Clarify who is responsible
Ultimate responsibility must lie with a member of management or the Executive Board. This also makes it easier for IT and Compliance staff to enforce security requirements with their colleagues.
Attacks via email and telephone
Numerous well-publicized examples have put the focus on cyber attacks. But do not forget that companies are still constantly defrauded via email, telephone and fax. Give your staff regular training to ensure that they are aware of the risks.
Clear procedures in an emergency
Define now who will be responsible if damage occurs. In addition: Who needs to be notified immediately (both internally and externally)? Who are the internal and external points of contact for staff, customers, suppliers and media inquiries? Does a law enforcement agency need to be informed?
After a cyber attack
To prevent damage from spreading, for example through malware, everyone who is potentially affected must be informed immediately. This includes developers, suppliers and customers. If third parties have also suffered significant damage, the attacked company has to prove that it took all feasible protective measures in advance and implemented all necessary security measures once the damage event occurred, in order to limit the damage to itself and to third parties.
Incidents that may be relevant under criminal law include the following: an unauthorized person has logged into the system; large amounts of system resources are suddenly being consumed; malware is identified; or large quantities of data from one or more senders are flooding the system.
Document the damage
Cyber attacks can cause enormous damage. The resulting costs must be documented carefully. The same applies to the evidence of the measures taken to mitigate the attack.
Inform the insurer
If the company is insured against this kind of damage, for example with cyber insurance, the incident must be reported to the insurer or agreed service provider immediately.