Were not even midway through 2018, and this year has already seen some of the most high profile companies and brands become victims to potentially malicious cyber attacks. Delta Airlines, Sears, and Panera Bread are just a few examples of high-profile companies that have had to contend with data breach and unauthorized access by outsiders so far this year.
But despite all that, many businesses and organizations are surprisingly underprepared when it comes to potential data hacks and breaches. According to a recent study done by the Ponemon Institute, only one-third of all organizations believe they have adequate resources to manage cybersecurity effectively. That being said, Gartner predicts that global cybersecurity spending will rise 8 percent this year to upwards of $96 billion.
Smart organizations are spending much of those resources not just on systems and technology, but on developing internal plans and policies that match current security compliance standards. Effective cyber incident preparation and response plans often incorporate elements from guidelines such as the PCI Data Security Standards (DSS) requirements and are designed to do everything from mapping out potential threats for each organization to threat neutralization and continuing improvement.
So, if you’ve been wondering why information security is important (and how to protect said data), we’ve broken down everything you need to know for your cybersecurity preparation and response plan.
1. Understanding Cyber Threats
The first step towards developing an effective cybersecurity preparation and response plan is understanding the landscape of threats that could potentially affect your organization. There are two main categories of actors that are typically the cause of cyber attacks that organizations need to be aware of, and develop potential responses for. The first is the Small Time Hacker or Hacktivist, which normally seeks to disrupt networks on a minor scale for the sake of the challenge or for nominal financial gain. Typically these are low skilled, disorganized actors where restoring service and mitigating damage isn’t all that difficult.
The second variety is much more serious and consists of State-Sponsored attacks, Organized Crime Networks, or Radical Extremist groups. These are much more organized and well-funded entities whose goal is often to disrupt governments or major corporations on a large scale. They may use very complex, bespoke hacking tools operated by highly skilled (and compensated) professionals to disrupt networks, gain major financial reward, or steal valuable intellectual property. Attacks of this nature are (unfortunately) on the rise, and responding to such an event requires tailored guidance from industry and cybersecurity specialists. Depending on what industry your organization is in, its important to work with specialists when developing a cybersecurity risk plan that will cover threats that are unique to your line of business.
Key Takeaway – Cyber threats come in a variety of shapes and sizes, and differ depending on your industry and location. Work with a professional to identify how your organization would most likely be affected, and develop a plan accordingly.
2. Recognizing the Challenges
One of the biggest reasons for information security preparation is also recognizing the challenges different types of actors and attacks present. The problem is, management and leadership within many organization often don’t recognize said challenges (the it wont happen to me mindset), or severely underestimate the challenges they’ll likely face in the future. The result is a serious lack of preparation and response planning that can be quite costly. First and foremost, organizations need to realize that one of the biggest issues in cybersecurity defense is detecting the breach or major incident in the first place. Oftentimes, breaches go undetected for days, months, or even years due to the fact that organizations aren’t effectively monitoring their systems of unusual occurrences or suspicious activity.
Many organization also struggle to establish clear objectives for incident investigation and clean-up. Although they may have effective monitoring capabilities in place, some companies are left scrambling to address the issue in an effective and efficient manner. You’ll need to lay out a plan to analyze all information associated with the cyber incident, and determine what type of attack took place. This typically includes malware, DDOS attacks, system hacks, session hijacks, or data corruption. Correspondingly, you’ll need to sort out exactly which systems have been compromised, and what sensitive data has been lost, stolen, or corrupted. Another obstacle to surmount is then determining what kind of actor (potentially) was responsible, and for what reason. Was it a crime syndicate seeking financial gain? Or a hacktivist simply playing around? Understanding the motivations behind an attack will often provide clues as to how best to respond and prevent future attacks.
Key Takeaway – Preparing for, and responding to, incidents requires up-front knowledge of the challenges presented. Work with your internal team members and external experts to map out which you’re most likely to face, and how you’ll tackle them.
3. Preparing a for an Incident
While preparing for a cyber incident might seem like a highly time and resource intensive task, thankfully it can be broken down into several steps and milestones that can be achieved over time –
- Critical Assessment – Determine what is the most valuable information that you have, and what systems its stored in as the likely target of a hack. Moreover, think about the overall business impact that would result from a hack (lost customers, damaged reputation, etc.).
- Threat Analysis – Produce a definition of what a cybersecurity incident means to your organisation. Created a set of examples of the types of threats associated with these incidents, such as malware, hacking or social engineering. Know which types of actors you’re likely to come into contact with.
- Consider Implications – Cyber attacks don’t just affect information. They affect people, technology, and processes across your entire organization. Consequently, every person in your organisation will need to be aware of the cyber risk from cyber security attacks, and be educated on how to help reduce the likelihood and frequency of these attacks.
- Control Environment – There are a number of basic controls that you can implement to help reduce the likelihood of a cyber security incident occurring in the first place, such as critical infrastructure like access control, firewalls, malware protection and backups. Even if these basic technical controls do not actually prevent cyber security attacks, they can frustrate or slow-down a determined attacker, providing further time for intrusion detection before the attack gets to a critical point.
- Maintain Readiness – Always have appropriately skilled people guided by well-designed processes that enable effective responses. Having the right capability can help you to conduct a thorough investigation, and successfully eradicate hackers who are deeply embedded in your environment. Different types of organizations require different levels of readiness, so compare your infrastructure with industry peers and fill in gaps where needed.
Key Takeaway – Incident preparation isn’t just about the IT department or technology, its about taking a holistic look at your business. Think about how each and every individual interacts with critical data, and train them accordingly on a consistent basis.
4. Implementing a Cyber Policy
Next, you need to formulate, write, and disseminate a cyber incident response plan that covers everyone in your entire organization. When developing your policy, make sure to incorporate any relevant regulations and standards, depending on your industry and country you’re located in. The PCI Data Security Standard (PCI DSS), for instance, should be complied with and is designed to protect sensitive consumer data wherever its processed, stored, or transmitted. Among the PCI DSS requirements is number 12.1, which mandates that organizations implement a strong security policy to be utilized across the entire company. This policy will set the tone for the organization, and inform employees of their expected duties related to security. Every employee should be aware of the sensitivity of data that they handle, and know their responsibilities for protecting it.
Requirement 12 states that every organization maintain a policy that addresses information security for all personnel. You’ll need to establish, publish, maintain, and disseminate this policy and review it annually (at a bare minimum) so that it can be updated when the cyber threat environment changes. Organizations should also bare in mind that the European Unions new General Data Protection Regulation (GDPR) has also taken effect this year, and your policy should reflect compliance with regards to any sensitive information the you hold in terms of European users. Your policy should reflect any potential legal or compliance aftermath that might be likely to take place following an incident, so that those can be handled quickly and effectively by legal, administrative, or other key personnel
Key Takeaway – According to PCI DSS requirements, your organization needs a detailed cyber policy that covers everyone top to bottom, and is reviewed and maintained on a regular basis. Work with outside professionals, as well as your internal team, to make sure the policy is an accordance with all relevant regulations (i.e. GDPR, PCI DSS).
5. Threat Response
If you receive indication that your system or data has been compromised, your policy should outline how everyone will respond to the threat. Your policy should outline everything from discovering the nature of the threat, eliminating (or at the very least quarantining) it, to restoring systems or service to their normal functionality. The first people dealing with the incident are sometimes referred to as first responders, ideally as part of a team. These first responders should be able to determine whether any specialist resources (including third parties) will be required.
Many organisations do not have the right tools, systems or knowledge to conduct a suitable investigation. You need to identify quickly when the scope and severity is beyond in-house skills, before decisions are made that may adversely affect an investigation. It is critical for arrangements to have been made in advance so that expert investigators are available at short notice and have enough prior information to be able to hit the ground running. One of the next key actions to be taken after the initial investigation is containing the damage being done by the cyber security incident, for example, by stopping it from spreading to other networks and devices both within your organization and beyond.
You should consider creating separate containment strategies for different types of major cyber security attacks, with criteria documented clearly in your policy to facilitate decision-making. After the incident has been contained, eradication is then required to eliminate key components of the incident (such as removing the attack from the network, deleting malware and disabling breached user accounts). You’ll also want to identify and mitigate any vulnerabilities that may have been exploited. Collect and analyze any forensic evidence that may be of future use to your investigators or outside regulators. The final step in your response plan will be to restore systems to normal operational capabilities. Confirm that the systems are functioning normally, and take steps to remediate vulnerabilities to prevent similar incidents from occurring in the future.
Key Takeaway – An effective threat response plan should be included in your policy, and be clear on who is responsible for mitigating the threat, eliminating it, and restoring your systems and services.
6. Follow-up & Improvement
There are many important activities that should be undertaken following a cyber security incident. First, theres typically a need for you to investigate cyber security incidents more thoroughly after the event than when responding in the heat of the battle. This will help you to find out what actually happened, improve controls, share data with partners and prevent the incident from reoccurring. You should carry out sufficient investigation to identify the culprits, which may involve specialist support in the form of forensic investigators, for instance.
Once a cyber security incident has been successfully handled, formal reporting will often be required to both internal and external stakeholders. Some organisations are mandated to report to particular authorities. For example, Energy companies in the UK must report interruption data to the regulator (Ofgem) as part of their regulatory requirements. Other entities or organizations that you may either be required to (or benefit from) notifying are Law enforcement agencies, Computer Emergency Response Teams (CERTs), regulatory bodies with particular market sectors, and any of your collaborative cybersecurity partners or vendors.
Important information about the cybersecurity incident should also be discussed during a review. How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What lessons have we learned as an organization? To support an effective post incident review, all key discussions and decisions conducted during the eradication event should be well documented. A report should be produced from the post incident review and presented to all relevant stakeholders within the organization. Finally, communicate the lessons and takeaways to the entire organization, and update your control environment (and policy if necessary) to reflect what you’ve learned
Key Takeaway – Eliminating the threat is only half the battle when it comes to your cyber security response plan. Work with outside entities, conduct a thorough analysis, and make specific operational changes such as risk management that are likely to reduce the risk of similar attacks moving forward.
By now you should have an in-depth understanding of why information security is important, along with concrete preparation and security incident response strategies that you can begin implementing as soon as possible. By recognizing potential threats, formulating a policy in accordance with security compliance standards, and making continuous improvements, you stand a much better chance of staying at least a few steps ahead of the hackers and cyber criminals.