Cybersecurity has become a prominent issue for companies in all sectors. Businesses need to ensure that they have taken the necessary measures and have methodically prepared for a cybersecurity incident. The impact of a cyber-attack can be significantly reduced by a company’s ability to react quickly to unexpected events. This article aims to highlight ways to reduce the likelihood and impact of a cyber-attack and provide a clear understanding of the critical steps and appropriate responses to such attacks. Even though cyber risk has become one of the most critical operational risks for firms, the literature has not yet sufficiently addressed the practical ways companies can reduce exposure and mitigate these risks. Therefore, this article contributes to the literature by providing immediate steps that organizations should take in three possible situations, before, during, and after a cyber-attack.
Introduction
Cybercrime has become an increasingly critical issue in our society, not least because of the growing number of cyber-attacks on companies’ computer systems and websites. These attacks can be highly damaging for businesses and other organizations, especially when security is breached and confidential business and personal data are compromised [11]. Cyber-attacks have been defined as actions taken by a group or individual to exploit vulnerabilities by forcing access to restricted devices or areas in order to take control of personal computers, steal information from databases or disable firewalls [29]. Although until recently the main targets of cyber-attacks were financial firms, all industries now face greater exposure to cyber threats due to increasing digitization [2]. In addition, the COVID-19 pandemic created additional challenges for businesses, which, owing to the restrictions imposed by governments in response to the pandemic, had to increase their capacity and capabilities for remote work. According to the National Cyber Security Centre (NCSC), 350 cyber-attacks on companies were reported in Switzerland in June 2020, compared to a norm of 100–150 [24]. This was mainly due to the increased number of people working from home without the level of protection inherent in an office environment [23].
According to the Cynet 2020 report, about 20% of cyber-attacks before the pandemic used malware or previously unheard-of methods; during the pandemic this proportion increased to 35% [8]. In addition, cyber attackers have used websites without strong security to distribute malware, sometimes using hacked websites and domains offering resources and information to combat COVID-19 [2]. Criminals have also taken advantage of cybersecurity weaknesses in remote working and launched a series of cyber-attacks on videoconferencing services. Users’ data, such as email addresses, passwords and names, were stolen and sold on the dark web [23]. In 2022, in addition to the challenges companies were already facing in the wake of COVID-19, the war in Ukraine further aggravated their situation and continues to have a profound economic, human and business impact on companies. Business leaders are therefore now having to cope with rising inflation, skills shortages, changes in consumer behavior, and supply chain pressures [1]. As the conflict drags on, the effects of the invasion are also expected to be felt in various areas of cybersecurity [7].
The resulting security breaches and cyber-attacks are part of an expanding global cyber threat, which may already be amplified by the war in Ukraine and the pandemic. According to the Cisco Annual Internet Report, by 2023, the number of cybersecurity breaches is expected to reach 15.4 million [6]. This costs companies and taxpayers billions of dollars in lost information and response costs [11]. Executives prioritize their investments in cybersecurity and digitization, given the complexity and increased number of risks facing businesses today [2]. However, there are ways to reduce the likelihood and impact of a cyber-attack.
For this reason, companies need to clearly understand the key steps and appropriate responses to cyber-attacks to be adequately prepared and reduce risk exposure. Therefore, this paper aims to provide immediate steps that organizations should take in three possible situations, before, during and after a cyber-attack. These key steps are particularly relevant given that the literature has not yet sufficiently recognized the importance of preparing and equipping organizations to adequately respond to cyber-attacks and minimize their impact.
The remainder of this paper is structured as follows: Section 2 presents effective ways to reduce the likelihood and impact of a cyber-attack. Section 3 lists the immediate steps organizations should take to mitigate the effects of the attack. Section 4 reviews the steps an organization should take after a cyber-attack. The last section presents the concluding remarks.
Before the attack
While technological advances have made it easier for organizations to update their security measures, cybercriminals have also begun to use more advanced malware and more sophisticated techniques to avoid detection and prevent removal [18]. For this reason, this section outlines practical ways to reduce organizations’ exposure to cyber-attacks on internet-exposed systems or minimize such attacks’ effects.
Constantly perform and test backup procedures. The external hard drive used to make the backups must not be permanently connected physically or via a local network connection to the device being backed up. The ability to restore data from clean backups is one of the best ways to defend against malware. This method is cheaper, more reliable and does not involve paying a ransom to criminals. Especially when an organization pays a ransom, there is no guarantee that attackers will give them the decryption key [18].
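The backup advice above is only worth anything if restores are actually rehearsed. The following drill is an added example (not code from the article): it archives a directory, records a SHA-256 manifest of every file, restores the archive into a separate scratch directory and verifies each restored file against the manifest, so the ability to restore is proven rather than assumed. All files and paths are constructed inside a temporary directory.

```python
"""Backup-and-restore drill (added example; not from the article).

Creates a backup of a directory together with a SHA-256 manifest, performs a
test restore into a scratch directory and checks every restored file against
the manifest. A 'damage' option simulates a backup medium that was silently
corrupted, which is exactly what an untested backup would hide.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path) -> Tuple[Path, Path]:
    """Archive src into dest_dir and store the manifest next to the archive."""
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest = dest_dir / "backup.manifest.json"
    manifest.write_text(json.dumps(make_manifest(src), indent=2))
    return archive, manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target (a scratch directory, never production)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # safe extraction, Python 3.12+
        except TypeError:  # older Python: no 'filter' argument
            tar.extractall(target)


def verify_restore(manifest: Path, restored: Path) -> dict:
    """Compare the restored tree with the manifest recorded at backup time."""
    expected = json.loads(manifest.read_text())
    actual = make_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def run_drill(files: dict, damage: Optional[str] = None) -> dict:
    """End-to-end drill on constructed data. If 'damage' names a file, that
    restored file is overwritten to simulate a damaged backup medium."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, scratch = (Path(tmp) / n for n in ("src", "dest", "restore"))
        for d in (src, dest, scratch):
            d.mkdir()
        for name, data in files.items():  # constructed sample files
            (src / name).parent.mkdir(parents=True, exist_ok=True)
            (src / name).write_bytes(data)
        archive, manifest = create_backup(src, dest)
        restore(archive, scratch)
        if damage:
            (scratch / damage).write_bytes(b"\x00" * 16)
        return verify_restore(manifest, scratch)


SAMPLE = {"db/customers.csv": b"id,name\n1,Alice\n", "config/app.ini": b"[app]\ndebug=0\n"}

if __name__ == "__main__":
    print(run_drill(SAMPLE))                              # ok: True
    print(run_drill(SAMPLE, damage="db/customers.csv"))   # corrupt: ['db/customers.csv']
```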
Establish an incident response (IR) plan and a business continuity (BC) plan. The IR plan provides precise guidance on what to do during incidents and data breaches. Good cybersecurity programs place a high priority on writing and regularly reviewing an IR plan. The BC plan describes how operations will be maintained during and after a significant disruption or incident. The IR and BC plans should be tested periodically through role plays [21].
Have a built-in intrusion detection system (IDS). This is a device or software application that detects vulnerability exploits, policy violations or malicious activity. Once an IDS identifies a threat, it reports this information to a security specialist or to the security information and event management (SIEM) system, which collects such reports centrally. In addition, IDSs enable organizations to immediately detect cyber-attacks such as distributed denial of service (DDoS), ransomware and botnets, so that remediation can begin promptly [5].
Ensure that the systems are patched. A security patch is an update, usually issued by the software developer, that closes a security gap the original software did not cover. Security patches are therefore a way of preventing cybercriminals from exploiting a known vulnerability [4].
Cybersecurity awareness training for employees. Employers often focus on firewalls and other desktop technologies when it comes to securing their organizations. However, they often neglect employees, who may inadvertently give hackers access to confidential information. Employees frequently click on phishing emails while at work. Therefore, employees need to be educated on how to defend themselves against hackers and be prepared to identify phishing emails. As a preventative measure, it is also highly recommended to limit employee access to sensitive information [30].
Data protection impact assessment (DPIA). A DPIA examines a network or business application, a system, and the information and data held by particular parts of the enterprise. This enables organizations to identify and mitigate problems early, or at least to reduce any damage to the enterprise and the associated costs. A DPIA helps identify the most effective way to comply with data protection and privacy obligations [13].
Data breach notification. This must be built into the security IR plan to ensure it is properly executed. If personal data is unlawfully processed and security measures are breached, the controller must report the breach to the supervisory authority within 72 hours and possibly also to the affected data subjects [19].
Cybersecurity insurance. Such insurance allows businesses to reduce the risk of cybercrime activities such as data breaches and cyber-attacks. In addition, a cyber insurance policy helps organizations pay for any financial losses they may suffer during a data breach or cyber-attack. It also helps cover costs related to the remediation process, such as legal services, investigation payments, crisis communication and customer reimbursements [20].
During and immediately after the attack
According to the latest IBM report, the average data breach cost increased in 2021 to $ 4.24 million per incident. This is the highest average cost in the history of this report [16]. It only takes one click on a bad link or a single security gap to allow cybercriminals access to a company’s computer systems. In a cyber-attack, extensive investigations are needed to support recovery, regulatory investigations, remediation, litigation, and other related activities. This section lists the immediate steps organizations should take to mitigate the effects of the attack.
Damage examination. This is done as part of an internal investigation to determine the impact on the organization’s critical functions. Such a thorough investigation will allow the organization to discover unknown security vulnerabilities, identify the attacker and determine what improvements need to be made to the company’s information systems [10].
Setting up a team of experts. Once the extent of the damage has been identified, organizations can develop a comprehensive breach response with the help of an expert team [12].
Preventive measures are needed to minimize further damage. Affected companies should prevent further data loss by taking additional measures such as redirecting network traffic, blocking a distributed denial-of-service attack, and isolating all or parts of the compromised network [17].
Inform those affected. Organizations must create a plan that encompasses and reaches all affected audiences, including customers, employees, business partners, investors, and other stakeholders [12].
Inform law enforcement. It is recommended that organizations work with law enforcement at all times. The sooner the authorities are informed about a theft, the more effective they can be. Some companies may be reluctant to notify law enforcement because of the damage it could do to their reputation and the disruption it could cause to the business. Nevertheless, informing the authorities is often a legal requirement [17].
In-house legal counsel. They usually take the lead in communicating with regulators and external advisors. Consideration may be given to hiring an external legal advisor with data security and privacy expertise. Legal counsel can also advise on state laws that a breach may implicate [12].
Compliance. A major cyber-attack can spread across multiple countries or jurisdictions and may even give rise to conflicts between jurisdictions [26]. The chief compliance officer (CCO) is responsible for assessing compliance risk in a cyber-attack. The CCO must work with the board, legal department, and executive team to manage these issues.
Notify the insurance company. It is recommended that the organization contact the insurance company as soon as possible to get help with the necessary measures after a cyber-attack [22]. Transferring some of the financial burdens of a cyber-attack to the insurer could make the difference between staying in and going out of business. It can also cover third-party costs, such as notifying affected partners and customers, public relations services needed to repair reputational damage caused by the cyber-attack, credit monitoring, and civil damages resulting from lawsuits.
In the aftermath of a cyber-attack
For an organization to return to normal operations as quickly as possible following a cyber-attack, it needs to understand how to identify, isolate and resolve an attack as effectively as possible and ensure that further damage to systems is prevented. This section lists the steps an organization should take after a cyber-attack.
A comprehensive security risk assessment. This identifies and assesses potential vulnerabilities in different applications, systems, and hardware and then prioritizes the risks that could affect them. The purpose of security assessments is to reveal vulnerabilities in corporate systems and areas where employees need training, so that organizations can prepare adequate responses to risks and take preventive defensive measures [31].
Restore systems. As a priority, both systems and data should be restored and it should be ensured that the restored data has been thoroughly cleaned of any malware [15].
Proper collection of evidence. Collect audit records, memory dumps, logs, network traffic and disk images, because digital forensics is limited without proper evidence collection; without it, no further investigation can be conducted [3].
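Evidence is only useful later if it can be shown that neither the artifacts nor the record of their acquisition changed after collection. The following evidence-acquisition log is an added example (not code from the article): each collected artifact is hashed at acquisition time together with who collected it, from which host and when, and every log entry carries the digest of the previous entry so that both altered artifacts and altered records are detected on verification. The artifacts, case id and analyst name are constructed stand-ins.

```python
"""Evidence-acquisition log (added example; not from the article).

Records each collected artifact (log file, memory dump, packet capture, ...)
with its SHA-256 hash and acquisition metadata, chains the entries together
and re-verifies everything on demand. All inputs below are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest of an entry's canonical JSON; the next entry stores it as 'prev'."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class EvidenceLog:
    """Append-only acquisition record. Each entry holds the artifact hash and the
    digest of the previous entry, so editing an artifact or an earlier record
    is detectable when verify() is run."""

    def __init__(self, case_id: str, collector: str):
        self.case_id, self.collector = case_id, collector
        self.entries: List[dict] = []

    def acquire(self, path: Path, kind: str, source_host: str, notes: str = "") -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "kind": kind,  # "log", "memory_dump", "pcap", "disk_image", ...
            "path": str(path),
            "source_host": source_host,
            "collector": self.collector,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
            "prev": entry_digest(self.entries[-1]) if self.entries else "0" * 64,
            "notes": notes,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> Dict[str, list]:
        """Re-hash every artifact and re-check the chain; return the problems found."""
        problems = {"modified_artifacts": [], "broken_chain": []}
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                problems["broken_chain"].append(e["seq"])
            p = Path(e["path"])
            if not p.exists() or sha256_file(p) != e["sha256"]:
                problems["modified_artifacts"].append(e["path"])
            prev = entry_digest(e)
        return problems


def run_collection(tamper: bool = False) -> Dict[str, list]:
    """Constructed drill: write sample artifacts, log their acquisition, optionally
    alter one artifact afterwards, and return the verification result."""
    artifacts = {  # constructed stand-ins for real evidence
        "auth.log": (b"Jun 12 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.7\n", "log"),
        "web01.mem": (b"\x7fMEMDUMP" + b"\x00" * 64, "memory_dump"),
        "capture.pcap": (b"\xd4\xc3\xb2\xa1" + b"\x00" * 20, "pcap"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = EvidenceLog(case_id="IR-CONSTRUCTED-001", collector="analyst (constructed)")
        for name, (data, kind) in artifacts.items():
            (root / name).write_bytes(data)
            log.acquire(root / name, kind, source_host="web01")
        if tamper:
            (root / "auth.log").write_bytes(b"")  # evidence altered after acquisition
        return log.verify()


if __name__ == "__main__":
    print(run_collection())             # no problems
    print(run_collection(tamper=True))  # auth.log reported as modified
```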
Change passwords. This can be done most quickly by using a password manager, which allows companies to store complex and unique passwords for each account. It is recommended to start by changing passwords that were part of a data breach [14].
Documentation of every action taken during the incident. This ranges from documenting how the incident was identified, the type of incident, and the assets affected to identifying the cyber-attack’s impact on the organization [3].
An organization needs to learn from this experience. The organization can determine how to modify its procedures and systems based on a thorough investigation to avoid future attacks. Such an incident can cause a company to become more assertive and thoughtful about cybersecurity [25].
Insurance. Documentation of all internal costs through a statement of work is required. Any breaches of the terms and conditions of claims notification and cooperation obligations will be investigated thoroughly by insurers to avoid or limit payment. If negotiated, the ransom may be covered by the insurer [28].
Discussion and conclusion
Cybersecurity has become a prominent issue for companies in all sectors [27]. The risk of a cyber-attack increased even more during the COVID-19 pandemic due to changes in working conditions that made it more difficult for companies to maintain security. For this reason, they need to be as proactive as possible in addressing threats and planning ways to prevent cyber-attacks. However, in addition to these prevention measures, cyber-attack detection, response and recovery capabilities are also needed. Businesses need to ensure that they have taken the necessary steps and have methodically prepared for a cybersecurity incident so that their response is coordinated and swift. It is important to be aware that the better prepared an organization is, the less impact the incident will have on it and the quicker it will be able to get back to business.
Indeed, managers cannot prevent cyber-attacks, which have become much more common due to digitization. However, the best practice for companies is to develop a response plan and security measures in case of a breach. The impact of a cyber-attack can be significantly reduced by a company’s ability to react quickly to unexpected events. Before implementing an incident response plan, the company must determine who will be responsible for it. A clear picture of the technology available to manage the incident, the people trained, and the time required to respond to the incident must be in place. An outdated incident response plan can itself create problems, so keeping the plan up to date is extremely important. Incident response simulations and role-play exercises also play a beneficial role. When a cyber-attack occurs, time is of the essence. For this reason, the response plan should be consulted to see who should be contacted. The faster an organization reacts, the more it can minimize the risks.
Depending on management’s response, the incident may be limited or aggravated. Only a coordinated and vigorous response can limit reputational damage, loss of time, money, customers, and recovery costs [9]. To respond appropriately, the cybersecurity response team must first identify the type of attack and then identify the likely scope and impact of the attack. In addition, in order to prevent the cyber-attack from happening again, it is important to trace the source. To do this, everything that happens both during and after the attack must be monitored and documented. With the help of a reliable monitoring service, a company receives regular status updates, making it possible to detect the attack in its preliminary stages. If sensitive data has been stolen, the potential risk to the company should be analyzed. In addition, risks and compliance should be examined to anticipate potential legal consequences. Depending on the country, the sensitivity of the data or the sector, it may also be necessary for the incident to be reported to the relevant authorities. Ultimately, organizations need to learn from this experience. After a thorough investigation, they should determine how to modify their procedures and systems to avoid future attacks.
Given the current threat environment, it is only a matter of time before an organization suffers a cyber-attack. However, there are ways to reduce the likelihood and impact of such an attack. Companies must clearly understand the key steps and appropriate responses to cyber-attacks to be adequately prepared to shorten resolution time and risk exposure. For this reason, this paper provides immediate steps organizations should take in three possible situations, before, during and after a cyber-attack. These steps provide practical ways for companies to reduce exposure and mitigate the effects of a cyber-attack. They can be used to guide future research and improve current understanding of how organizations can better equip themselves to respond appropriately to cyber-attacks.
Funding
No funding was received to assist with the preparation of this manuscript.
Author Contribution
All authors contributed to the conception and design of the study.
Data Availability Statement
The data used to support the findings of this study are included in the article.
Conflict of interest
F.M. Teichmann and S.R. Boticiu declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Barton R, Roark C, Delawalla A (2022) Operating through volatility: Five pillars to manage business continuity. https://www.accenture.com/us-en/insights/strategy/ukraine-operating-through-volatility-business-continuity. Accessed 6 Oct 2023
2. Boehm J, Kaplan J, Richter W (2020) Safeguarding against cyberattack in an increasingly digital world. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/safeguarding-against-cyberattack-in-an-increasingly-digital-world. Accessed 6 Oct 2023
3. Carson J (2022) Cyber Incident Response Checklist and Plan: Are You Breach-Ready? https://delinea.com/blog/cyber-incident-response-checklist. Accessed 11 Oct 2023
4. Chachak E (2017) What is a Patch in Cybersecurity? https://www.cyberdb.co/what-is-a-patch-in-cybersecurity/. Accessed 7 Oct 2023
5. Chipeta C (2022) What is an Intrusion Detection System (IDS)? + Best IDS Tools. https://www.upguard.com/blog/intrusion-detection-system. Accessed 6 Oct 2023
6. Cisco (2020) Cisco Annual Internet Report (2018–2023) White Paper. https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html. Accessed 6 Oct 2023
7. Clarke A (2022) Hacking the Invasion: The Cyber Implications of Russia’s Invasion of Ukraine. http://thirdway.imgix.net/pdfs/hacking-the-invasion-the-cyber-implications-of-russias-invasion-of-ukraine.pdf. Accessed 6 Oct 2023
8. Cynet (2020) COVID-19 Cyberattack Analysis. https://go.cynet.com/covid-19-cyberattack-analysis?utm_source=thn. Accessed 6 Oct 2023
9. Deloitte (2016) Readiness, response, and recovery. Cyber crisis management. https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/audit/ch-en-cyber-crisis-management.pdf. Accessed 12 Oct 2023
10. Dhillon G (2015) What to do before and after a cybersecurity breach. Kogod Cybersecurity Governance Center, American University, Washington, DC
11. Farhat V, McCarthy B, Raysman R, Canale J (2011) Cyber attacks: prevention and proactive responses. Practical Law, pp 1–12
12. Federal Trade Commission (2021) Data Breach Response: A Guide for Business. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business. Accessed 7 Oct 2023
13. Georgiou D, Lambrinoudakis C (2021) Data protection impact assessment (DPIA) for cloud-based health organizations. Future Internet 13
14. Grauer Y (2021) What to Do After a Data Breach? https://www.consumerreports.org/electronics/data-theft/what-to-do-after-a-data-breach-a7749505463/. Accessed 11 Oct 2023
15. Haggi H, Song M, Sun W (2019) A review of smart grid restoration to enhance cyber-physical system. In: Innovative Smart Grid Technologies-Asia (ISGT Asia). IEEE, pp 4008–4013
16. IBM (2023) Cost of a Data Breach Report. https://www.ibm.com/reports/data-breach. Accessed 10 Oct 2023
17. Irwin L (2017) How to prepare for and respond to a cyber-attack. https://www.itgovernance.eu/blog/en/how-to-prepare-for-and-respond-to-a-cyber-attack. Accessed 10 Oct 2023
18. Kenyon T (2021) Top 10 ways to prevent cyber-attacks. https://cybermagazine.com/cyber-security/top-10-ways-prevent-cyber-attacks. Accessed 6 Oct 2023
19. Lowijs J‑J (2022) GDPR Top Ten #9: Security and breach notification. https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-security-and-breach-notification.html. Accessed 7 Oct 2023
20. Marotta A, Martinelli F, Nanni S, Orlando A, Yautsiukhin A (2017) Cyber-insurance survey. Comput Sci Rev 24:35–61. https://doi.org/10.1016/j.cosrev.2017.01.001
21. Meers T (2022) Incident Response vs. Disaster Recovery vs. Business Continuity: What’s the Difference? https://pratum.com/blog/540-incident-response-vs-disaster-recovery-vs-business-continuity-what-s-the-difference. Accessed 6 Oct 2023
22. Mukhopadhyay A, Chatterjee S, Bagchi KK, Kirs PJ, Shukla GK (2019) Cyber risk assessment and mitigation (CRAM) framework using logit and probit models for cyber insurance. Inf Syst Front 21:997–1018. https://doi.org/10.1007/s10796-017-9808-5
23. Nabe C (2023) Impact of COVID-19 on Cybersecurity. https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html. Accessed 6 Oct 2023
24. Swissinfo.ch (2020) Jump in cyber-attacks during Covid-19 confinement. https://www.swissinfo.ch/eng/jump-in-cyber-attacks-during-covid-19-confinement/45818794. Accessed 6 Oct 2023
25. Teichmann FM, Boticiu SR (2023) An overview of the benefits, challenges, and legal aspects of penetration testing and red teaming. Int Cybersecur Law Rev: 1–11
26. Teichmann F, Boticiu SR, Sergi BS (2023) Latest technology trends and their cybersecurity implications. Int Cybersecur Law Rev. https://doi.org/10.1365/s43439-023-00091-0
27. Teichmann F, Boticiu SR, Sergi BS (2023) The evolution of ransomware attacks in light of recent cyber threats. How can geopolitical conflicts influence the cyber climate? Int Cybersecur Law Rev 4
28. Tosh DK, Shetty S, Sengupta S, Kesan JP, Kamhoua CA (2017) Risk management using cyber-threat information sharing and cyber-insurance. In: International conference on game theory for networks. Springer, Cham, pp 154–164
29. Vatis M (2002) Cyber attacks: Protecting America’s security against digital threats. Discussion paper
30. Zhang Z, He W, Li W, Abdous MH (2021) Cybersecurity awareness training programs: a cost-benefit analysis framework. IMDS 121
31. Zografopoulos I, Konstantinou C, Tsoutsos NG, Zhu D, Broadwater R (2021) Security assessment and impact analysis of cyberattacks in integrated T&D power systems. In: Proceedings of the 9th workshop on modeling and simulation of cyber-physical energy systems, pp 1–7
© The Author(s), under exclusive licence to Springer Fachmedien Wiesbaden GmbH 2024.