On the technical side, clarify whether and how the attackers were able to infiltrate your IT systems and what they did once inside.
In addition to removing vulnerabilities and closing open access points, you must also ensure that the attackers cannot install a backdoor through which they can launch further attacks.
If appropriate expertise is not available within your company, the NCSC recommends contracting out to an IT security company.
Some measures should be taken before you fall victim to a successful attack. They help you handle an incident more efficiently.
- Draw up a communication concept. This defines whether and how to communicate in the event of an attack.
- Draw up a business continuity concept. This should describe how your employees can continue working if your IT is unavailable for a shorter or longer period of time.
- If the feared data leak actually takes place, the NCSC recommends that you proactively inform your customers. This will enable them to take appropriate measures.
- Get an overview of the potential data loss and the risk associated with the data leak (e.g. reputational damage). Use this information to take further proactive measures.
- Depending on the type of data leak, you should inform the Federal Data Protection and Information Commissioner:
- File criminal charges with the cantonal police where your company is based. They will then initiate the necessary investigation. You can find police stations in your area and the corresponding contact details at:
Notes on ransom payments
The NCSC recommends that you do not pay ransom money. Once the ransom is paid, there is no guarantee that the criminals will not publish the data anyway, or otherwise try to profit from it. Moreover, every successful ransom attempt encourages the attackers to continue, finances the further development of attacks and encourages their spread.
If you are nonetheless considering paying the ransom, the NCSC urgently recommends that you discuss this step with the cantonal police.