How to: Spot an infection and act quickly

Welcome to our first ‘How-to’ article in a new series designed to outline simple actions you can take to improve resilience. We’ll publish a new one every month. Feel free to get in touch with us if there’s anything you’d like to see explained by our expert team.  

Detecting the early signs of infection in your IT systems and responding swiftly is crucial to minimising damage. 

Infection is when malicious software enters your environment and computer systems are potentially harmed or altered through malicious programming intended to cause significant damage. That can include ransomware, corrupting data, and phishing. Being aware of the signs and risks is crucial for several reasons: detecting threats, preventing loss and damage, and safeguarding sensitive information.

It also empowers your organisation to take proactive steps in maintaining data privacy and securing your digital environment. 

Indicators of infection

  1. Unusual system behaviour, e.g., a change in privileged user accounts, which can indicate someone is using them to gain access to the company’s network.
  2. Messages from your antivirus software indicating a problem.
  3. Restricted access to platforms or data. For example, not being able to access your start menu or documents.
  4. A higher volume of emails coming from specific accounts.
  5. Unfamiliar network traffic or file encryption, e.g., uploads of large files to a personal cloud application or USB drive.

How do you act quickly?

  1. Detection 
  2. Isolation
  3. Cyber forensics 
  4. Recovery: Invoking your Disaster Recovery Plan 

Once an infection is detected and confirmed, your first action should be to make the IT team aware of the issue so they can begin isolating and containing it. The IT team should be involved throughout the process until the issue has been resolved and the Disaster Recovery Plan has been utilised.

If the system is on a network, unplug and disconnect all connecting cables, to break communication. These actions should prevent further digital transmission.  

The next stage would be the Cyber Forensic process, which should be carried out in conjunction with relevant third parties, like your insurance company.

The Cyber Forensic process helps identify, collect, and store evidence of the breach to help understand your situation. Cyber forensic experts will focus on finding the extent of the breach, and how the infection occurred. 

You would then proceed to the recovery process, referring to your Cyber Incident Response Plan as the guide for your organisation.   

Your plan should include an identification of the most critical workloads to prioritise for restoration, as outlined in your Disaster Recovery Plan. The Disaster Recovery planning process aids in identifying potential vulnerabilities within the organisation. You can look at our guide on How to write a Disaster Recovery Plan for more information.

Prevention is better than cure

Preventing malware infections saves time and resources, and mitigates potential damage:

  1. Make sure everyone in your organisation knows how to spot a phishing scam and how to recognise a potentially harmful link.  
  2. Firewalls, antivirus software, and regular data backups can safeguard against threats, so check regularly that these are up to date.
  3. Keep your operating system updated.
  4. Don’t click on pop-up ads.
  5. Enable two-factor authentication and change your passwords regularly.  
  6. Using your antivirus software, run regular scans to spot anything that might be less obvious.  

To learn more about recovering from Ransomware, check out our video detailing lessons we’ve gained from 100+ Ransomware attacks.

Ultimately, organisations must prioritise investing in employee training to ensure a proactive approach to security within all departments. A strong focus on prevention and recovery processes is key to maintaining a resilient and secure environment. 

Visit us:

Address:

Databarracks Ltd
1 Bridges Court
London
SW11 3BB
