9 Steps to Recover from an IT Security Breach to Minimize Damage

An IT security breach is an incident that results in unauthorized access to data, applications, services, networks, and/or devices by bypassing the underlying security mechanisms.

A security breach is one of the earliest stages of a security attack by a malicious intruder, such as a hacker or malware application. It occurs when the company’s security policy, procedures, and/or system are violated.

Depending on the nature of the incident, a security breach can be anything from low-risk to highly critical.

Cyber Security Breach Response Plan

Let’s say you’re a small business struck by a ransomware attack delivered via phishing (the most common type of cyber attack leveled against small businesses). As a result, you are now locked out of your system and the hacker is demanding a ransom. What do you do next?

Here’s a step-by-step IT security breach response plan:

Step 1 — Don’t Engage the Hacker

Do not pay any money to the hacker.

There’s no guarantee that you’ll regain access to your files or applications. Remember, you are dealing with criminals — can you really trust them?

Moreover, by paying the ransom you are financing future ransomware attacks, not just against others but against yourself as well. Having paid once, you will be an attractive target for bad actors.

Step 2 — Physically Isolate the Infected Host from the Network, Shut Down the Host

Next, disconnect the infected machine from your network by unplugging the network cable and turning off Wi-Fi. This is a critical step and must be completed as soon as possible.

Given the growing prevalence of worm ransomware, such as WannaCry (which exploits a core Windows component), isolating the affected system is vital; otherwise the malware may spread to the rest of your IT system and compound your problems.

Act Quickly

A swift response is crucial to minimizing the potential impact of the IT security breach.

The longer it takes to identify the source of the infection and contain its movement, the worse the infection — and its potential consequences — will get.

Furthermore, the ransom could simply be a cover for another attack, perhaps an attempt to exfiltrate or extract your client data.

We recommend that organizations have a rehearsed response plan in place for such an attack, so that the root cause is identified and isolated as fast as possible.

Step 3 — Save the Ransom Note

Use a smartphone to take a photograph of the attacker’s ransom note/message.

Step 4 — Identify the Infection

The next step is to identify the variant of the ransomware so you can plan the best recovery option for your situation. The infection already beat your antivirus and other defenses, so they won’t be of any help at this stage.

Here’s How We Do It

Browse the affected shares and you will quickly find a text file; it will look similar to the one below:

Step 5 — Lock It Down

At this stage, all you know is that your IT system is infected. One or more users may be the source and the infection itself may be hours or even days old at this point.

We need to ‘stop the bleeding’, so to speak, before we can treat your IT system properly.

First, take the shares offline immediately.

Next, before you lock these shares, you might be able to save a lot of time in later steps by looking at open files on the encrypted shares. This step will help you identify the source of the infection, which is what we call ‘Patient Zero.’ If you see a user with hundreds of open files, they are probably the source of the infection.

Which shares should you lock? All of them is the safest answer, but your situation will dictate which ones you should restrict. There are many factors to consider, but locking the shares will stop the progress of the encryption, if it is still underway, and will prevent other shares from getting encrypted until you remove the infection from the network.
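The triage in Steps 4 and 5 (find Patient Zero from open files, take the shares offline, and gather the ransom note and extension evidence) as an added PowerShell example; this is not code from the original article or its author. It assumes an elevated session on a Windows file server with the SmbShare module; the 100-open-file threshold and the ransom-note filename pattern are illustrative values, and containment runs before the slower file walk so it is not delayed.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the file server that hosts the shares (SmbShare module, Windows
# Server 2012 or later). Threshold and note pattern are illustrative values.
$OpenFileThreshold = 100
$NotePattern = '(?i)(readme|recover|decrypt|restore|how.?to)'

# 1. Patient Zero (Step 5): a session holding hundreds of files open on the
#    shares is almost certainly the host doing the encrypting.
$suspects = Get-SmbOpenFile |
    Group-Object ClientUserName, ClientComputerName |
    Where-Object { $_.Count -ge $OpenFileThreshold } |
    Sort-Object Count -Descending
foreach ($s in $suspects) {
    $o = $s.Group[0]
    Write-Host ('Probable source: {0} on {1} holds {2} files open' -f $o.ClientUserName, $o.ClientComputerName, $s.Count)
}

# 2. Stop the bleeding (Step 5): close the suspect sessions, then deny Everyone
#    on every non-administrative share so encryption cannot continue. Restore
#    access later with Unblock-SmbShareAccess once the source is cleaned.
$shares = Get-SmbShare | Where-Object { -not $_.Special }
foreach ($s in $suspects) {
    $o = $s.Group[0]
    Get-SmbSession | Where-Object { $_.ClientComputerName -eq $o.ClientComputerName } |
        Close-SmbSession -Force
}
foreach ($sh in $shares) {
    Block-SmbShareAccess -Name $sh.Name -AccountName 'Everyone' -Force
}

# 3. Evidence for identifying the variant (Step 4): list likely ransom notes and
#    the extensions written in the last 24 hours, without opening any file.
$recent = foreach ($sh in $shares) {
    Get-ChildItem -Path $sh.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }
}
$recent | Where-Object { $_.Name -match $NotePattern -and $_.Length -lt 50KB } |
    Select-Object FullName, Length, LastWriteTime -First 5 | Format-Table -AutoSize
$recent | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Name, Count -First 5 | Format-Table -AutoSize
```

The note paths and the dominant new extension are what you photograph and carry into Step 4; keep the suspect host list for the containment work in Step 2.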

Step 6 — Understand Your Situation

You’ve been infected by malware, which bypassed your antivirus and other defenses.

It is likely the result of some user action, like clicking a link, but that’s not always the case these days. The virus is using the infected user’s permissions to access and encrypt files. In addition, ransomware can also encrypt operating system files, network shares, and cloud file systems.

Step 7 — Implement Your Cyber Incident Recovery Plan

Once you’ve locked down the virus and eliminated its ability to cause more damage, it’s time to enact your disaster recovery (DR) plan and start your recovery.

The company backup strategy influences the recovery process. Hopefully, a well implemented (and well-tested) backup process is in place. This will be the key to retrieving lost files, but if not, tools exist which could assist in decrypting files from certain ransomware families.

Whilst this is sometimes an option, it should not be relied upon: more often than not no such tool exists, as the encryption implementations within ransomware are getting stronger.

Step 8 — Prepare for the Future

Once you have contained and remediated the ransomware infection, it is important to capture every lesson learned from the experience and fold it into your preparations. The idea is to refine your response plan so that you react faster next time and minimize the damage even further.

Step 9 — Comply with Regulatory and Legal Requirements

Ransomware can potentially affect your client data, in which case, you will need to comply with regulatory and legal requirements, such as the General Data Protection Regulation (GDPR).

In some cases, this means you will have to notify authorities and any affected individuals within 72 hours of first becoming aware of the breach, so as to avoid penalties.

What are the Components of an Incident Recovery Plan?

Having an IT security breach response plan is only part of the solution; you must also have a team and infrastructure to properly implement it.

  1. Assign an executive to take on responsibility for developing the plan and integrating incident-response efforts across your business units and geographies.
  2. Develop easily accessible quick-response guides for likely scenarios and hold your staff accountable for knowing what to do in the event of an incident.
  3. Establish processes for making major decisions, such as when to isolate compromised areas of your network. This may involve taking certain systems offline, so you will need to weigh the risk costs against the downtime costs.
  4. Maintain service-level agreements and relationships with external breach-remediation providers and experts.
  5. Ensure that all staff members understand their roles and responsibilities in the event of a cyber incident.
  6. Identify the individuals who are critical to the incident response plan and ensure you have redundancies in place in case something fails.
  7. Train, practice, and run simulated breaches to develop response “muscle memory.” The best-prepared organizations routinely stress-test their plans.

Each of these steps requires a measure of cyber security expertise, especially for designing and implementing cyber security breach plans. You cannot put this on staff who lack the training and experience in cyber security.

Simply keeping up with today’s security dynamics is a full-time job in and of itself. If you lack the resources to build this capacity internally, speak to a managed IT services provider (MSP).

Building the team and infrastructure for an effective IT incident response plan is far too resource- and time-intensive for many small businesses. But why ignore the problem when you can solve it right away by leveraging our team today? Reach out to us for a FREE consultation.
