
Launching a Professional Counterattack to a Big Hack


By Lisa A. Myers, CPA, CFE, MAFF, CGMA, and Bill Dean, CCE, GCIH, GCFA, GPEN

The aptly named “WannaCry” ransomware attack that paralyzed computers across the globe the day after Mother’s Day 2017 is believed to be the biggest online extortion assault ever recorded. It’s disconcerting to know that security experts believe the next massive ransomware attack is already underway – it just hasn’t manifested itself yet.

Cybercrime prevention comes in many forms, and includes software updates and anti-virus protection, extra caution with e-mails, firewalls with advanced threat protection, and data backups. But if the ounce of prevention fails, what do you do after an attack?

Assemble a Response Team

It is critical to create the right response team if you are a victim of a hack. It should be guided by an attorney, a forensic accountant, and a cybersecurity expert. The goal is for this team to work with upper-level management to quickly quantify the damage and take steps to prevent future attacks.

Remember, dealing with a data breach is about fixing the problem as well as shielding the company from liability. Having an attorney on the team ensures that, as your business deals with the issue, all communications become “work product privilege,” and thus are protected from discovery in a lawsuit.

The Investigation

Following a breach, companies are legally required to save data in its original form, including information on home and office computers, work and personal e-mails, databases, text messages, the cloud, and backup systems.

It’s best to assume that all investigations wind up in court, whether criminal, civil or both. If your experts need to testify, it is essential that all electronic evidence is properly preserved.

“Chain of custody” logs will document how data was gathered, analyzed, and preserved for production. Witnesses may be interviewed, especially in cases of insider infiltration. After companies discover a compromise, they have a legal duty to maintain data in its native format.

During an investigation, communication among team members is a must. For example, an IT expert may not realize that an individual file contains a company’s most secret information unless they are alerted to it.

Even if a hacked company tries to quantify the loss and identify the source themselves through their own IT department, they may rapidly discover they are in over their heads. Moreover, they may inadvertently damage data and evidence in the process. Immediately hiring a forensic accountant and security expert saves precious time and money.

Alert Insurance Carriers and Clients

Don’t wait until a cyberattack to start reviewing your coverage. Many companies find their existing business coverage isn’t adequate if they face a significant disruption.

If there is a breach, an immediate call to your company’s insurance carrier is a must. Experts should review the notice of loss requirements in the policy, especially since failing to make prompt notification can result in a denied claim.

A business’s clients also need to be notified immediately following an attack, and a company should be prepared to deal with the media. Consider hiring a public relations firm to get the right information out and to protect the corporate image.

Taking Precautions

Some companies immediately engage a forensic accountant to conduct an analysis whenever a high-level executive leaves. The right team can assist with penetration testing to detect and guard against vulnerabilities. Knowing that these safeguards are in place is a deterrent, not only to the person who departs but also to those still with the company.

Having a strong cybersecurity posture is the best defense against cybercrimes. And following an attack, legal, digital, and accounting experts can help minimize the damage, bring wrongdoers to justice, and prevent a tragic WannaCry sequel.

Lisa A. Myers, CPA, CFE, MAFF, CGMA, is a principal of Boyer & Ritter LLC and heads the firm’s advisory services group. She was 2016-2017 president of the Pennsylvania Institute of Certified Public Accountants (PICPA). Contact Lisa at (717) 761-7210 or

Bill Dean, CCE, GCIH, GCFA, GPEN, is a senior manager at LBMC Information Security and is responsible for incident response, digital forensics, electronic discovery, and overall litigation support. Contact Bill at (865) 862-3051 or

