We’ve been hearing a lot lately about the significant rise in cyber-attacks. The UK’s National Cyber Security Centre (NCSC) recently reported that 480 major cyber incidents required its attention this year – an average of 60 per month.
While this is an astronomical figure, it is likely to rise even further as organizations improve their detection efforts and increase their willingness to report attacks to organizations such as the NCSC. However, being able to detect attacks is only a small fraction of the process. Organizations must also be suitably prepared to defend themselves from potential attacks and respond effectively if an incident occurs. Only when we accept that it’s not a matter of if, but when, an attack will happen, can IT teams really adopt the right mindset to get their organizations ready to deal with future attacks.
Detection
Detecting an attack is crucial, but it’s even more important to identify potential threats before they become serious attacks and flag them in real-time for investigation. Having the right tools in place to do this could save a company millions in potential damages to both their revenue and reputation.
For example, if 50GB of sensitive data is being transferred from the main system and sent to an unknown location, getting an alert about it at the end of the day, after the data is gone, will not help; getting an alert as soon as suspicious activity is detected, however, could help an organization minimize the impact.
Staying on top of emerging threats requires the implementation of a seamless threat detection and response plan. To start with, identify assets that are most important to your organization – this could be sensitive data, servers, apps, networks—anything that could potentially put you out of business if it were compromised or forced offline.
Next, talk to the executive leadership team about the current security posture of the company, highlighting any key areas of concern and anomalies that could signal a potential incident. These relationships do not have be exclusively with the IT department; you should also forge links with your HR, legal and marketing teams to set up a cross-company strategy for dealing with the inevitable attack.
The harsh reality is that no number of security systems will be able to stop an attack; they can only reduce the risk that a company faces. The severity of an attack is therefore determined by how well a company can mobilize and respond to the threats they detect.
Battle Stations
Analyzing the best way to attack your security network should, in theory, help you stay one step ahead of would-be attackers. However, should an undetected vulnerability be exposed and your organization be breached, don’t panic. The top priority during each attack discovery and remediation is to make clear decisions and to act upon them.
Key steps include assessing the scope of an attack, locating the systems that require immediate attention, and beginning to prioritize the necessary response efforts. Get any unaffected systems back up and running, then focus on ‘stopping the bleeding’ by blocking the necessary network ports, and taking infected systems offline to prevent further damage. Implementing a security platform that can orchestrate several technologies and allow them to work together will make the whole process more efficient, especially if that system automatically quarantines the exploited software.
The personnel driving the response is just as important as the technology. When responding to a cybersecurity incident, IT teams will lead the technical aspects while executive assistance will be given by HR, legal and marketing departments to communicate with law enforcement and regulators, the media (if the incident is publicly visible) and customers (to offer advice or support).
Making It Out
The full cure for a cyber-attack can often be a long process, so it’s important to have a robust plan in place that will allow the business to keep running even while some systems are affected. Business continuity measures include having a full system backup and recovery so that business operations can continue.
For example, ransomware attacks could affect parts of your network and render some data and services unavailable. If manual processes are unavailable, having partnerships with similar organizations could allow you to outsource some business operations and continue trading.
Another important step is to exchange threat intelligence with peers to see what’s happening, understand how the attack works and determine what the best preventative measures are. Once you have identified and eliminated the root cause of the infection, the recovery can really begin.
The most important lessons to learn after an incident are how to prevent similar incidents from happening in the future. By planning for the worst now, you can expect a better outcome in the future. Stay aware of the risks and practice test runs so that you are fully prepared for the inevitable incident.
The last thing you want to be doing is responding to a breach by “making it up as you go”. The cyber-threat landscape is continually changing, and the need to be proactive and well informed about basic security best practices has never been greater. With the right preparations in place, you can considerably limit the risks to your organization.