On the technical side, clarify whether and how the attackers were able to infiltrate your IT systems and what they did once inside.
In addition to removing vulnerabilities and closing open access points, it must also be ensured that attackers are prevented from installing a backdoor through which they can launch further attacks.
If appropriate expertise is not available within your company, the NCSC recommends contracting out to an IT security company.
Some measures should be taken before you fall victim to a successful attack. This can help to handle an incident more efficiently.
- Draw up a communication concept. This defines whether and how to communicate in the event of an attack.
- Draw up a business continuity concept. This should describe how your employees can continue working if your IT is unavailable for a more or less long period of time.
- If the feared data leak actually takes place, the NCSC recommends that you proactively inform your customers. This will enable them to take appropriate measures.
- Get an overview of the potential data loss and the risk associated with the data leak (e.g. reputational damage). Use this information to take further proactive measures.
- In accordance with Article 24 of the new Federal Act on Data Protection (nFADP), which enters into force on 1 September 2023, data security breaches must now be reported to the FDPIC if the persons affected by the data leak are exposed to an increased risk of their privacy or basic rights being infringed as a result. The requirement applies to private individuals, businesses and federal bodies. Reports to the FDPIC must be submitted as soon as possible. You can find the reporting form here: https://databreach.edoeb.admin.ch/report
- File criminal charges with the cantonal police where your company is based. They will then initiate the necessary investigation. You can find police stations in your area and the corresponding contact details at:
Notes on ransom payments
The NCSC recommends that you do not pay ransom money. Once the ransom is paid, there is no guarantee that the criminals will not publish the data anyway, or otherwise try to profit from it. Moreover, every successful ransom attempt encourages the attackers to continue, finances the further development of attacks and encourages their spread.
If you are nonetheless considering paying the ransom, the NCSC urgently recommends that you discuss this step with the cantonal police.