Geißler Legal - Specialized Lawyer for Compliance & International Commercial Law

IfThen - ToDo in case of cyber attack

Compliance-focused legal advice for your business activities - personal, cross-border, cost-efficient.

Cyberattacks: how to react correctly as an entrepreneur

While cyber attacks used to be a problem mainly for large corporations, the danger for SMEs is also growing steadily in view of the tense political situation, particularly with Russia, North Korea and countries in the Middle East. Cyber criminals increasingly operate on a broad and professional scale and quickly exploit security gaps in the IT systems of their targets. They use sophisticated tools to identify weak points, and fraud and phishing attempts are also becoming more sophisticated. E-learning and sometimes costly training courses from global compliance service providers that employers offer their employees can only raise the necessary awareness to a limited extent. This makes it increasingly difficult for users to identify such threats early. Experts from all disciplines (legal, compliance, IT, etc.) agree that the question is not whether a data breach or an attack will occur, but only when. The following steps are intended to give you a guideline on what you can do if the worst happens.

How do cyber attacks occur?

A typical cyber attack can take different forms: systems are usually encrypted, data is taken hostage or there is a threat of its publication. Malware or fraudulent emails are often spread via infected systems. What is particularly serious is that personal data is often affected. This requires quick action to keep the damage to those affected as low as possible.

Immediate measures in the event of a cyber attack

  1. Stop or contain the attack: Identify the affected systems and isolate them from the network to prevent the spread.

  2. Start an investigation: Analyze the course of the attack, the attack vector and the extent of the damage. External expert teams such as CERT or CSIRT should also be involved.

  3. Assess the risk to data subjects: Determine which data is affected and assess the risk to the rights and freedoms of data subjects.

  4. Measures to limit the damage: Check what can mitigate possible effects and, if necessary, inform the people affected about the incident.

  5. Strengthen protection measures: Adapt security systems to prevent future attacks and document all measures taken.

Step-by-step guide to responding to a cyberattack

1. Stop the attack and minimize damage

The first step is to immediately check which systems are affected and isolate them from the network. The goal is to prevent further damage. Systems that are not immediately affected should be monitored to detect possible hidden backdoors.

2. Investigation of the incident

Cybersecurity experts should be called in to analyze the attack in detail, determining the chronology, cause and extent of the attack. In particular, it must be checked whether and how much personal data is affected.

3. Assess the risk to affected persons

The information collected is used to analyse the risk to those affected. Both the severity and the likelihood of possible damage play a role. Damage can include identity theft, damage to reputation or economic disadvantages.

4. Damage limitation measures

Mitigating potential impacts typically includes restoring data and services and checking the data for unauthorized changes. The LDI NRW (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia) generally considers it sensible to inform affected persons about the attack - even if there is no obligation to do so under the GDPR.

5. Long-term security measures

After an attack, the security level must be adjusted. This includes installing updates, regular checks and implementing secure authentication procedures such as multi-factor authentication.

External support and documentation

In addition to your own response to the attack, it is advisable to involve external service providers. The Federal Office for Information Security (BSI) offers lists of IT security service providers as well as contact points for reporting cyber incidents.

After each incident, detailed documentation is necessary. This should cover the entire course of the attack, the measures taken and the assessment of the damage. The documentation is not only used for internal follow-up, but also for reporting to the data protection authorities.

Conclusion: Prevention and readiness to react

Cyber attacks are a real and increasingly common threat. Companies and organizations must not only constantly update their protective measures, but also be prepared for possible attacks. Fast, coordinated action can minimize damage and prevent future attacks.

Make an inquiry now
We will be happy to advise you comprehensively and personally on your concerns.

International Lawyer & certified Compliance Officer


Happy to help you

Contact

Your law firm Geißler Legal.

address

Gertrudenstr. 30-36 (Willy-Millowitsch-Platz)
D-50667 Cologne
Phone: 0221-42482831
Phone: 0171-2211612

business hours

Mon-Sat: 10:00 am – 1:00 pm
Mon-Fri: 2:00 pm – 8:00 pm 
and by telephone appointment
