In today’s climate, organizations must assume a cybersecurity breach. It is unlikely you can prevent an attack. Still, you can prepare for the almost inevitable so it will be promptly spotted and isolated to mitigate the damage when it happens. That, as imperfect as it might seem to security experts schooled in prevention, is the pinnacle of cybersecurity excellence: an acceptance of the almost inevitable and meticulous preparation for it.
Why do I say, “almost inevitable?” Because of numbers like these recently reported by McAfee and CSIS. Global losses from cybercrime now total more than $1 trillion, more than a 50% increase from 2018. IP theft and financial crime account for at least 75% of cyber losses and pose the greatest threat. The average cost of a breach is $4.24 million, a 10% increase from 2020 to 2021, accounting for the cost of resources and loss of business and brand reputation.
And here is one of the main reasons preventive measures are insufficient: Most significant data breaches are caused by human error. And humans are human, after all. Aiming to please, they respond to phishes that purport to be from someone they respect or wish to impress without validating it. They are curious. When something appeals to their interests, they are likely to click on it or visit an unsafe website. They may be generous in sharing their credentials or devices with someone they should not. They procrastinate installing their security updates or changing their passwords and get distracted.
So, in a company of hundreds or thousands of those imperfect, mistake-making humans, it only takes one mistake spotted by an alert malefactor – or an automated program incessantly scanning the cybersphere for holes – to bring on the ransomware, DDOS, IP theft, embarrassing exposure, release of PII, or other devastation. And yet, according to that same McAfee/CSIS Report above, 56% of organizations surveyed indicated they do not have a plan to prevent or respond to a cyber incident. Considering that it can take months to identify and contain a data breach, with some research showing anywhere from three to nine months, imagine how exposed those organizations are to whatever the bad actors have in mind for them.
Protectionism is dead. Long live response.
If your organization is in that 56% with no plan, here’s your six-step process to keep your organization out of the headlines.
- Adopt a Framework – To identify where and how you are most at risk for breaches or compromising activity and to reduce your exposure, adopt one of the many best practice frameworks available. You can build your own, but that takes time, which you really don’t have. There are a lot of great frameworks available, probably tailored to your sector, that will work for you with minimal effort.
- Trust No One – By now, this shouldn’t need explaining, but the truth is that many cybersecurity professionals believe that once somebody is inside the castle, they’re legitimate – they’re trustworthy. Outside of security, trust is something we inherently want to do. Wanting to live safely, we hope to trust those we encounter, so when it comes to cybersecurity, it takes a mental paradigm shift to actively mistrust every person, every ping on the network, every text, email, or link. If you don’t make this mental shift before you have a breach, you definitely will once you find yourself reacting to a breach and discovering that too much “trusting” was going on in your network.
- Establish an Active Response Strategy – You can’t hope to protect your organization unless you have an Active Response Strategy (ARS), which must be clearly and consistently communicated.
Remember that many of the people on your crisis management and leadership teams are business people – not cyber experts or even IT experts. The language you use to communicate with them needs to be their language – not the jargon and acronyms that typify your own team’s communications.
And keep your ARS communication consistent and conversational – not just high-pitched warnings when risks or incidents arise. Business people need to feel comfortable asking you questions about it, even making their own suggestions. And you need to have a positive working relationship with them. You don’t want them to dread a call from you – perceiving any outreach as bad news. Instead, reach out to them to ask questions, get advice, run ideas past them, or make them aware of something to prevent it from becoming an incident.
To develop your ARS, you need to understand the Cyber Kill Chain created by Lockheed Martin. It breaks down the seven steps an attacker (human or automated) goes through to conduct an attack so that you can understand how they operate, recognize their signs, and defend against them.
The first step is reconnaissance. Every breach starts with an attacker performing network reconnaissance. So you might think an IT team would be on high alert for any evidence of recon being performed on their network. But I suggest you check with your IT team. Ask them how many of their user accounts, computers, or servers, are authorized to perform network recon. The answer is going to be zero or close to it. Then ask them to look back and see how many network recon incidents have occurred on your network. You may be shocked. And remember, network reconnaissance is the primary indicator of a developing breach.
The next thing you’ll want to understand is isolation – how any sign of a breach calls for instant isolation of that user account or device – even if it belongs to your CEO. Which would you rather tell your CEO? “We took you offline because something happened, and we’re investigating it.” Or, “Nine months ago, something happened to your account, and everything you’ve done since then is all over the Internet.”
- Build Advocacy for Clear Communication
Since we’ve already established the near-inevitability that you’ll be breached, what is one of the first things your C-officers will want to have at hand? Statements. What to tell the press. What to say to customers. Investors, the board, employees, regulators, vendors, partners – maybe even competitors who can help.
If the first time you’re building out your communications is in the middle of a crisis, you will make a mess of it. It needs to be done when all is calm. Corporate crisis and communications teams need to collaborate in advance to create breach scenarios and “holding statements” for those who will need them. Then when you’re dealing with a real scenario, you’re not asking executives to wordsmith some of the most important statements they will ever make.
- Practice Cyber Events Regularly
You can’t just have a written response plan ready to pull out when a breach occurs. You have to practice regularly – and sincerely, not in a perfunctory, check-the-box way. With regular practice, once the crisis occurs, everybody knows their lane, knows their part, carries it out, and gets it done quickly.
That’s not the only purpose of practice. It’s also to find flaws. If you’re practicing right, you’re always finding things to do better. Practice lets you see in advance any deficiencies that need correcting in your processes, techniques, infrastructure, or policies.
Remember, there is learning in the failures. You will learn how your people handle stress and failure – critical things to know about your people.
- Continue to Learn and Evolve
The more you practice, the more you study other breaches, how the breached organizations dealt with them, how your own people respond, and the feedback they give you, the more you will learn. You will increase your response capabilities, and your programs will evolve. You will discover gaps that you can close before they cause a disaster during an actual incident.
Consider holding cybersecurity tabletop exercises – simulating a breach of one kind or another in a low-stress environment, clarifying roles and responsibilities, identifying additional preparation or mitigation needs, and improving the ARS plan. Part of the exercise can be to call predefined individuals and leave a pre-scripted voicemail, “This is a tabletop exercise…we are calling to notify you…here is what you would do now if this were an actual incident, etc.” However, be sure all people know that this is only a simulation! You don’t want someone acting on the information, triggering a series of unfortunate and perhaps irrevocable mistakes.
Cyberattacks are and will continue to be a lucrative business and a favorite weapon of hostile nation-states, terrorists, organized criminals, and loners with laptops whose success depends on exploiting other people and their systems. Their numbers are growing along with the sophistication of their techniques. Preventive measures should be rigorously implemented and updated, but relying on them will never be safe. The only reliable countermeasure is excellent preparation for a rapid response.