Have you been hacked? Discovering a virus in your system is common these days, but that doesn’t mean it’s any less exasperating. It’s not always easy knowing what to do, either.
To help you with your next virus incident, here’s a basic course of action for you to take. It’s only a framework, but it’s a step in the right direction.
Whether you were hacked or an employee inadvertently opened the door for some malware, or even if you have no idea how the virus got in, here’s an immediate response plan for you to follow.
1. Get the Right People Involved
Different problems may require different team members for an effective response. Gather your team based on the circumstances of the virus. Did a government agency contact your company about a network breach? You’ll want to involve the company solicitor. Were trade secrets compromised? Call in the executive board.
Then assemble your response team, if you don’t already have a dedicated team in place. This means selecting people with the appropriate expertise and pulling them away from their regular duties at the company.
2. Clear All Roadblocks
Roadblocks to fixing your hack might include:
- Uninformed managers. If your company doesn’t have a full-time IT team, you’ll need full cooperation from the managers whose departments include the people you need.
- Poor communication. Information needs to flow effectively and quickly so that each team member knows what to do.
- Inappropriate/untimely communication. Speculation about the hacking incident and the status of the response needs to be closely monitored by the incident team leader. Resist the temptation to supply initial reports too early. Instead, wait until you have accurate information to divulge.
3. Gather the Right Data – Quickly
Like a good murder investigation, a proper virus incident investigation begins immediately. The first 24 to 48 hours are the critical window for gathering data. Find out:
- which machines were affected
- what data was stolen
- how the machines were affected
4. Create an Incident-Specific Plan
Part of your plan should cover what to communicate, and how, to employees, the public, regulators, your board of directors and law enforcement.
As for your response to the incident, here’s what your plan should include:
- a complete technical description of the virus and how it infiltrated your system
- who will respond to the incident
- the role of each team member
- how the team will handle the machines which were affected
- how and when the normal course of business will resume
- whether to restore backups
- whether to block IP addresses
- whether to adjust firewalls
- what to do with corrupted machines
5. Plan for the Future
All good incident reports include some implications for the future. After all, if you can’t learn from your mistakes, how can you make your security processes better and your response teams stronger?
After your hacking attack has been resolved, gather the team one last time and ask:
- what went wrong?
- what did we do right?
- how can we be better prepared for next time?
You might also want to ask other affected colleagues to join in; their alternative viewpoint on the matter might prove helpful in your analysis.
Plus, when you include managers whose team members were on your response team, your next hacking response may go more smoothly. Those managers will better understand your processes, which means they’ll be more helpful next time there’s a hacking incident.
This has been only a blueprint for what to do after finding a virus. However, now that you’ve been through one incident, you are one step closer to becoming fully prepared for the next. Good luck!