How to Stay Out of the “Massive Breach” Headlines in Six Steps
“I fear you’ll be fired in a year or so.” I found myself saying these words to a new CISO after he enumerated the powerful, high-tech cyber-defenses he had swiftly erected around his organization’s critical assets. Why would I say such a thing?
Because of my son. When he was still a teenager, I naturally wanted to lock down our home’s technical infrastructure to prevent it from being infected by the wayward click of a curious youngster or any malicious intrusion. So, I diligently implemented every perimeter-protecting measure available, and I used my cybersecurity knowledge to strengthen them even more. And he, just as diligently, would try to penetrate them. He never failed; he always found a way around the security controls. There was only one way to beat him – shut down our internet. Only when we were entirely offline were we cyber secure.
Of course, “no internet” is really not an option. The offline household can hardly work, study, be informed, be entertained, or do much of any consequence. And it’s even less an option for that new CISO I mentioned above, whose company is doubtless even more dependent on the internet than my household. He has no way of preventing a cyberattack, no matter how much he reinforces his perimeter. If a teenager found a way in, imagine that CISO’s vulnerability to hordes of malicious actors all around the world, constantly besieging companies like his, fearless of consequences and driven by the powerful incentive of a financial windfall from a single hit. They only need to find one small opening – something as simple as an employee clicking on a phishing link, a laptop left unguarded, a legacy system missing a security update, or an admin tempted with a bribe – to launch CISO and company into the dreaded “breach” headlines.
Protectionism is dead. Long live response.
In today’s climate, organizations must assume a breach. It is unlikely you can prevent an attack, but you can prepare for the almost inevitable so that it is promptly spotted and isolated, mitigating the damage when it happens. That, as imperfect as it might seem to security experts schooled in prevention, is the pinnacle of cybersecurity excellence: an acceptance of the almost inevitable and meticulous preparation for it.
Why do I say “almost inevitable”? Because of numbers like these recently reported by McAfee and CSIS. Global losses from cybercrime now total more than $1 trillion, more than a 50% increase from 2018. IP theft and financial crime account for at least 75% of cyber losses and pose the greatest threat. The average cost of a breach is $4.24 million, a 10% increase from 2020 to 2021, accounting for the loss of business, cost of resources, and loss of brand reputation.
And here is one of the main reasons preventive measures are insufficient: Most significant data breaches are caused by human error. And humans are human, after all. Aiming to please, they respond to phishes that purport to be from someone they respect or wish to impress, without taking the time to validate it. They are curious. When something appeals to their interests, they are likely to click on it or visit an unsafe website. They may be generous in sharing their credentials or devices with someone they should not. They procrastinate installing their security updates or changing their passwords and get distracted from doing so.
So, in a company of hundreds or thousands of those imperfect, mistake-making humans, it only takes one mistake spotted by an alert malefactor – or an automated program incessantly scanning the cybersphere for holes – to bring on the ransomware, DDoS, IP theft, embarrassing exposure, release of PII, or other devastation. And yet, according to that same McAfee/CSIS report, 56% of organizations surveyed indicated they do not have a plan to prevent or respond to a cyber incident. Considering that it can take months to identify and contain a data breach, with some research showing anywhere from three to nine months, imagine how exposed those organizations are to whatever the bad actors have in mind for them.
If your organization is in that 56% with no plan, here’s your six-step process to keep your job and keep your organization out of the headlines.
- Adopt a Framework – By that, I mean just a set of best practices to identify where and how you are most at risk for breaches or compromising activity and reduce your exposure. Of course, you can build your own, but that takes time, which you really don’t have. There are a lot of great frameworks available, probably tailored to your sector, that will work for you with minimal effort.
- Trust No One – By now, this shouldn’t need explaining, but the truth is many cybersecurity professionals slip into the habit of believing that once somebody is inside the castle, they’re legitimate – they’re trustworthy. Long ago, I worked with a security company that provided physical “break-in” services. It had people pose as employees and attempt to access private facilities. What was amazing is that if someone looked the part and acted busy, they were never challenged. People could walk away with reports, books – even equipment. Once, a “fake employee” asked a security guard to help carry equipment out of the building. The guard helped wheel it out and load it into the person’s car. Mind you, that person had no company badge, and neither he nor the other employees he encountered had ever seen him before.
Outside of security, trusting others is something we inherently want to do. Wanting to live in safety, we hope to trust those we encounter, so when it comes to cybersecurity, it takes a mental paradigm shift to actively mistrust every person, every ping on the network, every text, email, or link. If you don’t make this mental shift before you have a breach, trust me (sorry), you definitely will once you find yourself reacting to one and discovering that too much “trusting” was going on in your network.
- Establish an Active Response Strategy – You can’t hope to protect your organization unless you have an Active Response Strategy (ARS), and it must be clearly and consistently communicated.
Keep in mind that many of the people on your crisis management and leadership teams are business people – not cyber experts or even IT experts. The language you use to communicate with them needs to be their language – not the jargon and acronyms that typify your own team’s communications.
And keep your ARS communication consistent and conversational – not just high-pitched warnings when risks or actual incidents arise. Business people need to feel comfortable asking you questions about it, even making their own suggestions. And you need to have a positive working relationship with them. You don’t want them to dread a call from you – perceiving any outreach as bad news. Instead, reach out to them to ask questions, get advice, run ideas past them, or make them aware of something to prevent it from turning into an incident.
To develop your ARS, you need to understand the Cyber Kill Chain created by Lockheed Martin. It breaks down the seven steps an attacker (human or automated) goes through to conduct an attack so that you can understand how they operate, recognize their signs, and defend against them.
The first step is reconnaissance. Every breach starts with an attacker performing network reconnaissance. So you might think that an IT team would be on high alert for any evidence of recon being performed on their network. But I suggest you check with your IT team. Ask them how many of their user accounts, computers, or servers are authorized to perform network recon. The answer is going to be zero or close to it. Then ask them to look back and see how many network recon incidents have occurred on your network. I think you’ll be shocked. And remember, network reconnaissance is the number one indicator of a developing breach.
The next thing you’ll want to understand is isolation – how any sign of a breach calls for instant isolation of that user account or device – even if it belongs to your CEO. Which would you rather tell your CEO? “We took you offline because something happened, and we’re investigating it.” Or, “Nine months ago, something happened to your account, and everything you’ve done since then is all over the Internet.”
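The look-back suggested above (which sources are authorized to perform recon, and which ones actually did) can be run over flow logs, and its output is the list of devices to isolate. The following is an added example, not part of the original article; the record format, addresses, scanner allowlist, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Assumptions for this sketch (not from the article): flow records reduced to
# (epoch_seconds, src_ip, dst_ip, dst_port); addresses and thresholds are made up.
AUTHORIZED_SCANNERS = {"10.0.5.10"}  # hypothetical vulnerability scanner
WINDOW_S = 300                       # sliding window per source, in seconds
MIN_TARGETS = 20                     # distinct (host, port) pairs that count as a sweep


def find_recon(flows, authorized=AUTHORIZED_SCANNERS,
               window_s=WINDOW_S, min_targets=MIN_TARGETS):
    """Return {src: peak distinct targets in any window} for unauthorized sweepers."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if src not in authorized:
            by_src[src].append((ts, (dst, port)))
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        counts, start, peak = defaultdict(int), 0, 0
        for ts, target in events:
            counts[target] += 1
            while ts - events[start][0] > window_s:  # expire events outside the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            findings[src] = peak
    return findings


def sample_flows():
    """Constructed data: a workstation and the scanner sweep port 445; one normal client."""
    flows = []
    for i in range(1, 41):  # 40 hosts in 80 seconds
        flows.append((2 * i, "10.0.8.23", f"10.0.9.{i}", 445))
        flows.append((2 * i, "10.0.5.10", f"10.0.9.{i}", 445))
    for i in range(30):     # same three services every 10 minutes
        for dst, port in (("10.0.1.5", 443), ("10.0.1.6", 53), ("10.0.1.7", 389)):
            flows.append((600 * i, "10.0.8.40", dst, port))
    return flows


if __name__ == "__main__":
    for src, peak in find_recon(sample_flows()).items():
        print(f"unauthorized recon: {src} reached {peak} targets; isolate and investigate")
```

A sweep spread out more slowly than the window stays under the threshold, so the window and threshold need tuning against your own traffic.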
- Build Advocacy for Clear Communication
Since we’ve already established the near-inevitability that you’ll be breached, what is one of the first things your C-officers will want to have at hand? Statements. What to tell the press. What to tell customers. Investors, the board, employees, regulators, vendors, partners – maybe even competitors who can help.
If the first time you’re building out your communications is in the middle of the crisis, you will make a mess of it. It needs to be done when all is calm. Corporate crisis and communications teams need to collaborate in advance to create breach scenarios and “holding statements” for those who will need them. Then when you’re dealing with a real scenario, you’re not asking executives to wordsmith some of the most important statements they will ever make.
- Practice Cyber Events Regularly
You can’t just have a written response plan ready to pull out when a breach occurs. You have to practice regularly – and sincerely, not in a perfunctory, check-the-box way. With regular practice, once the crisis occurs, everybody knows their lane, knows their part, carries it out, gets it done – and quickly.
That’s not the only purpose of practice. It’s also to find flaws. If you’re practicing right, you’re always finding things to do better. Practice lets you see in advance any deficiencies that need correcting in your processes, techniques, infrastructure, or policies.
Remember, there is learning in the failures. You will learn how your people handle stress and how they handle failure – critical things to know about your people.
- Continue to Learn and Evolve
The more you practice, study other breaches and how the breached organizations dealt with them, and pay attention to how your own people respond and the feedback they give you, the more you will learn. You will not only increase your response capabilities, but your programs will evolve. You will discover gaps that you can close before they cause a disaster during an actual incident.
In a previous company as a consultant, I would lead clients in cybersecurity tabletop exercises – simulating a breach of one kind or another in a low-stress environment, clarifying roles and responsibilities, identifying additional preparation or mitigation needs, and continuing to improve the ARS plan. Part of the exercise was to call predefined individuals and leave the pre-scripted voicemail, “This is a tabletop exercise…we are calling to notify you…here is what you would do now, if this were an actual incident, etc.”
After one such exercise that seemed to go well, I returned home, only to receive a panicky call from the CEO with a terse, “We have a problem, come back immediately!” It turned out that after listening to the voicemail and noting that the tabletop “breach” was disclosable, the PR person had promptly written a press release to disclose the “news” and hadn’t run it past the CEO, legal, or the board before issuing it. You can be sure some fast “learning and evolving” took place there.
Cyberattacks are and will continue to be a lucrative business and a favorite weapon of hostile nation-states, terrorists, organized criminals, and loners with a laptop whose success depends on exploiting other people and their systems. Their numbers are growing along with the sophistication of their techniques. Preventive measures should be rigorously implemented and updated, but relying on them will never be safe. The only reliable countermeasure is excellent preparation for a rapid response.