Following the recent high-profile cyber-attacks on the Ashley Madison and the National Crime Agency websites, Mark Edwards, managing director of South Wales-based Capital Network Solutions and a certified cyber forensics professional, explains how businesses can detect a security breach and deal with it.

AFTER the recent high-profile cyber-attacks on the Ashley Madison and the National Crime Agency websites, hacking and online safety have become a mainstream discussion. The Ashley Madison story in particular has made international headlines after the company saw millions of its customers’ details breached in a single malicious attack.

In the UK cyber-crime is a serious economic issue, with data breaches, malware infections, and IP theft costing our economy an estimated £27 billion every year.

Though Ashley Madison was an international company with turnover of millions of pounds, businesses of all sizes are at risk from cyber-crime. Last year in the UK 60 per cent of small businesses experienced a cyber-breach, and the worst breaches cost small businesses between £65,000 and £115,000.

It goes without saying that businesses that take a proactive approach to their cyber-security, with clearly defined procedures in place, greatly reduce the threat of security breaches. All businesses should have a clear, documented ‘Incident Response Procedure’ that is authorised by management and the board. This should detail exactly what actions should be taken in the event of a security incident, both technical and non-technical.

Within the ‘Incident Response Procedure’ should be a clear outline of how to spot a security breach, who to report the security breach to, and how to deal with the security breach.

Though the indicators of being hacked vary based on the nature of the intrusion, there are some simple signs that may signal a security breach. From an end user point of view it might be suspicious emails, unusual behaviour of applications, passwords being reset or changed unexpectedly, or files moving and disappearing.

From a technical point of view, all devices such as servers, network switches, firewalls and routers should be configured to alert on suspicious behaviour and to log activity to central storage. While many businesses keep server logs, very few review the activity recorded in them. Regularly reviewing those logs can raise awareness of unusual activity on the server.
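As an added illustration (not code from the article or from Capital Network Solutions), the script below reviews a few constructed log lines in an assumed syslog-like layout and raises alerts for two of the indicators named above: a password changed outside business hours or by someone other than the account holder, and a burst of failed logins from one source. The log format, business hours and threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed syslog-like layout: timestamp host process: message.
SAMPLE_LOG = """\
2015-08-24T09:02:11 srv1 sshd: Accepted password for alice from 10.0.0.5
2015-08-24T09:03:40 srv1 passwd: password for alice changed by alice
2015-08-24T10:15:00 srv1 sshd: Failed password for carol from 10.0.0.9
this line is not in the expected format and is skipped
2015-08-24T23:41:02 srv1 passwd: password for bob changed by root
2015-08-24T23:41:05 srv1 sshd: Failed password for bob from 203.0.113.7
2015-08-24T23:41:06 srv1 sshd: Failed password for bob from 203.0.113.7
2015-08-24T23:41:07 srv1 sshd: Failed password for bob from 203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
PW_CHANGE_RE = re.compile(r"password for (?P<user>\w+) changed by (?P<actor>\w+)")
FAILED_RE = re.compile(r"Failed password for (?P<user>\w+) from (?P<src>[\d.]+)")
BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 is a normal working day

def parse_line(line):   # split one log line into fields; None if it cannot be parsed
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def detect(log_text, fail_threshold=3):
    """Return (indicator, account, detail) alerts found in the log text."""
    alerts, failures = [], Counter()   # failures: (source address, account) -> count
    for event in filter(None, map(parse_line, log_text.splitlines())):
        change = PW_CHANGE_RE.search(event["msg"])
        if change:
            reasons = []
            if event["ts"].hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
            if change["actor"] != change["user"]:
                reasons.append("changed by " + change["actor"])
            if reasons:
                alerts.append(("password_change", change["user"], "; ".join(reasons)))
            continue
        failed = FAILED_RE.search(event["msg"])
        if failed:
            key = (failed["src"], failed["user"])
            failures[key] += 1
            if failures[key] == fail_threshold:   # alert once, when the threshold is reached
                alerts.append(("failed_login_burst", failed["user"],
                               f"{fail_threshold} failures from {failed['src']}"))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags bob's off-hours password change by root and the three failed logins from 203.0.113.7, while alice's self-service change and carol's single failure stay quiet.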

If any irregularities are spotted they should be reported to the IT department immediately (as outlined in the ‘Incident Response Procedure’). The next step is to actively deal with the security breach.

The first step in dealing with a security breach is to limit the damage caused. Depending on the incident a business may consider taking a forensic image of the affected systems so that evidence of the cause of the incident and those responsible can be captured before it is lost.

During the containment period, all software and programs should be updated and security scans run. Employees should also avoid using any external devices such as USB sticks to transfer data, and refrain from sharing any sensitive data over the communication networks.

Once a threat has been contained, it needs to be removed. This should be solely the job of the IT department or an IT specialist.

After the breach has been resolved, the last task is to analyse the incident and record any lessons learned from it. The ‘Incident Response Procedure’ should then be reviewed and amended if there were any improvements to make. This should leave the business better protected against future cyber-crime attacks.