As organizations around the world begin to take cybersecurity threats more seriously, large-scale attacks like the recent breach of a major credit reporting agency seem to be happening more frequently. At the same time, there’s increased focus on who’s responsible for security vulnerabilities.
The aforementioned Equifax attack exposed the personal data of as many as 143 million Americans, triggered a lawsuit by the state of Massachusetts as well as at least 50 class-action suits, Federal Trade Commission and FBI investigations and questions from a Senate oversight committee.
Also in September, one of the world’s largest accounting firms disclosed an attack that breached its internal email system, and a well-known U.S. regulatory body revealed that hackers had gained access to information that could have given them an unfair trading advantage. In the wake of these attacks, we must accept that almost anyone can be hit, which means we all have to be prepared.
Don’t blame the victim
As I’ve written before, it’s crucial not to blame the victim in a cyberattack. Pointing the finger at the perceived weakest links in the chain of the organization can encourage them to hide breaches, or try to fix things themselves. This kind of suppression of information and awareness can be devastating for cybersecurity.
Basically, “blame the victim” and finding the “bad guy” inside the company does no good and only fosters a mentality of “pretend it doesn’t exist,” especially in a layered bureaucracy. Today, data has more value than physical objects and crosses not only corporate boundaries but national borders. That means we need a new mentality of reporting incidents quickly, and without blame. If a stranger without a badge wanders into a company, it will provoke a response from today’s workers. Similarly, suspicious data has telltale signs that we need to report immediately: it’s better to be safe than sorry.
Read the signs
Awareness of the basic stages of a cyberattack can help foster a culture of vigilance and communication. Criminals don’t simply exploit an unpatched vulnerability and then grab the data and run. They have to traverse a gauntlet of security measures in today’s IT-dependent organizations. This process is known as the attack lifecycle, a model that describes the tasks an adversary group must accomplish in order to complete its mission. The adversary must first reconnoiter for victim weaknesses; this is the part that is often automated and done broadly. After a vulnerability is found, the initial attack is delivered, and once the victim is compromised, a command and control channel is established while the attacker moves through the internal networks to create additional footholds from which to attack.
It’s important to remember that for an attack to succeed, these last few steps are not only crucial but also take time to execute manually. Thus it is important for organizations not only to put automated prevention and detection systems at these various stages, but also to create a culture where people will quickly notify security if there’s any unusual or suspicious activity at these stages. Time is of the essence, but there are actually many opportunities to catch an attacker.
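The stages described above each leave a behavioural trace that can be checked automatically. The following is an added example, not code from the original article or from any product it mentions: a small Python triage script run over a constructed connection/authentication log (the log format, hostnames and thresholds are all assumptions chosen for illustration). It keys one detector to each of three lifecycle stages: broad port probing for reconnaissance, regular beacons to one external host for command and control, and one internal host authenticating to many others in a short window for lateral movement.

```python
"""
Stage-aware triage over a constructed event log.

Added example, not from the original article. The log format
("<ISO timestamp> <kind> <src> <dst> <port>", kind in {conn, auth}),
the addresses and the thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.5 probes 10.0.0.7 (reconnaissance),
# 10.0.0.7 then beacons to 198.51.100.9 every 60 s (command and control)
# and authenticates to four internal hosts in a few minutes (lateral
# movement). 10.0.0.3 is benign noise that should not trigger anything.
SAMPLE_LOG = """\
2017-09-01T10:00:00 conn 203.0.113.5 10.0.0.7 21
2017-09-01T10:00:01 conn 203.0.113.5 10.0.0.7 22
2017-09-01T10:00:02 conn 203.0.113.5 10.0.0.7 23
2017-09-01T10:00:03 conn 203.0.113.5 10.0.0.7 25
2017-09-01T10:00:04 conn 203.0.113.5 10.0.0.7 53
2017-09-01T10:00:05 conn 203.0.113.5 10.0.0.7 80
2017-09-01T10:00:06 conn 203.0.113.5 10.0.0.7 110
2017-09-01T10:00:07 conn 203.0.113.5 10.0.0.7 143
2017-09-01T10:00:08 conn 203.0.113.5 10.0.0.7 443
2017-09-01T10:00:09 conn 203.0.113.5 10.0.0.7 445
2017-09-01T10:00:10 conn 203.0.113.5 10.0.0.7 3389
2017-09-01T10:00:11 conn 203.0.113.5 10.0.0.7 8080
2017-09-01T10:05:00 conn 10.0.0.3 10.0.0.7 80
2017-09-01T10:07:00 conn 10.0.0.3 198.51.100.20 443
2017-09-01T10:30:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:31:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:32:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:33:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:34:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:35:00 conn 10.0.0.7 198.51.100.9 443
2017-09-01T10:36:00 conn 10.0.0.3 198.51.100.20 443
2017-09-01T10:40:00 auth 10.0.0.7 10.0.0.11 445
2017-09-01T10:41:00 auth 10.0.0.7 10.0.0.12 445
2017-09-01T10:42:00 auth 10.0.0.7 10.0.0.13 445
2017-09-01T10:43:00 auth 10.0.0.7 10.0.0.14 445
2017-09-01T10:44:00 auth 10.0.0.3 10.0.0.7 445
2017-09-01T11:10:00 conn 10.0.0.3 198.51.100.20 443
"""


def is_internal(ip):
    # Assumption: the internal network is 10.0.0.0/8.
    return ip.startswith("10.")


def parse_log(text):
    """Parse the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst, port = line.split()
        events.append({"t": datetime.fromisoformat(ts), "kind": kind,
                       "src": src, "dst": dst, "port": int(port)})
    events.sort(key=lambda e: e["t"])
    return events


def max_distinct_in_window(pairs, window_s):
    """Largest number of distinct values seen within any window_s-second
    span of a time-sorted list of (timestamp, value) pairs."""
    best, counts, lo = 0, Counter(), 0
    for t, v in pairs:
        counts[v] += 1
        while (t - pairs[lo][0]).total_seconds() > window_s:
            old = pairs[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_recon(events, min_ports=10, window_s=60):
    """Reconnaissance: one source touching many ports on one host quickly."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_pair[(e["src"], e["dst"])].append((e["t"], e["port"]))
    return sorted(pair for pair, pairs in by_pair.items()
                  if max_distinct_in_window(pairs, window_s) >= min_ports)


def detect_beaconing(events, min_count=5, max_jitter_s=5):
    """Command and control: repeated outbound connections to one external
    host at a near-constant interval. Returns (src, dst, interval_s)."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and is_internal(e["src"]) and not is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["t"])
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            hits.append((src, dst, round(sum(gaps) / len(gaps))))
    return sorted(hits)


def detect_lateral(events, min_targets=3, window_s=300):
    """Lateral movement: one internal host authenticating to many others."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and is_internal(e["src"]) and is_internal(e["dst"]):
            by_src[e["src"]].append((e["t"], e["dst"]))
    return sorted(src for src, pairs in by_src.items()
                  if max_distinct_in_window(pairs, window_s) >= min_targets)


def triage(log_text):
    """Run every stage detector and return findings keyed by lifecycle stage."""
    events = parse_log(log_text)
    return {"reconnaissance": detect_recon(events),
            "command_and_control": detect_beaconing(events),
            "lateral_movement": detect_lateral(events)}


if __name__ == "__main__":
    for stage, hits in triage(SAMPLE_LOG).items():
        print(f"{stage}: {hits}")
```

Each detector fires on a different stage of the same intrusion, which is the practical point of the lifecycle model: even after the initial compromise succeeds, the beaconing and the spread to other hosts are separate, later chances to notice and report it. The thresholds are deliberately simple; in production they would be tuned against the organization’s own baseline, and a human who reports “my machine is authenticating to hosts I never use” is as valid a sensor as the script.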
It’s not game over if your system gets penetrated, but it might be if you don’t properly communicate this fact in a timely manner. You should also communicate how further damage was mitigated and whether actual data loss occurred because of this quick action. Thus, it’s critical in this day and age that we not only be ready for cyberattacks but we also rehearse for them and other, related scenarios. Because they will happen.
The following is a short list of absolute must-have preparations in place to deal with cyberattacks.
1. The organization must have an executive chief information security officer (CISO), or a role with an equivalent function, who regularly updates, if not reports into, the board. He or she must be responsible for overall cybersecurity, with regular and direct reporting to the board’s audit and/or risk committee.
2. Every organization must have an incident response (IR) plan that is developed by internal and external IR team members. The members must periodically tabletop, refine, and update the plan to keep it current for any possible eventuality.
3. It’s essential to carry out training and education programs on cybersecurity awareness and response for employees as well as the security team.
4. Vendors and contractors should not be the weakest link in organizational security, but they often are. Many attacks penetrate via a supplier, contractor or even law and accounting firms. Organizations should ensure their partners are also protecting themselves and not being used as beachheads for groups launching attacks. Some of the biggest breaches in recent years have involved weak links in third party vendors.
5. The security team should carry out regular cybersecurity simulations or tabletop exercises to rehearse response efforts and prepare for the eventual crisis.
6. The organization must retain forensics, legal and public relations experts to provide the board and stakeholders with all the information they need about a breach.
7. Cyber insurance should be considered since it will become increasingly prevalent. It will become second nature for companies to have insurance that will cover the costs of forensic analysis, legal services, public relations, credit monitoring, litigation and regulatory requirements if and when a breach were to occur.
When it comes to cybersecurity, complacency is your enemy. To minimize your risk of attack, review your security posture and culture and make the necessary changes. There are many bad guys out there trying to get their hands on valuable data, but instituting the proper precautions can make their mission a lot more difficult and, hopefully, not worth the trouble.