You’ve been hacked. NOW WHAT?

Richard Frost, Armata

---

No matter how diligent your organisation is when it comes to cybersecurity, there’s always the chance that you may be hacked. Look at Forrester’s round-up of the world’s biggest data breaches: local credit bureau TransUnion comes up number six on the list, with over 10 million records exposed in 2022.

“The reality is that these things will happen,” says John Kampas, the founder and CEO of EMPIST. “They happen every day, every hour; if you have identified that your business has fallen victim, the number one thing you can do is contain it. If it’s on your computer – for example, if you received a ransomware note and now you’ve lost control – unplug your computer; disconnect from the wireless network. If it’s a desktop, unplug the network cable. Do not turn it off.”

The reason for this is that a lot of the evidence that may be needed will be lost the moment you reboot that computer. “There are things that reside in memory and you want to preserve those in the event there needs to be any type of forensic analysis or a deeper analysis on your system to determine exactly what happened,” he adds.

The next step is to inform the IT department or managed security service provider. “Your business should have what we call a ‘no blame zone’,” says Kampas. “If something happens on somebody’s system, or they clicked on something that they shouldn’t have, they should feel comfortable and confident to report that to the authorities – anyone who is governing IT and technology for your organisation.” Reporting is important, more so when you consider than human error is the main cause of 95% of cybersecurity breaches. “Sweeping it under the rug can result in damage so great that it could be detrimental to the business and potentially even cause that business to close down,” warns Kampas.

Once reported, this is where an incident response plan (IRP) gets put into action. An IRP often includes four phases that align with standards put in place by the National Institute of Standards and Technology (NIST). This includes preparation and prevention; detection and analysis; containment, eradication, and recovery; and post-incident activity. “When an incident response is initiated, the first step is to determine the type of attack and identify what is already in place that can help mitigate against it,” says Richard Frost, Armata’s head of cybersecurity. “It also helps identify which stakeholders need to be involved; for example, if there is a breach at an organisation involved in financial services, a key stakeholder is the Financial Sector Conduct Authority (FSCA), which, if not notified, can impose harsh penalties on organisations.”

Your business should have what we call a ‘no blame zone’.

John Kampas, EMPIST

Kampas adds that it’s important to have the appropriate tools, platforms, processes and people in place so incidents can be identified when they happen. “Depending on the extent of the attack and the industry you’re in, you may be required to provide notice to employees, customers, and partners,” he says.

Being transparent about a cyberattack is good security hygiene. This is why there are local portals such as the National Cybersecurity Hub, which is a central point for collaboration between industry, government and civil society on all cybersecurity-related incidents. In South Africa, data security comes under the Protection of Personal Information Act (PoPIA). “Organisations should do everything they can in order to protect themselves; in this way, even if they get attacked, they can show that they have taken the necessary steps to protect personal information, as required by privacy regulation,” says Frost. Other consequences of noncompliance include legal penalties, reputational damage and loss of customer trust.

Armata’s executive head and cybersecurity specialist, Caesar Tonkin, adds that as an incident is being resolved, an organisation needs to carry out further risk analysis in parallel. This can be done through a proper penetration test or active threat hunt to ensure that the initial attack is over and that malicious actors are not lurking in the system – or have created backdoors – in order to launch secondary attacks later. “After they’ve been hit, organisations need to ensure that they did not just stop the attack, but also the method of attack so that it is not exploited again,” Tonkin says. “They can assess whether their incident response plan was effective (if they had one in the first place) and use these lessons to build a roadmap to strengthen their future incident response capabilities.”

Recovery, the final piece of the puzzle, goes back to preparedness. In today’s world, a business needs to be ready because if it isn’t, it’s at risk of making news headlines. So, depending on your backup configuration, you should be able to determine what your restore options are. “IT departments and managers have the right intentions, but the reality of running an IT landscape means backups are often deprioritised to make space for daily operational tasks,” says Barry Kemp, head of cloud at Nymbis Cloud Solutions. “This mindset needs to change as backups should be of the highest priority. The IT department should be actively testing backups, running disaster recovery tests and generally ensuring that in a disaster, the business can be bought back online in the least amount of time.”

While there is no question an IRP should be a fundamental part of security for businesses of all sizes, what many have learnt the hard way is that an off-theshelf, one-size-fits-all security plan gives a false sense of security. And not only are there different levels of risk, different hacks require different responses. “There is acceptable risk, for example, in certain instances where an attack can cause some damage, but there is no sensitive information at risk,” says Armata’s Richard Frost. “In these instances, a server could be simply locked down or taken offline, and have its information restored afterwards. While some services might become inaccessible for a short period of time, the impact is less significant than what would result from a breach that compromises personal data.”

IT departments and managers have the right intentions, but the reality of running an IT landscape means backups are often deprioritised to make space for daily operational tasks.

Barry Kemp, Nymbis Cloud Solutions

Frost says that organisations need to have specific incident response processes in place, and assessments can help determine how they respond by codifying operating procedures. For instance, combating a DDoS attack might require tweaks to settings in a firewall, but tackling ransomware is far more complex. “Ultimately, the response to a cyberattack will vary based on the outcomes of the investigation and troubleshooting, the stakeholders involved and the remediation required. Even the technology solutions used to mitigate against various cyberattacks are different.”

According to Cisco’s Cybersecurity Readiness Index, only 19% of organisations in South Africa have a mature level of readiness needed to be resilient against today’s modern cybersecurity risks.

Luckily, there are a number of strategic actions a business can take to enhance their cybersecurity posture and mitigate future risks (see sidebar). “Taking these steps after a cyberattack can help businesses recover effectively and fortify their defences against future threats, demonstrating a commitment to cybersecurity and protecting sensitive data,” says Christo Coetzer, the director of BlueVision ITM.

HERE ARE 10 KEY ACTIONS FROM BLUEVISIONITM’S CHRISTO COETZER WORTH CONSIDERING:

1. Root cause analysis: Conduct a thorough analysis to understand how the cyberattack occurred. Identify the vulnerabilities or weaknesses in your systems or processes that allowed the breach. This analysis is essential for preventing similar incidents in the future.

2. Implement remediation measures: Address the identified vulnerabilities and weaknesses promptly. This may involve patching software, upgrading security systems, and strengthening access controls. Ensure that all identified issues are remediated to prevent the same attack vectors from being exploited again.

3. Enhance security posture: Use the lessons from the cyberattack to enhance your cybersecurity posture. This may include implementing advanced security technologies, conducting regular security assessments, and improving employee training on cybersecurity best practices.

4. Update IRP: Revise your incident response plan based on the experience gained from the cyberattack. Ensure that it reflects the most current threats and vulnerabilities and incorporates the lessons learned from the incident.

5. Review compliance and legal obligations: Assess the impact of the cyberattack on compliance with data protection and privacy regulations. Ensure you comply with reporting requirements and notify relevant regulatory authorities as necessary. Review and enhance your legal and regulatory compliance measures.

6. Engage with stakeholders: Communicate openly and transparently with affected parties, including customers, partners, and employees. Rebuild trust by providing updates on the incident, its resolution, and the steps to prevent future occurrences.

7. Security awareness training: Invest in ongoing employee cyber-awareness training. Employees are often the first defence against cyber threats, so educating them on phishing, social engineering, and safe online practices is crucial.

8. Cyber insurance review: If you have cyber insurance, review your policy, and make any necessary updates based on the incident. Ensure that your coverage adequately addresses the cyber risks your business faces.

9. Continuous monitoring and threat detection: Implement continuous monitoring and detection systems to proactively identify and respond to potential threats. Regularly review security logs and conduct threat intelligence analysis to stay ahead of evolving cyber threats.

10. Business continuity and disaster recovery: Re-evaluate and potentially enhance your BC/DR plans to ensure your organisation can quickly recover from cyber incidents. This includes data backup strategies, system redundancy, and disaster recovery testing.