Sadly, it is no longer a question of if you will be attacked, but a case of when. If you haven’t been breached, it’s only because you don’t know that it has happened yet. Should you find yourself asking, “we have been attacked, now what?”, then you are already in too deep. Every organisation should have a plan of action ready for their next attack in order to respond and recover as quickly and efficiently as possible, limiting the financial, operational and business impact.
Last week’s InfoSecurity Europe 2015 at Olympia, London was home to many talks and presentations, including a particularly insightful discussion named “You’re Under Cyber Attack. Now What?” During this discussion, a panel of security experts advised on the measures which organisations should have in place to mitigate the risks and ensure that they are able to withstand the impact of a breach.
- Chris Gibson, Director, CERT-UK
- Tom Mullen, Head of Cyber Response & IT Security, Telefónica UK
- Jon Townsend, Head of Cyber Intelligence and Response, Department for Work and Pensions
- Dave Clemente, Senior Research Analyst, Information Security Forum
Below, compiled from the InfoSecurity Keynote discussion, is a checklist of the critical measures which organisations must adopt before, during and after an attack in order to minimise potential damage.
Before an Attack
- Use automated tools and have a security company on call. Make sure you use a company with good credentials. Although this may seem expensive, it will save the company money in the long run. However, you must also make sure you understand what this company is doing and the security measures it has in place.
- Asset Management. Do you know how many assets you have, where they are located and who is responsible for them?
- Vulnerability Management. Keep systems up to date and discover what makes you vulnerable. What are your crown jewels? Whatever is most valuable to your business is what makes you most vulnerable.
- Monitor the news. Just like a human virus, if an attack has been reported, look out for symptoms on your system. If the attack was due to an unpatched vulnerability, check that your network doesn’t have the same vulnerability.
- Staff training. Teach staff how to minimise risks, for example by recognising phishing emails. The HR department should also monitor staff to minimise the insider threat from disgruntled employees.
- Identify the critical elements of an effective incident response plan, ranging from the actions which the IT team will need to take, to releasing a PR statement. If there is no plan in place and panic occurs, this will not only sabotage effective recovery, but also affect a court case.
- If dealing with a partner/supplier, make sure security is in the contract and then physically check that the company is abiding by these rules.
The supply chain often serves as a vector for a breach. Regardless of how secure your own network is, if a supplier has vulnerabilities, these will be breached at your expense. Unfortunately, organisations often neglect such security measures as they think it may not be feasible to check each supplier. The key to minimising such risks is making sure that suppliers do not have access to any more information than is absolutely necessary. Following the appropriate checks of suppliers, it is vital to work with them to patch any vulnerabilities rather than beating them with a contract because ultimately, by helping them, you are also securing your own organisation.
During an Attack
- Document everything, even the rationale for making decisions. This will provide valuable information for your own investigation as well as for a court case.
- Investigate whether a breach has actually occurred.
- Find the balance between forensic investigation and getting the business running again for customers.
- Do not rely on cyber insurance to take the responsibility. You have an obligation to your customers. In order to get cyber insurance you must first demonstrate a good level of cyber security. The better your security, the cheaper the insurance will be.
After an Attack
- Reflect on the actions and processes you took: Did they work? Can anything be done more effectively?
- Release a well thought out PR statement, while also considering breach disclosure requirements and what they mean for your organisation.
Falling victim to a cyber-attack has many negative implications for an organisation, including financial loss, a drop in share price, reputational damage and public distrust. Therefore, the way an organisation handles a breach is vital in minimising such damage. Too often, clichéd PR statements are released. Every attack seems to be “sophisticated” and “unprecedented”. The truth is, most attacks do not start in a very sophisticated or unprecedented way. Usually, something as simple as opening a phishing email is enough to snowball into a detrimental attack. People are tired of hearing the same excuses over and over, and such evasion of responsibility can actually result in a loss of confidence from the public. Instead, a truthful statement should be released, explaining what happened and what actions have been taken, as far as it is safe to reveal.
Although this may seem daunting, don’t be disheartened by the alarming forecast of cyber-attacks. By carefully implementing these steps you will be on your way to a much safer network and prepared to overcome the challenge of a breach with minimal damage.
By Iva Kuosseva