What to do when your infrastructure has been breached

Planning, response, and swiftly fixing the incident are key

Hardly a week goes by without news of some company's infrastructure being breached and data compromised.

In late February this year, the servers belonging to Linux distro Mint were penetrated and a malware-infested ISO was inserted, leading to many users downloading more than just an operating system.

And one of the highest profile breaches of recent times in the UK was that of TalkTalk. The breach last October has cost the firm around £60 million ($85 million, or AU$115 million), almost double the initial estimate of damages.

According to a survey conducted by training company QA, nine out of ten UK organisations experienced some sort of cybersecurity breach in 2015. Of those, 66% said that the breach had led to a loss of data, 45% said that it had resulted in a loss of revenue, and 42% said that it had caused a PR nightmare for the business.

Have a plan

While no one wants to fall victim to such a breach, organisations must take steps to prepare for such an event. If it does happen, what should you do to survive such a security incident?

Although it is almost impossible to create detailed response procedures for every breach scenario that could occur, you can create and agree a framework with generic processes and clear responsibilities, according to David Calder, managing director at ECS Security.

"This is worth doing and will help ensure good governance and momentum while minimising the business impact of any attack," he says. Calder adds that industry standards exist to support the creation of response procedures. "There are sound and proven sources such as NIST and the ISO."

Mark Logsdon, cyber resilience expert at Axelos, the UK government and Capita joint venture, says that the first thing to do when an incident takes place is to activate the incident response plan.

"This plan should consider what's been lost or is not available, the impact it has, how it happened, is it still going on, how do we fix it and how we prevent it happening again. In addition, there are some crucial business decisions," he says. This means who do you talk to first? Customers, press, police, regulators, shareholders?

Also what do you say and when? "There's also the question of what to say to staff, who then may innocently use social media to tell the world about what's being said internally," adds Logsdon.

Calder says that organisations should know their systems inside out. Compromises will often not leave obvious, conclusive signs – the evolution of attacks means that some will not have been seen before, he says.

"The best defence against these is investing time to know your environment better than an attacker could, making it easier to spot anomalous activity," he notes. Firms must also consider how to do this in their infrastructure. "At the very least it will highlight points that will benefit your organisation, such as potential availability issues and potentially unauthorised actions by legitimate users."