Successful cyber attacks on corporate IT are almost part of everyday life today. The best tips on how those affected can best prepare for an emergency.
Cyber attack checklist: First steps in an emergency
How does a company manage to react quickly when it becomes the victim of an attack? In order not to be caught cold if the worst comes to the worst, such an emergency should be practised at least once a year, according to the beyond participants. This is the only way to ensure that the first and most important steps are really in place and can be taken quickly:
Back up log files: At first glance, the advice to immediately back up the log files may seem somewhat strange. However, it is precisely this data that is absolutely necessary from the point of view of IT forensics to preserve evidence of the IT incident that can be used in court. In addition, the attackers' actions can be clarified later within the framework of a methodical data analysis.
Centralise crisis, emergency management team: Furthermore, the crisis should be made a cross-company, central issue so that all those involved pull together. It also serves the speed of response if a previously defined crisis management team can intervene quickly. This team takes charge of the further course of action.
Ensure communication: Ensuring one's own communication capability in an emergency - both technically and organisationally - is an essential requirement. From a technical point of view, this is necessary because especially in times of Voice over IP, telephony is also at risk of failure, as it is part of the IT infrastructure. This is why it has proven useful in practice to define alternative communication channels in advance. In some companies, for example, the Signal Messenger is used for this purpose. Organisationally, the communications department should inform and reassure its own employees in order to avoid panic (fear for jobs, etc.) and prevent rumours and wild speculation. Likewise, it is advisable to proactively inform the outside world, because experience has shown that such cyber attacks almost always come to light. Those who retain control over communication have a good chance of averting greater damage to the company's reputation. And last, but not least, the C-level board must be informed every half hour about the current status so that it can make decisions quickly if necessary - for example, about the payment of a ransom in the case of a ransomware attack.
Bring in external advisors: How do you negotiate with a blackmailer? What legal questions arise from the highly complex crisis situation? Hardly any company will have the necessary know-how in-house. Therefore, external advisors should be called in who have the appropriate specialised knowledge.
Observe reporting obligations: Which notification deadlines apply to your own company according to the GDPR? Are there even KRITIS regulations to be complied with? In the event of violations, there is the threat of severe fines here, which are unnecessary and only increase the financial damage. Therefore, one should not only inform oneself in advance about deadlines and obligations, but also find out about the possible or necessary reporting channels.
Analysis of the status quo: After these preparatory steps, it is important to systematically get a picture of the extent of the damage. Which systems are still functioning? What data is affected? What are the effects on the business? Is the company's own ability to deliver threatened, do customers have to be informed? How long will it take to remedy the disruption? Is emergency operation possible in order to be able to produce at least in part?
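The "Back up log files" step above is about preserving evidence in a way that survives scrutiny: the copies must be shown to be identical to what was collected. The following Python script is an added example, not part of the original article; it copies the logs into an evidence directory, records a SHA-256 hash and collection timestamp for each file in a manifest, and can later re-verify the copies against that manifest. The log lines and paths it uses are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir: Path) -> dict:
    """Copy each source log into evidence_dir and write a manifest with hashes."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        src = Path(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original mtime, useful for the timeline
        entries.append({
            "name": src.name,
            "source": str(src),
            "size": dst.stat().st_size,
            "sha256": sha256_file(dst),
        })
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Recompute hashes and return the names of files that no longer match the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    mismatched = []
    for entry in manifest["files"]:
        p = evidence_dir / entry["name"]
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            mismatched.append(entry["name"])
    return mismatched


def demo() -> tuple:
    """Constructed sample logs; returns (mismatches right after collection, mismatches after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        logs = tmp / "var_log"
        logs.mkdir()
        # constructed log content, not from a real system
        (logs / "auth.log").write_text(
            "Mar 3 02:14:07 host sshd[1201]: Accepted password for svc_backup from 10.0.5.23\n")
        (logs / "proxy.log").write_text(
            "2024-03-03T02:15:40Z 10.0.5.23 CONNECT 203.0.113.7:443\n")
        evidence = tmp / "evidence"
        preserve_logs([logs / "auth.log", logs / "proxy.log"], evidence)
        clean = verify_evidence(evidence)
        # simulate a later alteration of the preserved copy
        with open(evidence / "auth.log", "a") as f:
            f.write("tampered\n")
        return clean, verify_evidence(evidence)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored separately from the evidence copies (for example signed or written to write-once media), so that an attacker who still has access to the collection host cannot adjust both the copy and its recorded hash.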
Respond to cyber attacks: Make preparations
In order for these steps to be carried out really successfully in an emergency, it is not enough to just practise. As many of the steps as possible should already be prepared in normal times so that they can proceed as if according to a script. Similar to the emergency checklists of an aircraft, a detailed manual with emergency plans for various crisis scenarios helps here.
It is downright counterproductive if the members of the emergency team are only appointed in the event of a crisis. This only costs valuable time. Hierarchical aspects should play a subordinate role in the selection of team members; the important thing here is to have the right know-how at the table. In the team itself, roles for different damage scenarios must be defined. In addition, a clear chain of command is necessary, because nothing confuses more in extreme situations than contradictory instructions. This also includes defining the responsibilities and decision-making powers of the emergency team.
Preparing communication is also part of the preliminary work. In the event of a crisis, there is no time for lengthy coordination and approval loops in which the appropriate wording is haggled over. To enable Corporate Communications to act quickly, ready-made templates for communication have proven their worth.
Since practice is often neglected in the day-to-day running of a company, emergency tests should be a fixed criterion for the acceptance of IT projects. The beyond participants recommend taking out cyber risk insurance so that external experts do not have to be sought for a long time if the worst comes to the worst. This is advisable for two reasons: on the one hand, the insurance companies usually offer emergency support with appropriate specialists and consultants, and on the other hand, they cushion the financial damage, which can be considerable - even if many ransomware extortionists are willing to negotiate.
After the cyber attack: The importance of backups
As much as cyber risk insurance helps in an emergency, it does not help in one respect: it does not bring back data. Therefore, special attention should be paid to the topic of backup and recovery. An annual backup/restore test should be standard. And test procedures must be defined to ensure the consistency of the backups and to find out whether malicious code is already present in the backup.
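A restore test is only meaningful if it checks what came back. The Python script below is an added example, not code from the original article: it records a hash manifest of the live data, writes a tar.gz backup, restores it into a scratch directory and reports files that are missing, files whose content differs from the manifest, and files whose hash is on a blocklist of known-bad samples. The data set, the "corruption" and the known-bad hash are all constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(source_dir: Path) -> dict:
    """Manifest {relative posix path: sha256} of every file under source_dir."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def create_archive(source_dir: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(source_dir).as_posix())


def restore_test(archive: Path, manifest: dict, known_bad_hashes: set) -> dict:
    """Restore into a scratch dir and check every manifest entry."""
    report = {"verified": 0, "missing": [], "corrupt": [], "flagged": []}
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # refuse absolute paths and traversal before extracting anything
            for m in tar.getmembers():
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe member name in archive: {m.name}")
            tar.extractall(scratch)
        for rel, expected in manifest.items():
            p = scratch / rel
            if not p.is_file():
                report["missing"].append(rel)
                continue
            actual = sha256_file(p)
            if actual in known_bad_hashes:
                report["flagged"].append(rel)      # malware was backed up along with the data
            elif actual != expected:
                report["corrupt"].append(rel)      # backup content differs from the recorded state
            else:
                report["verified"] += 1
    return report


def demo() -> dict:
    """Constructed data set: one clean file, one file altered after the manifest, one known-bad file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "tools").mkdir(parents=True)
        (src / "orders.csv").write_text("id,amount\n1,42.00\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        bad_sample = b"MZ-constructed-malicious-sample"   # stand-in for a malicious binary
        (src / "tools" / "helper.exe").write_bytes(bad_sample)
        manifest = hash_tree(src)
        # simulate data changing between manifest and backup (inconsistent backup)
        (src / "orders.csv").write_text("id,amount\n1,42.00\n2,17.50\n")
        archive = tmp / "backup.tar.gz"
        create_archive(src, archive)
        known_bad = {hashlib.sha256(bad_sample).hexdigest()}  # constructed blocklist
        return restore_test(archive, manifest, known_bad)


if __name__ == "__main__":
    print(demo())
```

The blocklist lookup stands in for whatever scanner the company actually runs over restored data; the point of the structure is that a restore test produces a report that can be reviewed and kept, rather than a green light from the backup software alone.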
The backup should be the best-secured system in the company, because all too often attackers rush to it first in order to render the backed-up data unusable. Against this background, practitioners advise offsite backups. Ideally, there should be an air gap - a virtual moat - between the backup storage and the rest of IT, so that no access is possible. In principle, only a few selected users should have access to the backups. And the backup processes themselves should be defined as a pull process so that other systems have no access rights to them. Furthermore, precise monitoring of access to the backup system should be included in the specifications. This is particularly useful as an early indicator for detecting attacks, since intruders often try to paralyse or manipulate the backup systems first. (CW)
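The monitoring the paragraph above calls for can be expressed as a few rules over the backup server's audit log: access by an account that is not on the short list of permitted users, access from a host other than the designated admin jump host, repeated failed logins, and any destructive operation such as deleting snapshots or disabling a schedule. The following Python script is an added example, not from the original article; the log format, the user names, the addresses and the action names are constructed for the demonstration and would need to be mapped to the company's own backup product.

```python
import re

# Constructed sample of a backup server's audit log (not from a real product).
SAMPLE_LOG = """\
2024-03-03T01:05:12Z user=bkpsvc src=10.0.9.4 action=login result=ok
2024-03-03T01:06:01Z user=bkpsvc src=10.0.9.4 action=job_run job=nightly result=ok
2024-03-03T09:41:55Z user=jdoe src=10.0.5.23 action=login result=fail
2024-03-03T09:42:03Z user=jdoe src=10.0.5.23 action=login result=fail
2024-03-03T09:42:10Z user=jdoe src=10.0.5.23 action=login result=fail
2024-03-03T09:42:30Z user=jdoe src=10.0.5.23 action=login result=ok
2024-03-03T09:43:02Z user=jdoe src=10.0.5.23 action=delete_snapshot job=nightly result=ok
2024-03-03T09:43:40Z user=jdoe src=10.0.5.23 action=disable_schedule job=nightly result=ok
2024-03-03T11:12:00Z user=bkpadmin src=10.0.9.4 action=login result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Operations that reduce the ability to restore; always worth an alert, whoever runs them.
DESTRUCTIVE = {"delete_snapshot", "disable_schedule", "purge_repository", "change_retention"}


def parse_line(line: str):
    """Turn 'ts key=value key=value' into a dict, or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(lines, allowed_users, allowed_sources, fail_threshold=3) -> list:
    """Apply the four rules and return one alert per (rule, subject), deduplicated."""
    alerts, seen, failed = [], set(), {}

    def add_alert(rule, event, key):
        if key in seen:
            return
        seen.add(key)
        alerts.append({"rule": rule, "ts": event["ts"], "user": event.get("user"),
                       "src": event.get("src"), "action": event.get("action")})

    for line in lines:
        event = parse_line(line)
        if not event or "user" not in event:
            continue
        user, src, action = event["user"], event.get("src"), event.get("action")
        if user not in allowed_users:
            add_alert("unauthorised_user", event, ("unauthorised_user", user, src))
        if src not in allowed_sources:
            add_alert("unexpected_source", event, ("unexpected_source", user, src))
        if action == "login":
            if event.get("result") == "fail":
                failed[(user, src)] = failed.get((user, src), 0) + 1
                if failed[(user, src)] >= fail_threshold:
                    add_alert("failed_logins", event, ("failed_logins", user, src))
            else:
                failed.pop((user, src), None)  # a successful login resets the counter
        if action in DESTRUCTIVE:
            add_alert("destructive_action", event, ("destructive_action", user, action))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines(), {"bkpsvc", "bkpadmin"}, {"10.0.9.4"}):
        print(a)
```

Because the backup system should only be reachable by a handful of accounts from a handful of hosts, the allow-lists stay short and every deviation is a signal worth a human look; the destructive-action rule fires even for permitted administrators, since that is exactly the activity an intruder with stolen admin credentials would perform first.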