
Once breached, repeatedly breached – how to stop data loss

October 5, 2016

Once a company's IT system has been breached or infected, there is a standard sequence of steps to follow to make sure every malicious element is removed before the system safely resumes its normal activities.

Bigger companies hire specialized services to set up and monitor their security systems, and to handle the measures that must be taken after an unpleasant event has occurred. Small and medium businesses (SMBs), however, may find themselves forced to handle security at company level, or to combine their own efforts with paid off-premises services, in an attempt to keep costs under control.

Saving money on essential safeguards is never a good idea, since repairing the damage after an attack in which company data is compromised or lost can prove incredibly expensive. Even so, it is advisable to have at least an educated idea of the essential measures and steps, even when the actual work is outsourced to a specialized company.

Financial post-breach impact

In December 2015, the SANS Institute released a comprehensive cost compendium for parties interested in post-breach operations and their variables. As the authors note, the material is based on a large-scale study in which a variety of organizations in healthcare, education, government and retail described how they repaired their damaged IT systems.

Interestingly, keeping the breach out of the news is listed right up front as a factor in reducing costs and speeding up recovery. The long-lasting effects of a breach consist of the customer loss triggered by the compromised data, reputation damage, any fines that follow, and the cost of the actual system cleanup, which must be performed properly to avoid recurring incidents.

As an overall figure, the most frequently reported post-breach cost range (cited by 31 percent of the study participants) is between $1,000 and $100,000, followed by a range of $500,000 to $50 million cited by 27 percent of the respondents. Of course, these figures are best read against the background of the whole study, where demographics, organizational size, culture and purpose help explain why some organizations pay more than others for post-breach measures.

Backup and recovery strategies can make all the difference and help breached companies repair the damage at lower cost and at greater speed. Likewise, staying compliant with the applicable security rules and regulations and keeping up with all the necessary check-ups and updates not only reduces the chance of suffering an incident, but also helps reduce the post-breach costs should one occur.

Backups and data restoring after being breached

Assuming that an organization, whatever its size, took care to plan ahead and back up its data, the operations following the breach will include all the necessary data-restoring steps. This presumes the following:

  • Clearly identifying the people assigned to the cleanup tasks (internal or outsourced staff);
  • Determining how and for what purpose the breach took place;
  • Determining exactly how much damage occurred before the attack was stopped;
  • Understanding the mechanisms and vectors of the attack and determining whether apparently uncompromised data is also at risk of being infected;
  • Performing an in-depth analysis to establish the date the attack began. This is very important: backups made before that date can be considered infection-free, whereas backups made during the initial stages of the attack are not eligible for restoring. Since the earliest visible trace of an attack is often later than its actual start, treat the established date conservatively and prefer an older backup when in doubt;
  • Scanning and analyzing the system once more to rule out any Trojans or other delayed risks still present in the system before the data-restoring operation itself.

Basically, to restart operations safely, any organization needs to make sure it has a clean system to populate with clean backup data.
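The two selection rules above (reject every backup taken at or after the date the attack began, and verify that what remains is intact before restoring from it) can be automated. The following is an added example written for this page, not code from the original article or from any vendor mentioned here. It assumes a hypothetical backup catalogue in which each snapshot carries a creation timestamp and a manifest of SHA-256 file hashes, and an earliest-known-compromise date produced by the investigation; the backup contents, file names and dates are constructed sample data.

```python
"""Pick a clean restore point after a breach (added example, hypothetical catalogue)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Backup:
    name: str
    created: datetime
    manifest: dict[str, str]   # path -> expected SHA-256 hex digest (assumed to be kept out-of-band)
    files: dict[str, bytes]    # path -> content; inline stand-in for the backup archive


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(backup: Backup) -> list[str]:
    """Return the paths that do not match the manifest; an empty list means intact.
    A listed file that is missing or altered, and an unlisted file that is present,
    both count as mismatches."""
    bad = []
    for path, expected in backup.manifest.items():
        content = backup.files.get(path)
        if content is None or sha256_hex(content) != expected:
            bad.append(path)
    for path in backup.files:
        if path not in backup.manifest:
            bad.append(path)
    return sorted(bad)


def select_restore_point(backups: list[Backup], compromise_started: datetime,
                         safety_margin: timedelta = timedelta(days=1)):
    """Newest backup created before (compromise_started - safety_margin) whose manifest
    verifies. The margin covers uncertainty about when the intrusion really began.
    Returns (chosen backup or None, {rejected name: reason})."""
    cutoff = compromise_started - safety_margin
    rejected: dict[str, str] = {}
    for b in sorted(backups, key=lambda b: b.created, reverse=True):
        if b.created >= cutoff:
            rejected[b.name] = f"created {b.created.isoformat()} is not before cutoff {cutoff.isoformat()}"
            continue
        mismatches = verify_manifest(b)
        if mismatches:
            rejected[b.name] = f"manifest mismatch: {mismatches}"
            continue
        return b, rejected
    return None, rejected


def build_sample_catalogue() -> list[Backup]:
    """Constructed sample data: three nightly backups of a tiny web site."""
    clean_index = b"<html>welcome</html>\n"
    clean_cfg = b"db_host=10.0.0.5\n"
    # Backup 1: intact, taken well before the attack began.
    b1_files = {"www/index.html": clean_index, "etc/app.cfg": clean_cfg}
    b1 = Backup("nightly-2016-09-01", datetime(2016, 9, 1, 2, 0, tzinfo=timezone.utc),
                {p: sha256_hex(c) for p, c in b1_files.items()}, b1_files)
    # Backup 2: taken before the cutoff, but the archived index.html was altered after the
    # manifest was written, so it must not be trusted.
    b2_files = {"www/index.html": clean_index + b"<script src='//injected.example/x.js'></script>\n",
                "etc/app.cfg": clean_cfg}
    b2_manifest = {"www/index.html": sha256_hex(clean_index), "etc/app.cfg": sha256_hex(clean_cfg)}
    b2 = Backup("nightly-2016-09-05", datetime(2016, 9, 5, 2, 0, tzinfo=timezone.utc), b2_manifest, b2_files)
    # Backup 3: internally consistent, but taken after the attack began, so it may faithfully
    # preserve the attacker's changes (here, an extra file that should not exist).
    b3_files = dict(b1_files, **{"www/uploads/x.php": b"<?php /* file present only after the attack began */ ?>\n"})
    b3 = Backup("nightly-2016-09-09", datetime(2016, 9, 9, 2, 0, tzinfo=timezone.utc),
                {p: sha256_hex(c) for p, c in b3_files.items()}, b3_files)
    return [b1, b2, b3]


def choose_restore_point():
    """Run the selection over the sample catalogue; the compromise date is assumed to come
    from the investigation described in the text."""
    compromise_started = datetime(2016, 9, 8, 14, 30, tzinfo=timezone.utc)
    chosen, rejected = select_restore_point(build_sample_catalogue(), compromise_started)
    return (chosen.name if chosen else None), rejected


if __name__ == "__main__":
    name, rejected = choose_restore_point()
    print("restore from:", name)
    for backup_name, reason in rejected.items():
        print("rejected", backup_name, "->", reason)
```

With the sample data, the newest backup is rejected for being taken after the cutoff, the middle one is rejected because its archive no longer matches its manifest, and the oldest one is chosen. The manifests only protect against tampering if they are stored somewhere the attacker could not also rewrite (signed, offline or on write-once media); a manifest kept next to the archive on the same compromised backup server proves nothing.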

Returning to the SANS study mentioned above, it is encouraging that almost 35 percent of the respondents reported no continuing effects after data breach remediation; cleaning up the right way can therefore ensure a fast operational restart and efficiently limit the costs and damage.

The right approach helps contain the damage

Most big names in security dedicate at least one section of their websites to advice on post-breach operations for breached companies. Cisco, for example, keeps it short and to the point, recommending that all affected parties:

  • Verify (examine the attack that just happened from all possible angles, in order to fully comprehend what happened);
  • Contain (isolate all affected parts of the system, stop the infection from spreading, go offline and/or take other measures to bring the system back under the organization's control);
  • Adopt a public statement strategy (depending on various factors, companies may choose to disclose the breach, to postpone their statements or to refrain from any public disclosure; note that breach-notification laws in many jurisdictions make disclosure mandatory for certain kinds of data, which narrows that choice);
  • Clean up and restore (only after fully comprehending the mechanisms of the attack and under specialized supervision);
  • Close the vulnerable access point (so that it does not provide further access to the same malicious entities or to other attackers).

Of course, you may also find online advice on specific hardware types (when it comes to cleaning up infected computers), specific operating systems, or specific attack vectors (malware, viruses, worms). Symantec, for example, maps out what virus removal and troubleshooting on a network should look like, both the basic steps and the most efficient order of operations.

In the hope that preventive measures will ensure your company never has to mount a post-breach intervention, we hope to have nevertheless provided, for informative purposes, an overall summary of what one would look like.