How to handle a cyberattack

Open, transparent communication with employees 'very important'

Latitude Holdings is the latest Australian company to experience a devastating cyberattack.

The financial services company revealed that the personal information of 7.9 million customers has been stolen.

Back in January, it was Australian property developer and construction company Meriton who experienced a cyberattack — and the list of companies doesn’t stop there.

Optus, Medibank Private, IPH and ProctorU have all experienced cyberattacks in the past 12 months.

In fact, the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report covering the period of July 2021 to June 2022 revealed that ‘The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year’.

These increasing cyberattacks resulted in an average loss of $39,000 for small businesses, $88,000 for medium-sized businesses and $62,000 for large businesses, representing an increase of 14%.

Businesses in Australia need to be prepared for a cyberattack that could happen at any minute of the day.

What should businesses do in the event of a cyberattack?

“You need to convene your cyber response team immediately and leverage whatever intel you may have to determine the current state,” Dan Schiappa, chief product officer at security operations firm Arctic Wolf, said. “After you identify as much as you can, do your best to contain the incident by blocking any continuing communication with the outside world from any infected device and monitor for potential exfiltration of information or IP.

“If you have cyber insurance, immediately contact your provider with a claim so they can have their recommended incident response team engage ASAP. If you do not have cyber insurance and you do not have the means to conduct your own incident response, contact a leading incident response firm immediately so they can engage and provide service.”

The next stage of the process is informing employees and clients as quickly as possible. Being open about the situation will reduce any innuendo and help people deal with the issue.

“It is very important you have open and transparent communications with your clients, employees and any government or law enforcement agency that may have jurisdiction over the event,” Schiappa said. “It is critical, however, to have a basic assessment of the situation in place and make sure you are not putting your clients further at risk by communicating without a proper assessment.

“The sooner you can inform them with a status or any action they must take to protect themselves, the better. Nobody is immune to these attacks. So long as you have a quality cyber plan in place, there is no reason to hide in shame.”

Non-stop attacks

The ACSC took down more than 29,000 brute force attacks against Australian servers throughout the July 2021-June 2022 period along with blocking more than 24 million malicious domain requests. The report also stated that ACSC removed more than 15,000 domains hosting malicious software and shared in excess of 28,000 indicators of compromise with ACSC partners.

“If it is determined that a compromise of customer or other sensitive information has taken place, most countries today have regulations in place which dictate how soon communications must happen and what sort of notification must be made,” Nathan Wenzler, chief cybersecurity strategist, Tenable, said.

“It’s important in these situations to be as upfront as possible so that users, customers and partner companies have enough information to take the necessary steps to protect themselves without necessarily providing information that an attacker could intercept and use to expand their attack.

“When it comes to informing the media, it will depend on the nature of the company’s primary business, brand reputation and if they provide services to the general public that would make it of interest if an attack has taken place. Every organisation will need to determine this based on their own risk tolerances and business operations, and if it is decided to talk to the media, it should be done through the designated communications liaison identified in the incident response plan and controlled carefully to ensure the proper message and amount of detail is released.”

How to prepare for the future

All companies must prepare as if a cyberattack is imminent. Whether the business is small, medium or large, it is imperative that a plan is in place to control the outflow of data and to stop it spreading to clients and customers.

“Always perform a retrospective of what happened and ensure you have learned from the experience and hardened the environment from a similar attack,” Schiappa said. “Keep your incident response firm on speed dial, and if possible, have a retainer with them as even the most secured companies can have a breach again. 

“In summary, be prepared to be attacked again. Formulate a strategy, identify key stakeholders, conduct tabletop exercises and external penetration tests, and have your incident response plan at the ready. 

“If you do not have a security operations centre inside your company, engage with an outside managed detection and response (MDR) or security operations centre as-a-service (SOCaaS) vendor and ensure you have security professionals monitoring your environment. This is one of the most sure-fire ways to limit the damage of any attack.”

Employers: you have been warned.