The First 24 Hours: How to Prepare and Respond to a Major Cybersecurity Attack - McDermott Will & Emery


In Depth

In today’s digital age, data privacy and security incident response plans are critical. Companies need a well-designed cybersecurity plan both to protect their systems from attacks and to respond when an attack succeeds. Whether you are preparing an incident response plan in advance or have been caught off guard by a major cyber incident, consider the following steps in the first hours after a breach is suspected:

  • Take steps to preserve a claim of attorney-client privilege over the incident response, including by establishing a written communications protocol covering the investigation and requiring all participants in the investigation to commit to adhere to it.
  • Work with the company’s chief information security officer and IT security team to ensure that the organization is taking appropriate steps to protect the company’s systems and, if necessary, to prepare for a forensic investigation to determine the full scope of the compromise. Depending on the type of attack, such steps may include taking services offline, scanning and imaging affected systems, forcing password resets, adjusting firewall rules to block attacker traffic, identifying and terminating unauthorized programs running on the systems, applying software patches, updating anti-virus definitions, rebooting systems after the updates at an appropriate time and generating backups of critical systems. Sequence matters: capture logs, disk images and volatile data (running processes, network connections, memory) before password resets, process termination, patching and reboots, because those steps destroy evidence the forensic investigation will need.
  • Ensure that key IT security personnel remain alert to signs of the attack, are available to the company and its workforce 24/7 and are prepared to activate the company’s incident response plan immediately if the company’s systems are compromised.
  • As appropriate, communicate with the company’s workforce to:
    • Remain alert for phishing emails and pay attention to the details of each message, including the sender, the body, attachments and links directing to an unknown site;
    • Notify a designated contact on the company’s IT team if they suspect they have received a phishing email, have unexpected difficulty accessing a file or see anything else that might suggest a compromise of the company’s systems;
    • Keep the IT security team’s contact information on hand, and ensure that the IT security team is on 24-hour call until further notice.

If the company has already been the victim of a cyber attack, such as a ransomware attack in which system files have been encrypted, additional steps will be necessary:

  • Work with counsel on a plan to manage the incident response, including preservation of a claim of attorney-client privilege, the retention of a cyber-forensics consultant under privilege, compliance with notification requirements, and the assessment of legal exposure arising from the incident.
  • Work with the cyber-forensics consultant to preserve logs and images of affected systems, with integrity hashes recorded at the time of capture, and to begin analyzing the attack, the extent of the compromise and the adequacy of remedial measures.
  • Evaluate backup availability and adequacy, including whether the backups predate the compromise and whether they were themselves reachable from the compromised systems.
  • Consult with counsel, IT and your forensic expert about other appropriate steps.
