Einstein was right: time is relative, especially when your company is experiencing a cyberattack. With critical systems down, time seems to slow to a crawl as business grinds to a halt. Yet simultaneously, time accelerates as critical decisions must be made quickly. Make the wrong decision and you can either cripple your restoration efforts or violate clauses in your cybersecurity insurance policy that will lead to your claim being denied.

Unfortunately, this will happen to every business eventually; the only variables are when it happens and how well you are prepared for it. To help you better prepare for this eventuality, this month we’ll discuss what you need to do during the first three days of a cyberattack.

Day 1: Discovery

The clock starts ticking when the breach is detected. The first problem is the difference between when the attack began and when you first notice it. Some attacks will be detected quickly by security software or make themselves known like a ransomware attack, but others can evade detection for weeks or longer. Recently we began working with a midsize financial services business. As part of the onboarding process, we performed a network health assessment which uncovered a security breach that had been in place and gone unnoticed for quite a while. Obviously, the sooner an attack is detected, the better.

However you come to discover you have been attacked, the first step is to activate your security incident response plan. (You do have a plan…right?). This first day is when time flies. The decisions you make this day will determine the effectiveness of everything that comes after. You do not want to “make it up as you go along” – have a plan beforehand.

Preventing the spread of the attack and limiting the damage is critical in the first few hours after discovery. Your security teams should begin working to identify and isolate infected systems. Employees should be notified of the attack, what services are impacted, how to notice if other systems have been infected, and whom to contact when other infected systems are discovered.

Management should immediately contact the company’s lawyers and cyber insurance provider to coordinate the response. They will give you advice and assistance on notifying law enforcement, retaining evidence, preparing for disclosure to customers and government agencies, and proper procedures for recovery. Collaboration with your legal and insurance partners is critical to minimizing direct attack costs as well as fines and reputational damage that can be even more expensive.

Day 2: Assessment

At this point you should have stopped the spread of the attack and isolated infected systems. Cybersecurity experts approved by your insurance company will work alongside your team to evaluate the breach. They will determine the type of attack, the number and types of systems that have been impacted, and the data that may have been accessed. They will begin to draw up a plan to root out the malware, remediate impacted systems, and restore data.

Management will work with legal and insurance representatives to assess the non-technical impact. If customer data has been stolen, it’s time to begin preparing to notify customers and government agencies. If operations have been impacted, they will decide how to handle the disruption.

By this point, time begins to slow down. You want your business back to normal as quickly as possible, but it feels like everything is taking too long. It’s another reason why you need a security incident response plan: so you know you’re on schedule even when it feels like everything is moving too slowly.

Day 3: Containment

Before infected systems can be remediated and returned to the network, your security infrastructure will need to be updated to prevent this attack from resurrecting on your network. That could be implementing new policies on your existing security tools or deploying new security solutions. If your backup devices have also been attacked, that will require further remediation before you can begin restoring impacted systems. The experts will determine which devices can be restored from backups and create a prioritized list to get your business back to normal as quickly and safely as possible.

Forensic investigators may be brought in to help identify the attackers, their methods, and exactly what data was compromised. In addition to helping law enforcement, this information can also be used by the insurance company to assess the financial impact of the attack. This is one more reason why it is critical to not begin restoration activities without contacting your insurance company. If your unapproved recovery efforts accidentally destroy forensic evidence, the FBI might forgive you, but your insurance company won’t.
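One practical way to make sure recovery work does not silently destroy the evidence your insurer and investigators will ask for is to hash and catalogue every artifact before anyone touches it, then re-verify the catalogue later. The script below is an added example written for this post, not code from the original article or from any vendor; the incident id, collector name, file names and the log line it writes are all constructed placeholders, and it builds its sample artifacts in a temporary directory so it runs offline.

```python
"""Evidence manifest: hash and record artifacts before any recovery work touches them.

Added example, not code from the original post. The incident id, collector name,
file names and sample log content are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB chunks so large artifacts (disk images, pcaps) fit in memory


def hash_file(path: str) -> str:
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, incident_id: str, collector: str) -> dict:
    """Record, for each artifact, its size, SHA-256, and when and by whom it was collected."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": hash_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"incident_id": incident_id, "artifacts": entries}


def verify_manifest(manifest: dict) -> dict:
    """Re-hash every artifact; return path -> 'ok', 'modified' or 'missing'."""
    results = {}
    for e in manifest["artifacts"]:
        p = e["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif hash_file(p) != e["sha256"]:
            results[p] = "modified"
        else:
            results[p] = "ok"
    return results


def demo() -> tuple:
    """Constructed walkthrough: catalogue two artifacts, then simulate an unapproved
    restore that overwrites one and deletes the other, and show the manifest catches both."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    note_path = os.path.join(workdir, "ransom_note.txt")
    with open(log_path, "w") as f:
        # constructed sample line; 203.0.113.9 is a documentation-range address
        f.write("Mar 03 02:14:07 host sshd[412]: Accepted password for admin from 203.0.113.9\n")
    with open(note_path, "w") as f:
        f.write("your files are encrypted\n")

    manifest = build_manifest([log_path, note_path], "INC-EXAMPLE-001", "j.doe")
    manifest_path = os.path.join(workdir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)

    before = verify_manifest(manifest)  # everything should be 'ok' right after collection

    # Simulated careless recovery: the log gets overwritten, the note gets cleaned up.
    with open(log_path, "w") as f:
        f.write("")
    os.remove(note_path)

    with open(manifest_path) as f:
        reloaded = json.load(f)
    after = verify_manifest(reloaded)  # now reports 'modified' and 'missing'
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before recovery:", before)
    print("after recovery: ", after)
```

The manifest file itself should be stored somewhere the recovery team cannot write to (a separate system or write-once media), and its own hash noted in the incident log, so that the record of what was collected is as trustworthy as the artifacts it describes.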

Next steps

At this point you’re ready to begin the recovery process and deal with the financial implications of the attack. We’ll cover those areas in next month’s blog.

A lot needs to happen in the first 72 hours. The most important thing you can do to prepare your company to survive a cyberattack is to have a documented response plan. We know from experience that companies that have up-to-date security tools AND a security incident response plan can return to normal operations faster and with less collateral damage. If your company doesn’t have a plan, make that a top priority today.