
Recovering from a Data Breach or Cyberattack – An IT Perspective


It will happen. It’s not “if” but “when” you get hit by a cyberattack or data breach. What’s your plan for when it happens?

Cyberattacks and data breaches hit companies of all sizes. But small and medium-sized businesses get hit more than large businesses. Prepare for the eventuality. Then you’re prepared to manage the crisis.

Zac Wilcoxen runs Pretect managed IT services. Like many, he has seen cyberattacks skyrocket during the COVID-19 crisis. Zac sat down for an interview and answered the following questions.

What are the first steps you should take when hit by a cyberattack?

The first thing I would recommend doing is isolating the affected infrastructure, typically by disconnecting it from the network to keep it from spreading. And then, I would have your IT team investigate to determine the level of breach that has occurred and the source of the vulnerability. Then depending on your industry, if you're subject to HIPAA, GDPR compliance or anything like that, there are times in which you'd need to report that a breach has occurred.

CEOs and Presidents oftentimes don't want to know that there is an issue until it's been officially confirmed. Ideally, they will want the breach to go through a chain of command, starting with the IT team, because the IT team is going to have the most insight into the infrastructure and can identify if a breach did occur. For example, some of what we're going to be talking about through this process is phishing. If an employee thinks they have received a phishing email, they should follow the chain of command and send that email to the IT team. That way the IT department can do a deeper dive and identify whether or not a breach or cybersecurity vulnerability is present.

What is business continuity and why is it important?

Every business should invest in the proper backups: not just data backups, but also system and application backups. This is called “business continuity”.

You may have data backups going to an external drive. But what if your main application server gets hit with ransomware? How long is it going to take to set up another server, install the applications and then restore that data to the new machine? This process can take hours. Sometimes it can even take days, depending on the resources you have available.

Having business continuity in place makes the recovery process much easier. One way to implement business continuity is to have a virtual machine (VM) that is running at all times in congruency with the main application server and is taking backups frequently. Typically, you would want it to send a differential backup every fifteen minutes; a differential backup will pull anything that's changed over to the VM. Then, if ransomware hits your main application server, you can change the hostname of that virtual machine (VM) to the hostname of what was the main application server.

So, what could have been a multiple-hour or multiple-day downtime can be culled down to a few minutes of downtime, and the wheels of your business can keep turning. Business continuity is an investment. But in the event of a data breach or cyberattack, it saves so much money on the back end by not having to be down for long periods of time.

We use a downtime calculator to determine the cost of being down by not having the proper infrastructure in place. Long story short, it is very costly for most businesses to shut down shop for any amount of time.

Should you pay the ransom?

No. You should never pay the ransom. If you have the proper backup and business continuity in place you won’t need to pay the ransom. You can shut the application server down if you get hit with ransomware. Then, restore from a backup virtual machine (VM) that you have running for business continuity. Next, you can reformat the main application server that was hit. You give it a totally clean slate and then do what's called a bare-metal restore from your VM to the application server. You take the image that's on the virtual machine (VM) and apply it to that application server. Now your application server is back to the point where it was prior to the ransomware.

If you don't have business continuity, and you get hit with ransomware, you're in a bad spot. This is the worst-case scenario. Now, at that point, you need to make a decision to pay the ransom or not. If you don't pay the ransom, you are definitely not getting your data back, but if you pay the ransom, there is also a chance you won't get your data back. Don’t put yourself in that position.

How long does it take to restore the system after a ransomware attack?

That depends on the backup and continuity solutions in place. But it can take anywhere from a few minutes to several days.

Is there a point where it makes sense just to scrap everything you have and start over?

Technology advances quickly with hardware and software. Depending on your infrastructure, there are certainly times in which it does make sense to scrap a portion and upgrade those things. One example is firewalls. A lot of times, people are using old firewalls that aren't doing much with regard to protection in today's modern cybersecurity realm.

Obviously, you want to continually upgrade your system. But if you’re waiting until a ransomware attack and then rebuilding from scratch, you weren't properly prepared. And that's really what I'm trying to drill down on here: cybersecurity is all about being prepared.

How do you establish an escalation protocol for a cyberattack?

It depends on the size of the organization. If it's a small organization, I would go to the head honcho immediately. Otherwise, I’d train the employees to go to the IT team or another single point of contact first. The CEO and president typically are not the individuals who are handling these day-to-day operations. In my experience, a lot of who we end up working with are operations managers, directors of operations, those folks.

In this new age where we're working from home, people are a little bit on edge, and they feel like they might be compromised when they might not be. So, it’s important to have a single point of contact, and potentially a back-up point of contact. Then clearly communicate that to the employees.

What does a Managed IT Service Provider cost?

Many businesses are moving to a Managed IT Service Provider model. This brings enterprise-level expertise to small and medium businesses. Find the right provider that works for a small team and can fit within a budget. Typically, fees range from $75 to $125 per user per month.

You may be starting a business and trying to minimize cost. The question is how much risk you're willing to endure. And the key is to minimize your risk while trying to stay within the IT budget. Just keep the long view in mind. After you get hit by a cyberattack, managed IT services look cheaper with hindsight.

Final Thoughts

Start with the realization that you will get hit by a cyberattack or data breach. Be prepared. Have a plan. Make sure your employees know how to respond if they’re concerned. All of these are components of business continuity.

Employees staring at ransomware messages on their screens is not the time to start thinking about your business continuity. And the costs of idled employees, frustrated customers, and last-minute troubleshooting add up quickly.

Sadly, we live in a world with bad and malicious actors. You can pretend they aren’t there or won’t go after your company. Many other small businesses had the same plan and regretted it. The future is in your control.

Bio

With a lifetime spent in IT, Zachary Wilcoxen has seen it all. He started young as an agent doing on-site service calls for Computer Nerdz, before taking a position at a data center in the network operations center. There he maintained the infrastructure most people refer to as "the cloud". Honing his craft and studying computer science, he eventually took a software engineering position working on a popular cloud storage platform.

After a number of years in the workforce building a skill set, Zac set off to start his own business, which today is known as Pretect Managed IT Services. We offer 24/7 help desk support, proactive asset monitoring, cyber security, and automation.