Notice, we did not say if, but when. The number and sophistication of attacks are increasing all the time. Most companies fall into one of three camps: been hacked, will be hacked, or have been hacked but do not know it. We felt it would be a good time to remind folks of the first steps to take when a hack has been discovered.
First, disconnect your network or infected systems from the Internet. Your priority is to stop further harm.
Second, clean the infected devices and restore from the last known clean backup. Restoring from a time before the hacker attacked is the fastest way to undo what has been done.
Third, determine how the hack was perpetrated and what information may have been compromised or what files were infected. Examining log files can be tedious work, but will provide logins and activity that can show you how the attack was initiated.
Fourth, make sure you notify affected users. This can be an uncomfortable step, but must be done to protect users and help prevent the problem from spreading.
Fifth, take corrective action. Hackers gain access most frequently by exploiting known vulnerabilities, and second most frequently through careless users. Remind all users of security policies and of the need for strong, unique passwords that are not shared between users. Ensure that your system software is kept current and that all patches and updates are applied. Separate functions like accounting and payroll onto different servers or systems not connected to the Internet, so that access to one does not provide access to all.
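For the log review in the third step, a short triage script can pull out successful logins that came right after a run of failures from the same address, which is often where the tedious reading should start. This is an added example, not part of the original article; it assumes OpenSSH-style `sshd` authentication log lines, and the sample lines, host name, accounts and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd auth-log style (assumed format;
# the article does not name a log source). IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 02:14:03 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar  3 02:14:06 web1 sshd[812]: Failed password for payroll from 203.0.113.7 port 40130 ssh2
Mar  3 02:14:09 web1 sshd[813]: Accepted password for payroll from 203.0.113.7 port 40136 ssh2
Mar  3 08:30:12 web1 sshd[990]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Mar  3 08:30:20 web1 sshd[991]: Accepted publickey for alice from 198.51.100.20 port 51520 ssh2
Mar  3 09:02:44 web1 sshd[1002]: Accepted password for bob from 192.0.2.15 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def suspicious_logins(log_text, min_failures=3):
    """Return successful logins that followed >= min_failures failures
    from the same source address, in log order."""
    failures = defaultdict(list)   # ip -> usernames tried since last success
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
        else:
            tried = failures.pop(ip, [])
            if len(tried) >= min_failures:
                findings.append({
                    "time": m["ts"], "ip": ip, "account": user,
                    "method": m["method"],
                    "failed_attempts": len(tried),
                    "accounts_tried": sorted(set(tried)),
                })
    return findings

if __name__ == "__main__":
    for f in suspicious_logins(SAMPLE_LOG):
        print(f)
```

Each finding gives a time, source address and account to check against the backup you restore from and the list of users you notify.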