Even when businesses implement common sense security precautions to prevent cyber intrusions, breaches or other incidents can still occur. In fact, hackers can maintain access to compromised systems for many months after conducting a breach, remaining dormant until they decide to take action. Effective cybersecurity protocols include proactive detection measures to determine if an incident has happened and a comprehensive plan for immediate action if needed. Additionally, there are common signs to be aware of that could signal possible compromise of a company asset. What practices can small and medium-sized business adapt to discover and mitigate potential intrusion activity? This article will answer that question in three parts: detection, restoration, and protection. Simple, low-cost detection methods typically utilize common sense practices and readily available tools, while restoration and protection may require further investment if the compromise is significant or impacts sensitive information.
Detecting a Compromise
Creative and competent intruders might leave virtually no trace of the tools they used during an attack. However, their activity will likely leave some type of trail behind. Unmasking a virtual criminal is not as important as understanding their motivation, target, and scope of access. If it’s possible to determine what information hackers are targeting and why the situation can likely be controlled and further damage prevented. Basic techniques for detection, restoration and prevention can be broken down into two categories: information theft or manipulation, and system malfunction or irregularity. Below is a list of common indicators within each category that can be to help discover whether a compromised has occurred:
Information Theft or Manipulation
- Unknown or suspicious bank account activity like errant charges, withdrawals or logins.
- Unauthorized account access.
- Unexpected notifications that an account security question has been answered incorrectly.
- Unexpected notifications that an account password has been changed.
- A message from ransomware or an intruder that can prove access to data or systems.
- Normal user credentials (usernames, passwords) are not working.
- Unusual activity in common business applications (financial system, accounting software, CRM, enterprise tools, etc.)
System Malfunction or Irregularity
- Alerts from antivirus software about a suspicious file or abnormal activity.
- Noticeably reduced computer performance and responsiveness.
- The appearance of an unfamiliar new desktop item or program file.
- Associates report receiving strange e-mails sent from your account.
- Fake/spoofed antivirus messages warning users of a potential issue and asking for payment information to activate a purported fix.
- Unwanted browser toolbars.
- Programs seem to open on their own and the mouse moves “independently.” These signs indicate remote access by an intruder.
- Unexpected redirection when using search engines or browsers.
Any of the signals listed in either category above certainly warrant suspicion and immediate investigative actions. If a breach is suspected, restorative measures should be taken as quickly as possible.
Comprehensive restoration and repair go beyond simply changing a few passwords. The issue may go much deeper than superficial fixes as many types of malware allow attackers persistent access to company devices or systems. Malicious software like rootkits, spyware, adware, Trojans, and ransomware will only continue to create problems unless they are fully discovered and removed. The following recommendations are good starting points for controlling and repairing damage caused by a breach or other cyber incident.
Information Theft or Manipulation
- Try manually resetting authorization credentials for the application that is suspected to be hacked. Authorization credentials include usernames, passwords, PIN numbers, security questions and any other information that should be kept exclusively by the intended user.
- Because the exact method of compromise might remain unknown, consider resetting passwords for other common applications like e-mail accounts, desktop profiles and more.
- Contact the service provider (especially if it’s a financial institution) and inform them of the suspicious activity.
- Check e-mail accounts to see if a forwarding rule is sending communications to an outside address.
System Malfunction or Irregularity
- Disconnect the machine from the Internet (wireless and hardwired) to disrupt and prevent any further access.
- Install and run reliable antivirus software to locate malware.
- Check which programs automatically open and execute when the computer is booted.
- If an irregularity is spotted or a compromise is suspected, immediately shut down the machine restart it in safe mode (using an antivirus rescue disk, if available).
- If possible, locate and uninstall the malicious program. Try using programs like VirusTotal to scan the file and determine the exact kind of malware used and the information that is potentially compromised.
- If data was recently saved (to a central server, for example) and the network mapped, consider restoring the entire system and overriding current settings/storage. Data that was added or changed after the most recent backup will be lost, but the positives to this approach could significantly outweigh the negatives (especially considering the financial impact of downtime on small businesses).
Proactive measures are the first line of defense against a cyber attack. While no security system can prevent all possible attacks, following these recommendations can dramatically reduce the likelihood of a catastrophic event and provide greater peace of mind.
- Verify that business accounts are monitored for suspicious activity. Most banks and online applications will provide basic free monitoring to let users know about an irregular activity like high numbers of failed login attempts or credit card charges that exceed an authorized limit. Only allow the use of authorization credentials that meet best practice standards.
- Ensure that data is backed up in at least one location. Best practices require that data be backed up virtually and on a separate physical device. This way, if the information is destroyed or lost, it can be recovered quickly and with minimal cost.
- Update ALL systems regularly and as recommended by the manufacturer.
- Run periodic full-system scans with multiple antivirus software programs.
For a complete list of appropriate protective measures, see our article Common Cyber Security Mistakes Made by Small Businesses. Since it is virtually impossible to prevent all incidents, comprehensive cyber insurance is an essential component of a proactive prevention strategy. Cyber insurance assists businesses in handling the impact of an attack by protecting them against liability, covering costs related to recovery, and helping a business restore full functionality quickly. To learn more about exactly how cyber insurance helps shield small businesses, read our recent blog entry All You Need to Know About Cyber Insurance.
https://www.csoonline.com/article/2457873/data-protection/signs-youve-been-hacked-and-how-to-fight-back.html https://www.cnbc.com/2014/06/10/hackers-can-be-undetected-for-210-days-expert-says.html https://www.pnc.com/en/about-pnc/topics/pnc-pov/innovation-security/youve-been-hacked.html