Isolate networks, safeguard the evidence, communicate with stakeholders – these and other measures will go a long way towards protecting your business after an attack.
On June 27, 2017, A.P. Møller-Maersk, commonly known as Maersk, the largest container shipping line in the world, suffered an incredibly debilitating malware attack. The malware, designated NotPetya by cyber security experts, infected its systems and brought this global giant to its knees.
But the consequences of the attack were not restricted to one company. In 2017, a container from a Maersk ship was offloaded at a port somewhere in the world every 15 minutes. The malware attack therefore threatened not only Maersk but entire global supply chains, including those for critical items like medicines.
The damage caused at Maersk was devastating. All end-user devices, including 49,000 laptops and print capability, were destroyed. All of the company’s 1,200 applications were inaccessible, and approximately 1,000 were destroyed. Data was preserved on back-ups, but the applications could not be restored from those as they would immediately have been re-infected. Around 3,500 of its 6,200 servers were destroyed, and again they could not simply be reinstalled. The severity of the attack was such that it made even recovery extremely difficult. All fixed-line phones were inoperable due to the network damage, and because mobile phones had been synchronised with Outlook, all contacts had been wiped from them as well, severely hampering any coordinated response. The malware also severely damaged both of Maersk’s implementations of DHCP (Dynamic Host Configuration Protocol) and Active Directory, which, respectively, allow devices to join a network by allocating IP addresses and provide a directory lookup for valid addresses. Along with those, the technology controlling its access to cloud services was also damaged and became unstable, while its service bus was completely lost.
Undoubtedly, it suffered a huge loss estimated to be in the region of USD 300 million. Still, the amazing thing is that Maersk, through a combination of luck, dedicated efforts of its staff and support from customers and vendors, was able to put its systems back online within two weeks.
What can management teams learn from how Maersk and other similarly attacked companies have dealt with a data breach crisis? The Federal Trade Commission (FTC), a US government body, has also published detailed guidelines for the actions that businesses should take following a data breach.
Here are the key points:
Isolate Network: Take all affected equipment offline to prevent additional data breaches; the only thing worse than one data breach is several. Even while doing so, the FTC advises businesses not to power off the infected machines until forensic experts arrive to assess the vulnerabilities and modes of attack. Powering a machine off can destroy evidence that may be vital in future legal and criminal actions.
Fix Vulnerabilities: This means identifying possible weak points in the system, whether they lie with people, service providers or network segmentation. Each of these has to be investigated and fixed appropriately.
Assess Losses: Ascertain the data that has been compromised and its nature. Is this information retrievable? Do you have uncompromised backups? Is it safe to operate from this backup data while addressing the systemic issues?
Communicate: It is essential to communicate honestly and openly with all stakeholders about the extent of the data breach and how it affects them. These stakeholders include employees, vendors, customers, bankers and regulatory authorities, among others. For example, one of the things that helped Maersk continue to function and get its system back online was that it communicated clearly, which resulted in not just employees stepping into the breach, but even clients extending a helping hand.
Consult Legal Teams and Work Closely with Law Enforcement: Any data breach, especially one where customers’ personal data is illegally accessed or where there is a failure to provide the promised service, can carry severe costs. Therefore, the company’s legal team must be fully briefed about the nature of the incident and its likely repercussions. Similarly, management needs to understand that its business has been the victim of a malicious attack, and that fully cooperating with law enforcement authorities is its best option.