The steps you take within the first 24 to 48 hours of a security breach are crucial. These decisions can have a long-term effect on your company’s reputation, finances, and legal exposure. It’s important to have an Incident Response plan in place before any attack occurs. Here’s a list of things to do and not do if your network has been compromised.
DO
- Take the proper steps to ensure your network is secured.
- Notify your legal team as soon as possible so they can help determine the legal obligations arising from the incident and assist in managing the crisis response and investigation.
- Rally your incident response team and initiate the plan set in place.
- Identify the cause and source of the security breach and make certain it is contained.
- Disable network access for infected computers and quarantine them. Patch the vulnerabilities that were exploited.
- Reset the passwords of any accounts that were compromised. If the attack was an inside job, that account will need to be blocked.
- Ensure all impacted systems are backed up for forensic purposes.
- Notify any party affected by the breach so they can protect themselves from consequences of the incident, such as identity theft and the exposure of financial and confidential information.
- When the issue has been resolved, take preventive measures against a recurrence. Make sure all employees receive security awareness training.
- Reevaluate and update your current Incident Response plan to reflect any lessons learned from the incident.
DON’T
- Do not panic and make hasty decisions that stray from your IR plan; this causes disorganization and creates more issues.
- Don’t remain silent. Communication should be open with employees and customers about the incident, the plan and how to prevent a recurrence.
- Do not communicate with threat actors directly without first consulting specialists.
- Don’t make false statements. Anything said publicly should be honest and accurate to preserve your company’s integrity and prevent any legal implications.
- Don’t delete files or communications; it is important to retain all documents and evidence in case of future proceedings or regulatory enforcement.
- Do not close the incident early. Even if the crisis appears to be over, you need to continue monitoring the network proactively and vigorously to make sure no follow-on attacks occur.