You’re in bed, fast asleep. Then your cell phone starts ringing. You ignore it until it stops, but seconds later it starts ringing again. After rubbing the sleep out of your eyes and checking the time (3am, seriously, who makes phone calls anymore, and at this hour?!) you see it’s your head IT person calling. You answer and hear them nervously utter words that make your heart sink into your stomach: “You’d better get into the office as soon as you can. We’ve been compromised.”
This could never happen to you, right? Wrong: According to a report by Cisco, 50% of organizations encountered ransomware-related activity in 2021. Are you an MSP or other tech services provider? In July 2021 Kaseya announced that one of their toolsets had been compromised through a ransomware threat and over 50 customers were directly impacted. Thirty of these were MSPs, which led to disruptions of over 1,500 of their business customers.
Is your business next? A more important question is, what will you do to save your business and to reduce as much impact as possible for your customers if you are hit? DISCLAIMER TIME! This blog is NOT legal advice and is intended for illustrative and inspirational purposes only. Now with that out of the way, here are five critical items that could help your business after a cyberattack.
5 Critical Items to Help Your Business After a Cyberattack
Contact your carrier FIRST
Don’t call your friends or partners. Call your carrier/insurance provider. They will get the ball rolling in your favor and help to prevent unintended fallout and mistakes. They have independent forensic investigators who specialize in what just happened to your company, as well as suggestions for lawyers they trust to help you, too.
Don’t contact the media
Trust me, the media will get involved without your help, hopefully at a time when you’ve been able to gather more facts and gain an understanding of the scope of what you are dealing with. You want to control the messaging as much as possible and not let bad reporting seed the market with sensationalized reporting.
Understand the state-by-state reporting requirements
Unfortunately, there are no federal guidelines here and each state has their own reporting requirements after a cyber incident. Make sure you understand these requirements for every state in which you serve customers who may have been affected. You can access the NCSL (National Conference of State Legislatures) list HERE to help you get started. Do you have customers in other countries? You’ll need to work with your carrier and legal advisor to ensure you meet notification standards here, too.
Start mining forensic data ASAP
The more data you can get your arms around as early as early as possible is key. The kind of information you and your team will be mining should include customer information that impacts “Natural Persons”. If you first contacted your carrier, they should have provided the help you need to gather the information you need to best serve you and your customers.
Be careful with your words
Until you know what happened you shouldn’t be guessing, especially in any correspondence or communication with your customers. Hot words like “hacked,” “ransomware,” or “breached” may need to be used at some point, but these decisions MUST be made with the aid and guidance of your carrier and legal counsel if you want to minimize costly mistakes.
How to Prepare for a Cyberattack Before it Happens
Remember that stat shared earlier—50% of organizations encountered ransomware-related activity in 2021. You don’t to wait to start preparing in case you’re next. Here is one thing you can start right away:
Develop an IRP (Incident Response Plan)
Having an Incident Response Plan will be critical, so there is no time like the present to build one. This plan should include critical details like roles and responsibilities of key team members, contact information for your carrier and legal counsel, as well as other items you’ll need to have ready to best survive and respond to an attack.
Your plan should be updated often to account for changes (Did you lose a team member, which means training a new person for a specific response role?) Remember, practice makes perfect, so do some table-top testing with mock scenarios to improve muscle memory for when it matters most. Pro tip: Encrypt the digital copies of this plan and print physical copies in case you are locked out of all your systems!
Feeling inspired but still feel like you need some help to better respond to a cybersecurity incident? Check out the Forrester Wave 
Cybersecurity Incident Response Services guide to find a partner that can help you hit the pavement running. For more on protecting your business, tune in to my interview with security expert Matt Lee on Tigerpaw Radio.