The Grinch Who Stole Christmas: 6 Things You Need To Do If You Suspect Someone Stole Your Customers’ Data

The Christmas period is a perfect time for attackers to launch a cyber-attack on your IT environment. Darktrace reported a 30 percent increase in the average number of ransomware attacks over the holiday period compared to the monthly average. Therefore, it’s vital you stay extra vigilant during this period. But what should you do if you suspect someone has stolen your customers’ data?

Step 1 – Communication: If you suspect your customers’ data has been stolen, the first step is to make sure the relevant parties within your business are informed. This may include your IT Manager, Senior Managers, Data Protection Officer and Security Operations Centre.

Depending on the extent of the breach, you will have 72 hours from identifying the breach to report it to the Information Commissioner’s Office (ICO). A full investigation is not expected within this time frame; they will allow you to provide information in phases. It’s important at this stage to make sure a log is kept of all actions taken so that they can be included within the report.

Step 2 – Containment: To prevent the attack from spreading further into your network, the immediate action will be to contain the incident by isolating compromised devices from your network. This may also involve isolating entire parts of your network if a particular office or department is affected.

Step 3 – Investigation and Removal Of Threats: Now that the affected devices have been contained, you will need to have the devices examined to determine the extent of the attack including: 

  • What data has been stolen?
  • Can the attacker still access your IT network?
  • How was the attacker able to gain access?

Any threats that could allow the attacker to regain access to your network will then be removed. 

We know that time is of the essence in these situations. By choosing SYTECH, you will get undivided attention and focus with the best customer care from the moment you first contact us, until the incident is fully resolved.

Step 4 – Submit A Report: Once the investigation is completed and depending on the results, you will need to submit a full report to the ICO. Not all incidents need to be reported though. You can use the self-assessment tool on the ICO website to see if a report is required. 

Step 5 – Recovery: Now that the investigation has concluded, you can start the recovery process to restore functionality to your business. Ideally, you will have backups of your data which will allow you to carry on where you left off. Once you have your systems back online, you should test and monitor each device to ensure there is still no threat.

Step 6 – Security Improvements: The final step is to review the incident, so that you can apply additional security to prevent a similar incident in the future. This can involve:

  • Installing security patches
  • Physical security improvements
  • Changing passwords
  • Staff awareness training
  • Installing monitoring software

Although your IT environment is now secure, threats are ever evolving. Once improvements have been made to your systems, it is vital to continue monitoring for threats, to make an effort to constantly improve your security and to keep staff aware of the dangers.

Free CPD Session – Forensic Examination of Virtual Disks

Introducing Lunchtime CPD Sessions

We are pleased to announce that on the 18th May 2021, SYTECH will be providing a FREE webinar covering “Forensic Examination of Virtual Disks”.

The session will be delivered by our resident “Tech-Wizz” and Head of Training and Development, Stephen Fisher-Davies, and we plan for it to be both informative and insightful for technical and non-technical staff alike.

Stephen will be providing examples, showing the impact of not looking into virtual disks properly, as well as giving anecdotal case examples where these methods were used to ‘crack a case’.

The session will last just under an hour, starting at 12pm, with an open Q&A at the end. There will be no PowerPoint at all: the entire session will be a hands-on practical example, accompanied by demos of various virtual environments, how they are set up, what they could contain and how we advise you to tackle analysing their contents in the software that all of us in Digital Forensic Units use day to day.

Where possible, we will be showing how this can be undertaken with free, widely available tools, and will showcase some of the methods which have become part of our day-to-day work at SYTECH.

This event is restricted to Law Enforcement & Government Agencies only, but watch this space for future planned events.

 

To request an invite, please email “events@sytech-consultants.com” with your full name, position and organisation.