Cyber Attack Recovery Starts Before the Breach
Build a Response Plan Before the Crisis Hits
No prevention is perfect. No protection is perfect. You are already a target for cyberattacks, and eventually, one will likely succeed. When that happens, you need to know what comes next.
Event or Incident? Know the Difference
Understanding the distinction between a cybersecurity event and an incident is critical because they carry different operational and legal implications.
A Cybersecurity Event is an observable change in the status of a network, system, application, or data. You should investigate these events to determine if they qualify as an incident. Not all events become incidents.
A Cybersecurity Incident is a confirmed event, or series of events, that jeopardizes the confidentiality, integrity, or availability of data or systems. It causes harm or disruption and requires an immediate, formal response. Incidents trigger legal, regulatory, and contractual obligations, such as reporting, that must be managed.
Your Next Steps
With this distinction in mind, follow these steps to manage the situation effectively.
1. Do NOT Panic
Stay calm.
Quick, smart action serves you better than panic.
2. Disconnect and Isolate
Notify your IT team and service providers immediately.
Enlist their assistance to secure every impacted or potentially impacted system:
Log out users on all devices.
Change passwords or disable accounts.
Disconnect systems from your network and the internet.
Document all actions and changes with a timestamp.
3. Document the Event
Take a few moments to document everything you know.
Create a clear timeline of the situation:
What did you notice and when?
What happened and when?
What actions did you take (e.g., links clicked, reports made to IT)?
4. Do NOT Start Fixing Things
Your cyber insurance carrier, legal counsel, or law enforcement may need to preserve your systems for forensics.
Restoring systems or recovering data prematurely could destroy evidence and impede criminal investigations. Furthermore, altering systems might provide a reason for your insurance carrier to deny or limit your claim.
5. Make These Calls
Connect with resources that can help you navigate your next steps.
Your Cyber Insurance Agent and/or Carrier
Advise your insurer that you are responding to a cybersecurity event that may be an incident. They will want to know the nature of the event and any actions you have taken. If they determine the event is an incident, they will initiate a response.
Your insurer may:
(1) Require you to report the event to law enforcement (FBI or CISA.GOV);
(2) Require you to hold systems for forensic analysis;
(3) Hire a specialized firm to manage recovery efforts;
(4) Direct you to complete other specific actions.
Your insurer may also ask for validation that you follow your security policies and procedures. Depending on your coverage, they may also provide assistance with:
(1) Required legal and/or regulatory reporting;
(2) Client communications;
(3) Client response services (e.g., credit monitoring);
(4) Other response-related services.
Your Legal Counsel
Work with counsel knowledgeable in cybersecurity response.
They will help you with:
(1) Compliance with state and federal laws and industry regulations;
(2) Stakeholder and customer notifications;
(3) Contractual obligations;
(4) Interactions with law enforcement.
Law Enforcement
We recommend opening a report with law enforcement in coordination with your cyber insurance carrier and legal counsel.
If your local law enforcement agency lacks a dedicated cybercrime unit, they can still open a report and refer you to the cybercrime unit of your local FBI field office. You can also report directly to the FBI or CISA.GOV.
Please be aware that law enforcement may collect computers or other devices as evidence. While this can be disruptive to daily operations, the long-term benefits far outweigh the temporary inconvenience.
Reporting the crime provides you with an official record that often assists insurance claims, and law enforcement may also be able to assist with recovery. For example, federal agencies maintain a database of decryption keys for ransomware attacks that could help you recover data without paying a ransom.
The Event
Human action triggered all three of these recent events. While it is easy to claim that the individuals involved should have known better, the reality is that even knowledgeable people succumb to these tricks when they are tired or distracted.
How many times have you replied to or acted on an email that you skimmed or quickly read without focusing on the content? We are all busy, and an email often feels like just another task to check off.
When you combine a false sense of security with a momentary lack of attention, it is very easy to click the wrong link, enter credentials into a fake site, or share private information.
Technology is vital for protection, but your people must also understand the risks. They should be able to identify suspect interactions and know exactly what to do when faced with a suspicious email, text, call, or web page.
After The Event
In every recent event we have handled, the business and IT leaders were unsure how to proceed. Given the urgency and stress of the moment, none of them referred to an existing Information Security Plan because they did not have an incident response checklist or strategy in place.
We tend to focus on recovery, such as getting systems back online and restoring data. While this is an urgent and tangible response, it is only one part of the equation.
Your cyber insurance carrier may need to verify your security measures, conduct a forensics analysis, or direct your recovery efforts. You likely have legal, industry, or contractual reporting requirements, and you may even need law enforcement to investigate.
Response and recovery from a cyberattack require having the technology in place to get your systems, apps, and data back in operation, as well as having resources in place to get you through the legal, regulatory, contractual, marketing, and customer relationship challenges you will face.
Help is Here
Responding to an attack requires a plan before the attack occurs. Our Security CPR® model provides the framework your business needs:
Communicate and Educate: Ensuring your team stays knowledgeable, aware, and prepared through appropriate policies and procedures.
Prevent and Protect: The right mix of security solutions to prevent cyberattacks and protect against active and successful attacks.
Recover and Respond: The services needed for business continuity, resilience, and a quick return to operations, along with the resources to assist with the insurance, regulatory, legal, and communication aspects of a cyber incident response.