
The day after the hacker attack: know what to prioritize in the company

The occurrence of a security incident that results in a hacker invasion is undoubtedly one of the biggest nightmares for any company today. In addition to the immediate impact on business, there are legal and reputational implications that can last for months or even years. In Brazil, the General Data Protection Law (LGPD) establishes a series of requirements that companies must follow after the occurrence of such incidents.

According to a recent report by Federasul (Federation of Business Entities of Rio Grande do Sul), more than 40% of Brazilian companies have already been the target of some type of cyber attack. However, many of these companies still have difficulty complying with the legal requirements established by the LGPD. Data from the National Data Protection Authority (ANPD) reveal that only about 30% of the invaded companies have officially declared the occurrence of the incident. This discrepancy can be attributed to several factors, including lack of awareness, the complexity of compliance processes and the fear of negative repercussions on the company's reputation.

The day after the incident: first steps

After confirmation of a hacker invasion, the first measure is to contain the incident to prevent its spread. This includes isolating the affected systems, stopping unauthorized access and implementing damage control measures.

In parallel, it is important to assemble an incident response team, which should include information security specialists, IT professionals, lawyers and communication consultants. This team will be responsible for a series of decision-making processes, in particular those involving business continuity in the following days.

In terms of compliance with the LGPD, it is necessary to document all actions taken during the response to the incident. This documentation will serve as evidence that the company has acted in accordance with legal requirements and can be used in any audits or investigations by the ANPD.

In the early days, the response team must conduct a detailed forensic analysis to identify the source of the intrusion, the method used by the hackers and the scope of the compromise. This process is vital not only to understand the technical aspects of the attack, but also to collect the evidence needed to report the incident to the competent authorities and to the insurer, if the company has taken out cyber insurance.

There is a very important aspect here: forensic analysis also serves to determine whether the attackers are still inside the company network, a situation that, unfortunately, is very common, especially if after the incident the company is being financially blackmailed with the release of data that the criminals may have stolen.

In addition, the LGPD, in its article 48, requires the data controller to notify the National Data Protection Authority (ANPD) and the affected data subjects of the occurrence of a security incident that may entail a relevant risk or damage to the data subjects. This communication must be made within a reasonable time, in accordance with specific ANPD regulations, and must include information about the nature of the affected data, the data subjects involved, the technical and security measures used for data protection, the risks related to the incident and the measures that have been or will be adopted to reverse or mitigate the effects of the damage.

Based on this legal requirement, it is essential, soon after the initial analysis, to prepare a detailed report that includes all the information mentioned by the LGPD. Here too, forensic analysis helps to determine whether data was actually extracted and stolen to the extent that the criminals may be claiming.

This report must be reviewed by compliance professionals and company lawyers before being submitted to the ANPD. The legislation also requires the company to communicate clearly and transparently with the affected data subjects, explaining what happened, the measures taken and the next steps to ensure the protection of personal data.

Transparency and effective communication, incidentally, are key pillars during the management of a security incident. Management must maintain constant communication with internal and external teams, ensuring that all parties involved are informed about the progress of actions and the next steps.

Evaluation of security policies is necessary

In parallel with communication with stakeholders, the company should begin a process of evaluating and reviewing its security policies and practices. This includes re-evaluating all security controls, access rights and credentials with a high level of access, as well as implementing additional measures to prevent future incidents.

In parallel to the review and analysis of affected systems and processes, the company should also focus on the recovery of systems and the restoration of their operations. This involves cleaning all affected systems, applying security patches, restoring backups and revalidating access controls. It is essential to ensure that systems are completely safe before they are put back into operation.

Once systems are back in operation, a post-incident review is required to identify lessons learned and areas for improvement. This review should involve all relevant parties and result in a final report highlighting the causes of the incident, the actions taken, the impacts and recommendations for improving the security posture of the company in the future.

In addition to technical and organizational actions, managing a security incident requires a proactive approach to security governance and culture. This includes implementing a continuous program of cybersecurity improvements and promoting a corporate culture that values security and privacy.

The reaction to a security incident requires a set of coordinated and well-planned actions, aligned with the requirements of the LGPD. From initial containment and communication with stakeholders to system recovery and post-incident review, each step is essential to minimize negative impacts and ensure legal compliance. More than that, you need to look at the flaws head-on and correct them; above all, an incident should take the company's cybersecurity strategy to a new level.

E-Commerce Update (https://www.ecommerceupdate.org)
E-Commerce Update is a benchmark company in the Brazilian market, specializing in producing and disseminating high-quality content on the e-commerce sector.