How to React to a Cyberattack? Do’s and Don’ts
By Andrea Villar | Wed, 06/16/2021 - 14:31
The attack surface of companies is only expected to grow, opening a window of opportunity for cybercrime. Companies should no longer ask themselves whether or not they will be the target of a cyberattack, but when. Dynamic lines of defense and sticking to protocols are just some of the keys to better cope with this situation until the remediation phase, agreed panelists during the first day of the Mexico Cybersecurity Summit 2021 held on Wednesday, June 16. “Reaction speed is critical. You need to know how to contain the cyberattack to minimize the damage that it could spread,” said Stephen Fallas, Sr. Cybersecurity Architect Strategist for Latin America of FireEye.
Cutting the network off from the internet, Fallas said, is one of the first actions a company should take when it is subject to a cyberattack to prevent data from being infiltrated further. Changing all passwords for any service is also a must, as “any of these accounts could have been compromised during the whole process of the incident.” Once past that stage, Fallas said getting an expert who can understand what is happening and identify the root causes is vital. “We need to identify which assets were modified or stolen. We need to know who might be affected and what the consequences of this whole situation are,” he said.
The best practice a company can adopt is to implement “a tailor-made suit,” said Norma Ubaldo, Cybersecurity and Corporate Governance Manager of Totalsec and Grupo Salinas. Training employees in a preventive manner, so that everyone is aware of their roles and responsibilities during a cyberattack, is fundamental because during an incident “processes and protocols take a back seat and time is precious. Today, cybercrime evolves on a daily basis, with more and more new and emerging threats,” she added.
However, not all companies have protocols in place to react to such an event. With this in mind, Alberto Vargas, Managing Partner of Secnesys, said that it is essential that someone who is familiar with the most critical processes of the business takes a leadership role to coordinate the others and prioritize what needs to be done.
Don'ts During a Cyberattack
In the middle of the chaos, companies under a cyberattack can make many mistakes. “It sounds easy to say but one of the first things companies should do is not to panic,” said Secnesys' Alberto Vargas. Often, when companies are in this situation, the first thing they do is look on the internet to see if they can find a key to decrypt their data, but most of the time “those actions only detract from an event like this,” he said. “You have to contact the people who are really knowledgeable about cybersecurity and not try to bail the boat out on your own.”
“It may sound tempting to try to do something to stop the cyberattack, but a new set of eyes can go a long way towards understanding and uncovering the problem faster,” added FireEye's Fallas. He also mentioned that not turning off devices is a golden rule, as powering them down can destroy forensic evidence. This ties in with not reusing the same passwords for different accounts, he added.
According to Norma Ubaldo, thinking that the attention, containment, eradication and treatment of a cyberattack is only the responsibility of the IT area is a common mistake. “It is no longer possible to see it that way because it is a multi-disciplinary effort. Businesses cannot limit themselves to seeing the incident at the IT level; they need to hand over the responsibility to different areas of the company in order to be able to react as quickly as possible and with a clear and orderly method of communication,” she noted. “Sometimes writing in a chat room what is going on can trigger panic or contain and reassure the direction.”