is not a nice-to-have. The illusion of Cyber Security is gone. Cyber Security incidents will disrupt your business. As leaders, we are responsible for doing business confidently, knowing that when unplanned events (like cyber attacks) disrupt our business, our employees, partners, and clients can count on us to lead the way through.
Firewalls and antivirus are not a plan anymore; they are doors and windows that are quickly circumvented. Expecting criminals to keep off of our networks is foolish. No one ever knows the moment they’ve been hacked. We find out much later, after our networks have been compromised over long periods of time. It’s no longer about the illusion of keeping threats out of our network. It’s about how quickly we can respond to attacks when they occur. It’s about Resilience Strategy.
Here are some important things we should do, using what we already have in place in our offices and homes, technology-wise:
UNDERSTAND OUR NETWORK
Responding to an incident without an adequate understanding of our network is an exercise in frustration and can make us appear incompetent to our own employees, partners, and clients. How can we possibly determine whether activities are suspicious if we don’t know where to look? When something happens, how will we isolate and mitigate an attack without the knowledge to do so effectively, short of just “shutting everything down”?
Incident response typically consists of identifying the source and shutting it down, but that’s not enough. Without a complete understanding of our network and associated resources, we cannot determine whether other systems were infected before the most obvious threat was shut down. When an attack occurs, the ability to discover lateral movement and stop the spread of an infection is critical; otherwise it leads to deeper data breaches and more costly risks.
Obtaining thorough knowledge and documentation of our network, both internal and external, is challenging. Cloud architectures and mobile technologies add complexity to the task. There are tools and methodologies to help us do this quickly, but it must be done with intention and care.
The data these tools produce needs to be collected, analyzed, and stored over the long term to provide value for audit trails and actionable intelligence. Done according to best practices, using the right tools, this makes finding needles in haystacks more efficient and less frustrating, and helps us sleep better at night. Building documentation about the network from this information is well worth the investment of time and resources. It helps us swiftly detect and respond to attacks. Don’t rely on others to inform us that our network has been compromised.
HAVE THE RIGHT EXPERTISE ON THE TEAM
Most security experts are not necessarily experts at incident response. Organizations need staff or consultants skilled at responding to incidents. An incident response team that includes someone intimately familiar with our network environment will produce more relevant, accurate information faster and enable us to properly respond to an incident when needed.
For an incident response plan to be effective, it also needs to include everyone. Other departments will potentially be impacted and should play a role in planning for incidents before they happen. Bringing these departments up to speed on how best to respond in the event of an incident is important. No one wants to wait until a breach occurs. No one enjoys scrambling to figure out what to do when time is of the essence.
SHARE WHAT WE LEARN
Budgets are always tight. The budget for something like this is there, just typically not allocated ahead of time. Establishing a formal budget for Resilience Strategy requires that we prove its value to the organization. Need help translating the technical stuff into formal business relevance when the time comes? Get in touch. We are experts at this.
Management teams need to be kept in the loop when it comes to staying educated about the current threat landscape, eliminating preventable risks, and planning. We’re all smarter when we share our areas of expertise and, in doing so, make the Web a safer place to do business. Not to mention, if our management team has no idea what is going on, and we don’t take the time to inform them, then there’s little hope they will support us in these mission-critical efforts. That puts everyone’s livelihood at risk.
HAVE A CONCRETE PLAN
We also need a concrete, actionable plan. Not having one results in everyone running around making hasty, uninformed decisions in the midst of a crisis, and that is never good. A documented Resilience Strategy that very clearly delineates roles and approved procedures for handling an incident is the goal. Resilience Strategy planning will ask and answer questions like: Is the team authorized and enabled to take services offline during an attack? Are such actions permitted when necessary? What legal, regulatory, and contractual requirements need to be observed when a breach is discovered? It is critical to have these answers in writing and approved by the collective before an incident happens.
BUILD POLICIES TO FIT OUR CULTURE
Resilience Strategy is not one-size-fits-all. Context is key to building it well. Make sure to take into account the specific types of critical assets, processes, and roles, where they’re located, our overall risk tolerance, and how much leeway and latitude our response team will have to make major decisions that involve changes to our technology infrastructure. Resilience Strategy needs to strike a balance: policies in place to ensure that the right decisions can be made in a crisis, without so many layers of approval that they lose their efficacy. Protect the cultures we’ve built by building a Resilience Strategy that uses allies as assets, rather than choking the culture into submission to unrealistic expectations.
FOCUS ON THE RIGHT THINGS
Focus on protecting what is most valuable. No one can protect everything all the time, so it is critical to understand where our organization’s owned risk really lies. Knowing which assets have the biggest impact if taken down by a broad spectrum of cyber attacks is key. Give thought to the types of scenarios that would put those assets at the most risk.
PROPERLY CONFIGURE DEVICES FOR OUR NETWORK
Improperly configured devices on our networks account for more than 75% of breaches that involve those types of cyber attacks. The maximum value of network devices is almost never achieved. Busy IT teams often hurriedly deploy devices with default configurations, fresh out of the box. Too many organizations do this, and it is an avoidable risk.
Today’s complex network infrastructures require that devices are tuned with intention according to the size and need of the infrastructure they are attached to, their purpose, and more. These devices need to be consistently tuned, updated, and reconfigured as our needs change and as the threat landscape continues to evolve and better practices emerge.
Don’t neglect to properly configure a device. That leads to a myriad of problems, which actually makes responding to incidents harder instead of easier. Some products, when not properly tuned, end up not being used at all. Companies that have been breached often find out later that one of their tools had not been implemented correctly and could have detected the attack before it was too late. When we purchase a new tool, we should take the time to learn how it works best in our environment.
ACCEPT HARD TRUTHS AND LEARN FROM OUR MISTAKES
When a cyber attack happens, our investigations reveal a lot. Somehow, more than 50 percent of companies that experience a breach do not implement the other suggestions made by investigative teams. 54 percent do not collect threat indicators from their own incidents for use in fighting future attacks. Organizations need to learn that information uncovered during an incident investigation is valuable in determining the types of attacks we may anticipate and how to be more aware of and better prepared for them.
It’s important to keep in mind that even experienced and talented attackers often reuse attack methods, exploits, and infrastructure. Like the organizations they target, if their tool set seems to be working, why change it? Learning as much as possible when an incident occurs enables us to gather insight for the future. While breaches are not awesome for business, they are unique and valuable learning opportunities. Make the most of them.
Do business more confidently, knowing that when Cyber Security events disrupt our productivity we have a complete blueprint and intentional understanding of our technology environment, and a customized Resilience Strategy for incident response that lets us respond quickly, accurately, and confidently to protect our clients, our reputations, and our bottom line. Our teammates, partners, and clients are counting on us to lead the way.