Cyber security breach detection
It's not always easy to tell if your business has experienced a cyber security breach. Attackers use a variety of ways to avoid detection and stay in your system long enough to harvest as much data as possible.
Sometimes, it can take months - and often longer - to realise that an attack has taken place. By that stage, attackers might have already caused significant damage to your business or customers. See impact of cyber attack on your business.
How to detect a security breach
Detecting cyber attacks is a challenge even for the experts, but certain warning signs could indicate that a cyber breach or intrusion is underway. For example:
- suspicious network activity (eg strange file transfers or login attempts)
- sudden changes to critical infrastructure or system passwords and accounts
- suspicious files in your system, which may or may not have been encrypted
- suspicious banking activities and transactions
- inexplicable loss of access to your network, email or social media accounts
- leakage of customer details, client lists or company secrets
- unusually slow internet connections and intermittent network access
- error signs or warnings in browsers, anti-virus or anti-malware tools alerting you to infections
See how to detect spam, malware and virus attacks.
If you have a business website, you should monitor it for any anomalies that suggest an attack may be in progress. For example:
- unexplained inconsistencies or questionable extras in your code
- problems with administrative logins or accessing management functions
- unexplained changes in traffic volume (eg sudden and drastic drop)
- unexplained changes in the design, layout or content of your site
- performance issues affecting the availability and accessibility of your website
Criminals are constantly finding new ways to exploit vulnerabilities, so it's important to be aware of current and emerging threats. See the latest cyber threat alerts from the National Cyber Security Centre (NCSC).
Recently, there has been an increase in malicious cyber activity relating to COVID-19. You should take steps to protect yourself and your business against these threats.
Check NCSC weekly threat reports and the advisory on cyber exploitation of the coronavirus pandemic.
Breach detection systems
Breach detection tools (also known as intrusion detection tools) can help identify threats inside your network. They are either software or hardware products capable of recognising active threats and alerting relevant security staff that they need to take action. For example, you can set up these tools to monitor the network and send an alert if they detect:
- suspicious user behaviour
- vulnerabilities in the network
- threats in applications and programs
These tools focus on identifying intrusions after they happen, containing and controlling the breach, and mitigating the damage. Many different products exist in the market, from open source tools to commercial packages. Read more about business data breach and theft.
How to contain and control a cyber breach
Security and data incidents are becoming a daily norm for many businesses. No single product or method will give you a 100 per cent guarantee that your business' cyber defences will hold.
Before you detect an intrusion, you should consider and decide in advance how you will manage your response. Develop a comprehensive cyber security incident response plan to help you contain and recover from any potential breach.
To help you prepare for and plan your response to a cyber incident, consult the NCSC's small business guide to response and recovery.
You can also use the NCSC's online tool 'Exercise in a Box' to help you find out how resilient you are to cyber attacks and to practise your response in a safe environment.
After you detect an intrusion or realise that a crime has been committed, you should report it to the relevant authorities. See how to report a cyber crime.