. William has already logged off, but luckily Mark knows his personal cell number.

William isn’t a cybersecurity expert, but he quickly realizes the company’s been hit by ransomware. He continues to talk to Mark on the phone while he logs into the antivirus software console and sees that the system has found “anomalies” at three workstations, including Mark’s. The workstations belonging to Anne, the president, and John, the sales director, may also have been infected.

Mark mentions that his computer has been running slowly ever since he downloaded an email attachment earlier that afternoon. The file wouldn’t even open. William quickly recognizes that the email was probably the source of the attack.

Questions to ask

  • Do your employees know who to contact when they see a potential issue, even on evenings and weekends?
  • Do you have a malware detection solution on every computer and server in your company?
  • Is someone monitoring this solution at all times, or will you discover the damage on Monday morning?

The call for help

William quickly realizes he doesn’t have the expertise to respond to the attack. His anxiety soars as he realizes that only three employees are known to have downloaded the infected file so far, but it’s very likely that several others have received the same email and will download it as well.

It’s only a matter of time before the infection spirals out of control. William decides to reach out to a former colleague, Leah, who specializes in cybersecurity.

Here are her recommendations:

  1. Cut the infected workstations off from the Internet and the local network. This prevents cross-contamination while stopping third parties from sending commands or moving the data elsewhere.
  2. Delete the malicious email from all the company’s inboxes. This prevents new people from downloading the malware.
  3. Revoke Mark, Anne, and John’s access to the company’s systems, like the accounting system and cloud network. Revoking access limits attackers’ ability to access the company’s systems.
  4. Examine the logs on the company’s main systems and verify if Mark, Anne, or John’s computers have taken any illegitimate actions. Were any files read and potentially sent elsewhere?

Questions to ask

  • Do you have round-the-clock access to cybersecurity experts who can help you if there’s an attack?
  • Can you quickly isolate workstations or servers from your network and the Internet, even when people are working from home?
  • Do you know what your employees have access to, and can you quickly revoke that access to limit contamination and understand the potential extent of the damage?
  • Do you have quick access to key system logs to see which systems might have been infected?

Damage assessment

Fortunately, William was able to do what Leah recommended. The company had the right tools, they were well configured, and William had the expertise and enough permissions on those tools to quickly contain the threat.

Leah now recommends that William assess the damage. The logs for the key systems show that they were not likely accessed illegitimately. Next, he needs to examine the files on the infected workstations. Here’s what Leah tells him to do:

  1. Talk to the victims to determine whether their computers had any files containing sensitive information.
  2. Check whether the computers have established connections to unknown and/or suspicious external destinations (servers).
  3. Talk to the victims to figure out if they had access to IT systems other than the ones they’ve been locked out of, then isolate those as well.
  4. Get a snapshot of the malware on Mark’s computer and analyze it. If the malware is known to the cybersecurity community, you can often gain additional information to help fully eradicate the hostile and malicious guest.
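Two of Leah's steps, checking the key systems' logs for illegitimate actions by the victims' accounts and checking whether the infected workstations reached unknown external destinations, come down to a log triage. The script below is an added example written for this post, not code from the original or from any product; it runs on constructed sample logs in a made-up whitespace-separated format, with assumed internal network ranges, an assumed list of sanctioned destinations, and an assumed infection start time (the afternoon Mark opened the attachment). It flags connections from the three compromised workstations to external addresses that are not already known, totals the bytes sent to each (large outbound volumes are what a defender looks at first when asking "were files sent elsewhere?"), and lists everything the compromised user accounts did on the accounting system after the suspected infection time.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data in a hypothetical log format (not from any real product).
# Egress log fields: time host dst_ip dst_port bytes_out
SAMPLE_EGRESS_LOG = """\
2024-03-15T15:02:11 WS-MARK 203.0.113.9 443 18244
2024-03-15T15:02:40 WS-MARK 10.0.0.5 445 1200
2024-03-15T15:10:03 WS-ANNE 198.51.100.77 8443 2400192
2024-03-15T15:11:52 WS-JOHN 203.0.113.9 443 940
2024-03-15T15:12:30 WS-LISA 203.0.113.9 443 512
2024-03-15T15:14:01 WS-JOHN 192.0.2.200 4444 8
"""

# Accounting-system access log fields: time user action path
SAMPLE_ACCESS_LOG = """\
2024-03-15T09:12:00 mark READ /finance/q1-forecast.xlsx
2024-03-15T15:05:44 mark READ /finance/payroll-2024.xlsx
2024-03-15T15:06:10 mark READ /finance/supplier-bank-details.csv
2024-03-15T15:20:02 anne LOGIN -
2024-03-15T16:01:33 lisa READ /sales/pipeline.xlsx
"""

# Assumptions for the scenario: the company's own address ranges, one sanctioned
# external provider, the three workstations/accounts named in the story, and the
# time from which activity is treated as suspect (Mark opened the attachment that afternoon).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_DESTINATIONS = {"203.0.113.9"}
COMPROMISED_HOSTS = {"WS-MARK", "WS-ANNE", "WS-JOHN"}
COMPROMISED_USERS = {"mark", "anne", "john"}
SUSPECTED_INFECTION_START = "2024-03-15T14:30:00"


def parse_log(text, fields):
    """Split whitespace-separated log lines into dicts keyed by `fields`."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(None, len(fields) - 1)
        records.append(dict(zip(fields, values)))
    return records


def is_external(ip):
    """Anything outside the company's own ranges counts as external."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def triage_connections(records, compromised_hosts, known_destinations):
    """Connections from compromised hosts to external destinations not on the known list."""
    findings = defaultdict(list)
    for r in records:
        if r["host"] not in compromised_hosts:
            continue
        if not is_external(r["dst"]) or r["dst"] in known_destinations:
            continue
        findings[r["host"]].append((r["time"], r["dst"], int(r["port"]), int(r["bytes"])))
    return dict(findings)


def bytes_out_by_host(findings):
    """Total bytes sent to unknown destinations per host: the first exfiltration indicator."""
    return {host: sum(conn[3] for conn in conns) for host, conns in findings.items()}


def suspicious_file_activity(records, compromised_users, window_start):
    """Everything the compromised accounts did on the key system after the infection started.

    ISO-8601 timestamps compare correctly as strings, so no date parsing is needed."""
    return [(r["time"], r["user"], r["action"], r["path"])
            for r in records
            if r["user"] in compromised_users and r["time"] >= window_start]


if __name__ == "__main__":
    egress = parse_log(SAMPLE_EGRESS_LOG, ["time", "host", "dst", "port", "bytes"])
    found = triage_connections(egress, COMPROMISED_HOSTS, KNOWN_DESTINATIONS)
    for host, conns in found.items():
        print(host, "->", conns)
    print("bytes out to unknown destinations:", bytes_out_by_host(found))
    access = parse_log(SAMPLE_ACCESS_LOG, ["time", "user", "action", "path"])
    for entry in suspicious_file_activity(access, COMPROMISED_USERS, SUSPECTED_INFECTION_START):
        print("review:", entry)
```

On the sample data, Mark's workstation talked only to the internal file server and the sanctioned provider, so it produces no finding, while Anne's workstation sent about 2.4 MB to an unknown address and John's made a small connection to an unknown host on an unusual port; both are what Leah's step 2 is meant to surface. Mark's account read two sensitive finance files after the infection window, which is exactly the "were any files read and potentially sent elsewhere?" question from the containment list. The design choice worth noting is that "external" is defined from the company's own known ranges rather than guessed from the address, because a defender can only apply a known list if the organisation maintains one, which is the point of the "do you know what your employees have access to" questions.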

Questions to ask

  • Do you have an escalation process that lets you quickly reach potential victims if a cyberattack occurs?
  • Do you know where sensitive information (like information about your employees, your suppliers, your customers, or your intellectual property) is stored? If this information is copied to multiple locations, it can be hard to prove that it hasn’t been stolen.
  • Do you have an up-to-date record of systems that an employee can access? When an employee’s workstation or digital identity is compromised, it’s much easier to determine the impact of the incident if you know what information the hackers may have accessed.
  • Do you have the in-house expertise to harvest malware from a workstation and identify its nature?

Cleanup

With Leah’s help, William is able to identify the offending malware. Eradication was simple and quick. In addition, there was no sensitive data stored on the infected computers. The usual precautions were followed and the victims’ workstations were restored. The story ended well—so well, you’d almost think it was made up. This isn’t usually the case; the response to an attack is often more chaotic and the damage is more severe.

It’s important to ask yourself a few more questions:

  • Do we have up-to-date and functional security backups?
  • If so, are we able to use them?
  • What sensitive information could fall into the hands of criminals?
  • Do we need to notify our employees, our customers, our partners, our insurance company?
  • Should we report the incident to the authorities? What should the report contain?

Being ready for a cyberattack is about more than just “passing” a cybersecurity audit with flying colours. You need to be able to react quickly and make the right decisions. Otherwise, the consequences could be disastrous.