How to behave correctly as an employee in the event of a cyber attack
One wrong click and it happens. Windows pop up, the fan spins up, you lose access to folders, the task manager and other functions. One of the open windows then announces in large letters: "Transfer 10,000,000 €", together with links. At that point it should be clear that you have fallen into the hands of an attacker. Now it is hard to know what to do, but removing the malware is harder still, and the question of how to behave correctly is at the top of the list. One thing in advance: you should not pay the ransom, because experience unfortunately shows that the money is collected but the code needed to remove the malware is rarely delivered.
1st step: inventory and involve experts
- If it is determined that data has been lost as a result of a hacker attack, it is important to take stock of the damage. What data has been lost? Was personal data affected, and does this constitute a data breach under the DS-GVO (GDPR)?
- Involve the data protection officer (DPO) and the IT department immediately and agree on how to proceed.
- Document the data breach (templates are provided by the relevant data protection authorities).
- IT security: back up data, disconnect affected devices from the network, review administrator rights and change access credentials.
- Filing a report with the police or the public prosecutor's office is also possible and advisable. Caution: measures taken to stop the attack or repair the damage can destroy forensic traces.
2nd step: Report the data breach.
- Check the obligation to report to the data protection supervisory authority under Art. 33 DS-GVO: If a data breach is discovered, e.g. as a result of a hacker attack, the person responsible for the organization has 72 hours to report it to the competent supervisory authority. This deadline also runs on weekends and public holidays, so it is important to act immediately. This is the most important step under data protection law, because failing to report exposes the company to fines. Examples of when a data protection notification must be made after a hacker attack: https://www.secion.de/de/blog/blog-details/wann-muss-ich-einen-cyberangriff-gemaess-dsgvo-melden-und-wann-nicht-18-beispiele
- Check the obligation to notify the affected third parties under Art. 34 DS-GVO: In addition, it is essential to determine what risk the data breach poses to the data subjects (see step 1). This is not always entirely clear in individual cases. Where the risk to the data subject is normal, at least the competent supervisory authority is informed in writing. For everyone who processes personal data in NRW (companies, schools, associations, landlords, law firms, self-employed persons, practices, craftsmen, etc.), the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW) is the competent authority. If the risk to the data subject is high, the data subject must also be informed of the incident without delay and by appropriate means. The assessment of what must be reported and who must be informed should always be clarified with an expert, so always consult a data protection officer.
It becomes particularly critical when special categories of personal data (e.g. health data, information on religion, etc.) are affected by the hacker attack. In this case the risk of harm to the data subject is particularly high.
More info on when to inform affected parties: https://www.dr-datenschutz.de/hackerangriff-muss-man-die-kunden-informieren/
3rd step: Reduce damage
- Has data been published on the Internet without authorization? If so, notify the respective provider and/or hosting provider and request deletion (Art. 17 DS-GVO).
4th step: Increase security measures and prevent further hacker attacks.
- To prevent hacker attacks and other data protection incidents, the GDPR requires, among other things, that so-called technical and organizational measures (TOM) be implemented (Art. 32 GDPR). These are intended to prevent unauthorized third parties from gaining access to the data.
- Determine whether, and if so which, improvements to the IT environment are needed. The aim should always be to protect the personal data of the data subjects even better.
5th step: Who can help further?
- Data protection supervisory authorities, e.g. https://www.baden-wuerttemberg.datenschutz.de
- German Federal Office for Information Security (BSI), https://www.bsi.bund.de
- The BSI has also published important tips on hacker attacks: https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Empfehlungen_fuer_Betroffene_von_Datenleaks_08012019.html.
- State Criminal Police Office of Baden-Württemberg, https://lka.polizei-bw.de/zentrale-ansprechstelle-cybercrime/
- Federal Criminal Police Office (BKA), https://www.bka.de
- Baden-Württemberg State Office for the Protection of the Constitution, https://www.verfassungsschutz-bw.de/,Lde/Startseite/Arbeitsfelder/Spionageabwehr
- Cyberwehr Baden-Württemberg, https://cyberwehr-bw.de/
You do not have to become paranoid, but you should be especially careful when you are out and about in the digital world with your work devices. A company's data is its most valuable asset and must be protected by all available means. We are happy to help you with this!
Do you have questions about HP Sure Click Enterprise, would you like your employees trained in handling data, or would you like detailed, professional advice? Then contact us today; we will be happy to assist you.