How should a company react to a cyber attack?

[EXPERT OPINION] With the number of cyberattacks against businesses constantly increasing, companies need the keys to detect threats and limit their harmful consequences. An analysis with our expert François-Pierre Lani, Associate Attorney at Derriennic Associés.

More than one in two companies suffered a cyberattack in 2021, according to the CESIN barometer, and the personal data watchdog, the CNIL, registered 5,037 data breach notifications in 2021, an increase of 79% in one year.

Whether they are large companies, ETIs, SMEs or VSEs, none are spared from cyber threats. Although it is essential to implement preventive measures, sometimes these are insufficient and do not prevent a cyber attack.

Based on this observation, it is necessary to be able to recognize the warning signs and know how to react to a cyber attack.

Warning signs of a cyber attack

To limit the consequences of a cyber attack, you must be able to react in time. Although the signs are many, given the variety of attacks, some are more frequent than others.

These include, but are not limited to, the inability to connect to a computer tool, unusual connections or activity, file deletion, excessive computer activity, sending or receiving unwanted files, the presence of malware detected by your antivirus or your IT security provider (SOC), a suspicious email that was clicked on, etc.

If any of these signs are present, or if you suspect a cyber attack, quickly contact your IT department or a third-party IT service provider.

5 steps to react to a cyber attack

The reaction to a cyber attack can be divided into 5 steps. Since each attack is unique, and each company has its own specificities and way of operating, these steps may well have to be carried out at the same time or in a different order.

For this reason, it is necessary to prepare a crisis management protocol in advance and to set up a crisis unit in which everyone capable of managing the attack (management, crisis manager, IT department (DSI), expert…) participates.

Secure your computer systems. After contacting the IT department or service provider and the internal crisis unit set up for this purpose, it is recommended to disconnect the suspicious equipment from the network while leaving it switched on, and not to connect any new device to the network. Next, the IT expert will clean the system while trying to salvage as many healthy components as possible.

Save the evidence and document the breach. This step, which is essential and should be carried out as soon as possible, requires the intervention of an IT expert, accompanied by a bailiff, who will make a complete backup of the computer system and will be responsible for identifying, in a report, the evidence regarding the origin of the attacks and possible perpetrators.

Communicate, on the one hand, with employees, some of whom must be informed of restrictions on use and who can provide written statements and testimony, and, on the other hand, with third parties (customers, external service providers, etc.) who are likely to be affected by the attack.

Report the incident. If you have taken out a cyber insurance policy, or if another insurance policy (particularly your professional liability (RC Pro) or property and casualty insurance) may apply, be sure to report the claim to your insurer within the time allowed. Similarly, if the cyberattack involves personal data and creates a risk to the privacy of the people involved, make sure to notify the CNIL within 72 hours, and to notify the people involved if that risk is high.

File a complaint with a competent department, for example the public prosecutor’s office (cybercrime unit), the gendarmerie (C3N) or the national police (SDLC/OCLCTIC). Filing a complaint, on the basis of offences such as intrusion or fraudulent deletion, fraud or identity theft, is usually an essential requirement for the activation of cyber insurance.

Even if the attack has already occurred, it is never too late to surround yourself with specialists (technicians, insurers, lawyers, etc.) who will be of invaluable help in dealing with the consequences of the attack (disputes with customers, suppliers and service providers, data recovery, compensation claims, etc.).

Author: François-Pierre Lani, Associate Attorney at Derriennic Associés
Source: BFM TV
