In the event of a cyber incident, the instinctive response to act quickly may lead to an unsatisfactory solution. If a threat actor infiltrates one of your systems, the recommended list of what to do is nearly as long as the list of what NOT to do.
When managing a cyber incident, keep these “don’ts” in mind.
- Do not destroy evidence.
When managing cybersecurity incidents, it is important not to destroy evidence. Some clients instinctively bring in IT providers to rebuild systems before evidence has been preserved, which can lead to costly consequences, such as having to notify the entire client base.
- Avoid arbitrary restoration.
Do not restore systems to the closest available backup. Threat actors often linger in the environment for days to weeks before being detected. Restoring to a compromised state could worsen the situation.
- Do not contact threat actors directly.
In the event of a ransomware attack, refrain from reaching out to threat actors before seeking legal counsel or professional assistance. Consulting with a legal team can help assess the consequences of communicating with threat actors. Leave contact with the threat actor to qualified negotiators.
- Avoid handling complex incidents alone.
Do not attempt to manage a complex incident without seeking outside guidance. Managing it alone often leads to complications, as you’ll likely need external assistance at some point and may have to undo previous actions. Utilize available resources, such as your data breach coach or insurance broker, for guidance.
- Do not use compromised communication channels.
Stop using your email the moment you suspect it’s been compromised. Switch to more secure communication channels, such as phone calls or platforms with robust security features, like Microsoft Teams or Slack, to protect sensitive information.
- Refrain from using the term “breach.”
Avoid using the term “breach.” Instead, use the term “security incident.” Whether an incident is a breach is a legal determination, and a lawyer is the one to make it after analyzing forensic evidence.
- Avoid making hasty public statements.
Refrain from making broad public statements before conducting a thorough investigation. It is essential to collect all relevant facts before communicating with stakeholders, as spreading incorrect or incomplete information can lead to misunderstanding and panic.
Baldwin Risk Partners, LLC offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through BRP insurance licensed entities. This material is not an offer to sell insurance.