A cyberattack remains one of the biggest risks for a business: downtime costs real money, whether it hits production or administration. To stay operational, companies must go beyond endpoint protection. The key term is Incident Readiness.
Nowadays, the question isn’t if a company will fall victim to a cyberattack, but rather when. Companies that prepare for this scenario are acting with foresight.
Security experts have been preaching for years that IT security belongs at the management level. Now the EU's NIS-2 Directive (NIS stands for Network and Information Security) turns this creed into legal obligations. The goal is to strengthen IT security along value and supply chains. The electronics industry, which relies on a network of suppliers mainly from Asia, has some exposure to address here. Even though transposition into national law is still in progress, it is already clear that companies can no longer afford to take risks. Hoping that everything will be fine can backfire quickly when a full-blown IT security incident occurs and leads to significant financial losses. NIS-2 contains clear reporting rules: a significant security incident must be reported with an early warning within 24 hours of the company becoming aware of it, even on holidays and weekends. A fuller incident notification follows within 72 hours, and a final report is due no later than one month after that. The final report must be complete and include the exact course of events and the root causes of the incident.
It’s advisable for those responsible to familiarize themselves with the upcoming legal changes early on. They should take the opportunity to improve IT security, review critical business processes, and secure them sensibly. In addition to all security measures, the possibility of an IT emergency must now also be considered. Experts refer to this as Incident Readiness.
Paper is Patient – and Safe
For IT emergencies, companies absolutely need a crisis plan, preferably on paper. This plan should include an overview of the company's network, the devices in use and the contact details needed to reach the people and providers involved. In an emergency this information is crucial, and it is better kept in a filing cabinet than on an encrypted server or on an administrator's laptop that no longer boots. With such a plan, an external incident response team can start work much faster, getting the company back up and running sooner and limiting the financial damage. Few companies have their own incident response team, as keeping a team of highly specialized experts on staff is not financially viable for most. Training in-house staff for this role is very difficult, because the work requires hands-on experience with real security incidents that cannot be acquired from a book or a course alone.
Be Prepared for the Worst Case
The insidious thing about cyberattacks is that attackers often remain unnoticed for weeks or months. Unless an attentive IT employee stumbles over irregularities, it is usually a locked screen with a ransom note that reveals the ransomware attack. From that point on, every minute costs real money. This is when incident response experts come into play; they are often the last hope for restoring the systems.
Before an incident response team can take action, they need information about the current emergency. Therefore, those responsible must answer key questions – similar to the central questions asked during an emergency call to the fire department. These answers provide a deeper understanding of the current situation in the company:
- What happened – more precisely, what is happening right now?
- When did it happen?
- How was it noticed? This question can also provide clues about the attack vector.
- What measures have already been taken? This is about whether forensic traces have been secured or evidence has been accidentally destroyed, for example by rebooting or reimaging machines. This happens quickly if the people on site lack the necessary knowledge.
- Which company is affected? Is it a manufacturing business, a critical infrastructure company, or a government organization?
Of course, technical details also need to be clarified in advance so that the situation on site can be assessed and the deployment planned. The experts therefore need information about the IT infrastructure: network size, operating systems and their patch status, the virtualization platform, and the security components in use.
Dos and Don’ts for an IT Security Incident
Those who want to be well-prepared and remain operational for the deployment of an external response team should consider the following dos and don’ts:
Dos:
- Immediately isolate the affected network from the internet and from other segments: disconnect uplinks, disable switch ports or block traffic at the firewall rather than powering off hosts. This locks out the attackers and prevents further spread of malware while leaving memory contents and logs intact.
- Pause virtual machines or create snapshots that include memory: much modern malware runs only in memory and never touches the disk. Powering off a VM discards its memory and with it possible forensic traces. Pause the VM instead, or create a snapshot that saves the current memory state.
- Appoint a central contact person / establish a command post: Short communication paths are essential in an IT emergency. A contact person or command post coordinates communication with the incident response team. They also liaise with involved IT service providers and communicate with customers and employees.
- Prejudice-free communication: It’s important to create an environment free of fear, where even employees with little IT knowledge can provide hints about the incident. Accusations or blame are not helpful in this situation!
- Check and provide backups: this belongs on the agenda before an emergency; during one it is too late. Backups minimize data loss only if they are current, stored offline or immutable so that ransomware cannot encrypt them too, and have been restore-tested.
- Cooperate with the authorities: every victim should file a criminal complaint so that investigations can begin. In Germany, the police of each federal state run a central contact point for cybercrime (ZAC). Also clarify with the data protection officer whether personal data is affected: under the GDPR a personal data breach must be reported to the supervisory authority within 72 hours. The rule of thumb is: better one report too many than too few.
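The "pause virtual machines or create snapshots" item above is where well-meaning staff most often destroy evidence, because the default snapshot type on some hypervisors does not save memory at all. The following script is an added example and not part of the original article; it assumes a Hyper-V host with the Hyper-V PowerShell module, and the VM names are placeholders. On Hyper-V, "Production" checkpoints (the default on current hosts) quiesce the guest via VSS and discard RAM, so the script switches the VM to "Standard" checkpoints, which write memory and device state to disk, before taking the checkpoint and then pausing the VM.

```powershell
# Added example (not from the original article): preserve the memory state of
# running Hyper-V VMs before anyone touches them. Assumes the Hyper-V module on
# the host; the default VM names below are hypothetical placeholders.
#Requires -Modules Hyper-V

param(
    [string[]] $VmNames = @('erp-app01', 'fileserver01'),   # hypothetical names
    [string]   $Tag     = (Get-Date -Format 'yyyyMMdd-HHmm')
)

foreach ($name in $VmNames) {
    $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
    if (-not $vm) {
        Write-Warning "VM '$name' not found, skipping"
        continue
    }

    if ($vm.State -ne 'Running') {
        # A stopped or saved VM has no live memory to capture; leave it alone.
        Write-Warning "VM '$name' is $($vm.State); no running memory to preserve"
        continue
    }

    # Production checkpoints do NOT save RAM. Only Standard checkpoints write the
    # memory and device state, which is what the forensic investigators need.
    if ($vm.CheckpointType -ne 'Standard') {
        Set-VM -Name $name -CheckpointType Standard
    }

    # Capture first (the checkpoint briefly pauses the guest to copy memory),
    # then freeze the VM so attacker tooling stops acting. Do not Resume-VM or
    # Stop-VM here; the incident response team decides when it comes back.
    Checkpoint-VM -Name $name -SnapshotName "IR-evidence-$Tag"
    Suspend-VM -Name $name

    '{0}: memory checkpoint IR-evidence-{1} created, VM paused' -f $name, $Tag
}
```

Run it from an elevated PowerShell session on the Hyper-V host, ideally from a console that is not connected to the compromised network. The same idea applies to other hypervisors: on VMware ESXi the snapshot must be taken with the "include memory" option, and on libvirt/KVM a `virsh dump --memory-only` captures RAM; in every case the VM stays paused afterwards rather than being shut down.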
What Not to Do:
- Shutting down systems: this may destroy forensic evidence, above all everything that exists only in memory.
- Starting systems within the compromised network: the malware could spread to further parts of the network and increase the damage.
- Turning off antivirus solutions: even during or after an attack, antivirus still blocks further intrusion attempts, and its logs are evidence in their own right.
- DIY attempts: those without expertise who try to fix things delay and complicate the resolution of the infection. The risk of making things worse is high.
- Negotiating with the extortionists on your own: the rule of thumb is no negotiations with extortionists. If negotiation is unavoidable, do it only with expert support.
- Assigning blame: promptly reporting a suspicious action can limit damage early on. This requires a company culture in which employees feel safe admitting mistakes, such as clicking on a phishing link, without fear of repercussions.
In Conclusion: Invest First, Save Later
The question for companies today is not if they will fall victim to a cyberattack, but when. Companies that prepare for this scenario and line up expert help in advance are acting prudently: they secure the survival of their business even when damage occurs and recover operations faster. Studies show that in an IT emergency the biggest cost is not the deployment of the incident response team but the revenue lost to operational downtime.