Malware Manual – Part 6: 3 Steps to Recover from a Cyber Attack

For several weeks now, we have been touting the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The NIST framework organizes cybersecurity risk management, end to end, around five core functions: Identify, Protect, Detect, Respond, Recover.


In this final installment of our “Malware Manual” series, we explore the final NIST function, “Recover.” NIST lists only three categories of activity at this stage: recovery planning, improvements and communications. In our research for this post, we found that few articles by cybersecurity experts address all three at once. So, to close our run of posts, we’ll bring together recovery planning, improvement and communication guidance in a 1-2-3 process for you:


  1. Plan Your Recovery Before You’re Breached
    Eileen McCooey, consultant and regular contributor to Baseline magazine, encapsulated recovery planning into the most concise set of bullet points we encountered. We like her selection because it integrates mindset with specific action. She writes, “To help minimize damage, organizations should be ready to take these five steps in the aftermath of a breach:


  • Preserve evidence and consider consequences of every action taken.
  • Be flexible and adapt to evolving situations.
  • Establish consistent methods for communication.
  • Know your limitations and collaborate with other key stakeholders.
  • Document actions and findings and be prepared to explain them.”
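
The first and last of those five steps, preserving evidence and documenting actions, have a concrete technical counterpart: hash every artifact at the moment it is collected, so that later changes (including a well-meaning responder “cleaning up” a log) are detectable, and keep a hash-chained action log so the record of what was done cannot be quietly edited after the fact. The Python below is an added example for this post, not code from the article or from McCooey; the file names, the responder name and the artifact contents are constructed sample data.

```python
"""Evidence-preservation manifest plus a tamper-evident action log.

Added example, not from the original article. All sample files, contents
and the responder name below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_artifact(path, collector):
    """Record what was collected, by whom, when, and its hash at that moment."""
    return {
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
    }


def verify_artifact(entry):
    """True only if the file still exists and matches its collection-time hash."""
    return os.path.exists(entry["path"]) and sha256_file(entry["path"]) == entry["sha256"]


class ActionLog:
    """Append-only log; each entry commits to the previous entry's digest,
    so editing or removing an earlier entry breaks the chain on re-verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so an identical entry always hashes the same.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, detail):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        self.entries.append({**body, "digest": self._digest(body)})
        return self.entries[-1]

    def verify(self):
        """Recompute every digest and link; False if anything was altered."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True


def build_manifest(paths, collector, log):
    """Hash each artifact and log the collection itself as a responder action."""
    manifest = []
    for p in paths:
        entry = collect_artifact(p, collector)
        manifest.append(entry)
        log.record(collector, "collect", {"path": entry["path"], "sha256": entry["sha256"]})
    return manifest


def demo():
    """Constructed scenario: collect two artifacts, then alter one file and one log entry."""
    workdir = tempfile.mkdtemp()
    samples = (("auth.log", b"Jan 10 03:14:07 host sshd[411]: Accepted password for root\n"),
               ("dropper.bin", b"MZ\x90\x00" + b"\x00" * 60))
    paths = []
    for name, data in samples:
        p = os.path.join(workdir, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)

    log = ActionLog()
    manifest = build_manifest(paths, "responder-01", log)
    all_intact = all(verify_artifact(e) for e in manifest)

    # A responder "tidies" the log file mid-investigation: the manifest now flags it.
    with open(paths[0], "ab") as f:
        f.write(b"tampered\n")
    per_file_after = [verify_artifact(e) for e in manifest]

    chain_ok = log.verify()
    log.entries[0]["detail"]["path"] = "/dev/null"   # quietly edit an earlier log entry
    chain_after_edit = log.verify()
    return all_intact, per_file_after, chain_ok, chain_after_edit


if __name__ == "__main__":
    print(demo())
```

Two design points a practitioner would want: the hashes are taken once, at collection, and never recomputed into the manifest, so the manifest stays the reference and the disk is what gets checked against it; and the action log commits to its own previous digest rather than to the artifact, so it documents the sequence of responder decisions (what L21 calls being “prepared to explain them”) independently of whether the evidence itself survives.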


  2. Improve Your Future Process as You Investigate Your Current Breach
    As we reviewed a column by CTO Tom Beale in Information Management about assessing risk, we realized that Beale’s “10 questions organizations should be asking” before a breach should also be asked during a breach investigation. This way your pre- and post-breach processes form one continuous cycle, which helps your organization keep pace with evolving threats. In essence, we advocate that you review all 10 issues – data landscape, security culture, third-party contracts, organizational hierarchy, IT history, network configurations, security budget, security of your products and services, outsourcing policy and infrastructure-to-employee ratio – every time malware or an attack compromises any one of them.
  3. Communicate Before, During and After Any and Every Breach
    When we read a post by CEO Marty Puranik on the readwrite blog, we recognized that communicating inside and outside an organization before, during and after it is breached was a core theme. Puranik’s communications counsel boils down to three guidelines:


  • Round Up a Well-Rounded Team
    Who is involved in your cybersecurity communications team varies with the size and nature of your business. At a minimum, your full management group, your full IT team (including any Managed Services Providers, or MSPs) and your legal advisors should be in the mix. Larger companies may expand the team to include human resources, investor relations, operations and other departments. Puranik also advises adding forensic investigators who can “trace the breach to its source, assess its scope and assist you in forging a remediation plan.”
  • Have a Standing Communications Plan
    Puranik says, “To be most effective, your communication plan should address all implicated parties: customers, employees, investors, and business partners. Avoid being misleading in your communication and withholding details that could help people better protect themselves.”
  • Reach Out to All Relevant Parties
    “…It is wise to notify your local police, or even the FBI, immediately after you discover the breach,” Puranik advocates. “Depending on your legal requirements, you may also need to contact specific government branches. Do your research to find out what exactly you are required to disclose. The type of data stolen, financial versus health for example, may require additional steps for you to take, such as notifying the FTC.”

Puranik’s closing recommendation resonates most with us: “If cybersecurity isn’t your company’s expertise, you may want to work with an expert provider whose job is to ensure the safety of your data.”


Where have you heard that wisdom before?