Don’t hit the panic button: What to do if you think you’ve been hacked

There’s a lot of hyperbole and alarmism within our industry. At times this can be self-defeating, muddling the email security must-haves with the not-so-necessaries, and leaving CISOs, CIOs, and IT Managers resenting the would-be protectors almost as much as the hackers attacking them.

That’s why it’s important to stick to the facts around the risks posed to your business. The Government tells us that more than two in five UK businesses uncovered breaches in 2018. Given that it takes an average of almost 200 days after the initial occurrence to identify a typical data breach, combined with the truth that not every breach is reported, it seems reasonable to estimate that more than half of UK businesses are being hacked every single year.

Creating your response strategy

Now, alarmism aside, this means your business is odds-on to be attacked before Santa Claus next comes to town, making it the ideal time to audit your existing cyber defenses and ensure you’ve taken every step to minimize the potential entry avenues that could be exploited by hackers.

But it’s also high time to create a response strategy in preparation for the event that your business is penetrated at some stage in the future. After all, blind panic is rarely a helpful form of remediation, and a great many companies manage to escalate potentially serious cyber scenarios to out-and-out crises by failing to keep a cool head and thus missing vital response steps – some of which carry their own legal or regulatory ramifications.

So, below we’ve included a walkthrough of how to avoid panic and address the essentials should you discover that you’ve become a hacking victim:

  • Close the door: If it’s an individual machine that’s been compromised, disconnect it from the internet and other machines. If you fear multiple points of entry, consider what needs to be disconnected and for how long, to assess the extent of the attack. In extreme cases, a temporary shut-down may be the only viable means of isolating the incident.
  • Alert the leadership: Businesses need to assume collective responsibility for cyber breaches from the top down – this is too big a burden to be borne by the IT department. Making the wider leadership team aware of the issue is an essential early step, given the range of compliance procedures that will have to be fulfilled further down the line.
  • Assess the damage: This may be easier said than done if a hack attack is widespread, but you should attempt to get an early read on the level of damage as this will inform the steps that must follow around comms and legal proceedings. If a broader assessment is needed, assign a team to investigate more thoroughly and/or bring in a trusted third party to help undertake the work and arrive at certainty.
  • Seek legal guidance: You should talk to your company’s legal team about cybersecurity irrespective of whether you’ve been hacked, in order to formulate a response plan covering as many types of breach as possible. This gives your legal eagles the chance to construct well-considered guidance for each scenario about the necessary remedial steps that must be taken. If in doubt, when the attack happens, get your legal team on the phone at the earliest opportunity.
  • Internal and external comms: Every hack will have different ramifications, but it’s likely that employees will have to be informed as quickly as possible – particularly if they need to change practices/behaviours as a consequence. It may be necessary to communicate the information to suppliers, as many cyberattacks originate within firms’ broader supply chain networks. Finally, from regulators to insurers to the media, it’s crucial that your communications strategy considers every audience that needs to know about the hack. Do some advance planning and formulate a communications strategy – again based on a variety of incident types – with a clear timeline for engaging each audience in each circumstance.
  • Tell your customers/the public: Informing your customers, or the public at large, should form a central part of the communications strategy. However, it’s worth singling out this audience, as it’s your customers that need to be kept on-side at all costs, particularly if their data has been compromised. Many companies suffer far more reputational damage in the aftermath of a breach than they do during the attack itself, almost always due to a failure to communicate clearly, quickly, and honestly with the audiences that matter most.
  • Review the causes, plug the gaps: Being hacked once doesn’t make you immune to the risk of future attacks. In fact, if there’s a vulnerability in your organizational defences, whether the result of a poorly patched network of machines or a lack of employee awareness, then hackers will go on exploiting it until the vulnerabilities are eradicated. So once the above mitigation steps have been taken, get to work on figuring out how the hack occurred and how future attacks can be prevented.

Remember, creating an effective response strategy is not a task that can be solved by a simple checklist. This is a serious business; indeed, an entire industry has arisen that is dedicated to helping companies respond to cyberattacks more effectively. But before you shell out for third-party support on building your response strategy, it’s worth checking out the NCSC’s website to help you better determine what the most appropriate steps are for your business. And whatever you do, don’t panic!

To find out more about how Red Sift can help protect your business from cyberattacks, get in touch.

Published by Clare Holmes, 28 Mar. 2019