It’s not a matter of if but when. In Mimecast’s 2019 State of Email Security report, 61% of respondents said they believed it was likely or inevitable that they would suffer a negative business impact from an email-borne cyberattack. There’s an air of resignation to it all: it’s going to happen, so you may as well prepare for it.
Check Point Software’s 2020 Security report carried a similar air of fatalism. ‘With the popularity of cloud computing and network-connected smartphones, it’s no secret that there are more ways to invade an organisation,’ it warns. ‘A once-hardened network perimeter is now blurred and porous to cyberattacks, and the bad actors are well aware. If there’s one clear takeaway from 2019, it’s that no organisation, big or small, is immune from a devastating cyberattack. Cyber exploits are more sophisticated, elusive and targeted than ever before.’
Yet nothing can really prepare you for the full horror of when it actually happens. At an individual level, it’s bad enough having your Facebook or Instagram account hacked. Someone might publish an annoying post in your name or force you to reset your password. At a business level, the impact is far, far worse.
Israeli cybersecurity firm Radware tried to count the cost of a cyberattack in a 2019 worldwide security report. It found that the repercussions of a cyberattack can vary from bad to very bad. In its survey of 790 businesses, 43% said a cyberattack had caused them to suffer a negative customer experience, while 37% had endured brand-reputation loss. One in four said they had lost customers. ‘The most common consequence was loss of productivity, reported by 54% of survey respondents,’ Radware’s report states. ‘For small to medium-sized businesses, the outcome can be particularly severe, as these organisations typically lack sufficient protection measures and know-how.’
It’s bad for big businesses too. A 2019 Kaspersky survey found that 67% of industrial organisations do not report cybersecurity incidents to regulators – perhaps, the survey suggested, to avoid the regulatory punishments and public disclosure that can harm their reputation. In fact, the survey report notes, ‘respondents said that more than half (52%) of incidents led to a violation of regulatory requirements, while 63% of them consider loss of customer confidence in the event of a breach as a major business concern’.
Little wonder, really. No organisation likes to advertise that its IT system has been hacked, and most tech consultants prefer to focus on what you can do to prevent cyberattacks. But what happens when you do get hit?
‘Having a plan to defend and quickly respond to cyberattacks is no longer an option but a business necessity,’ says Bethwel Opil, enterprise sales manager at Kaspersky in Africa. ‘If an organisation believes that it has been hacked, there are a few key steps to follow and some actions to definitely avoid, to ensure the hack or attack can be stopped and the potential impact and damage minimised.’
Opil recommends taking immediate action. ‘Don’t sit around and wait,’ he says. ‘Worryingly, Kaspersky’s latest Incident Response Analytics report shows that around 56% of incident response requests processed by Kaspersky security experts in 2018 happened after the affected organisation experienced an attack that had visible consequences, such as unauthorised money transfers, workstations encrypted by ransomware and service unavailability. Only 44% of requests were processed after detection of an attack during an early stage.’
That action involves calling in specialised cybersecurity experts to investigate the matter immediately and then provide guidance on how to rectify the attack and prevent it from creating further damage. Opil emphasises that the sooner an organisation acts when it thinks it has been hacked, the higher the chance of minimising potentially severe consequences. ‘An interesting aspect from our research is that in two out of three cases, investigation of incidents related to the detection of suspicious files or network activity revealed an actual attack on the customer’s infrastructure,’ he says.
The worst thing you can do is nothing. ‘No matter how minimal the hack may seem, a company should never be tempted to do nothing about it,’ says Opil. ‘Law enforcement agencies or the police should be notified about the attack, and the business should work with such entities to help fight cybercriminal activity.’
In some cases, organisations don’t have to investigate to find out if they’ve been hacked. In a ransomware attack, the cybercriminals will make it very clear, very quickly, that they have penetrated your IT systems. They will threaten to publish your private data or block access to your IT systems unless a ransom is paid. The natural response in this case is to pay the ransom. That’s also the wrong response.
‘Never pay the ransom,’ says Opil. ‘While it can be tempting to just pay up to be able to get the data back, it is never guaranteed that the data will be fully restored. Further-more, paying only entices the cybercriminals to continue with their tactics as they are benefiting from it. Like [with] a real-life hostage situation, it is best not to negotiate with cybercriminals.’
Berné Burger and Daniel Vale, associate and candidate attorney respectively at Webber Wentzel, agree, sounding a further warning about the legality of paying that ransom. ‘There is no broadly applicable South African legal principle that makes ransom payments illegal,’ they say. ‘However, the broad duties set out in the Prevention and Combating of Corrupt Activities Act would also cover ransomware victims being obliged to report incidents of ransomware/extortion to the police.’ Those two-thirds of companies that prefer to stay mum about their cybersecurity breaches may have to consider that.
Burger and Vale add that there are also negative effects of ransom payments outside the legal realm. ‘There is no guarantee that the hackers will return the hijacked data,’ they say. ‘And paying a ransom not only emboldens current cybercriminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity.’
Kaspersky’s Opil says that the first thing to do in the event of a ransomware attack is to isolate the problem. ‘Disconnect the [affected] device from any networks and the internet,’ he says. ‘Isolating the computer minimises the chance of the ransomware infection spreading to other computers.’ It may seem like a small thing, but it’s better than nothing – and nothing, Opil stresses, is the worst thing to do.
‘Common errors companies can make when a victim of a cyberattack is either giving into the urge to do nothing about it – due to the risk of being embarrassed or potential reputational damage – or, in a panic, turn to the police before consulting with a cybersecurity expert for urgent assistance,’ he says. ‘Taking no action only leaves a company more vulnerable to future cyberattacks. And while it is essential to alert law enforcement agencies of the crime, a first step should be to consult with cybersecurity experts to stop the attack and the damage being caused, and to investigate the problem, to be able to identify the weakness and patch it with urgency.’
Then, as the dust settles, Opil recommends spending time speaking to cybersecurity experts to understand why and how the attack happened in the first place.
‘A cybersecurity audit should also take place with the aim of identifying weak points within the cybersecurity strategy of the business, and where the business is most vulnerable,’ he says. ‘Following this, to ensure a repeat attack doesn’t take place, the business must tighten up its cybersecurity measures and ensure a robust strategy is in place. This strategy should not only look at the right software but also investigate threat intelligence and the ability for the business to be able to predict an attack, to prevent cyber risks of any nature.’
The strategy is clear, then. When – or if – your organisation is hit by hackers, act quickly, act decisively, isolate the problem, call the police, call the cybersecurity experts… And then find out what went wrong, so that the same sort of thing doesn’t happen again. (Even though it probably will. That’s the cost of doing business in a connected world.)