With high-profile attacks increasingly in the news, what can you learn from cyberattacks to protect your business? RSI Security teamed up with Bernard Global, a security consulting and advisory firm, to address best practices for cyberattack preparedness.
Eileen introduced the panelists:
- Stevan Bernard, Founder and Chief Executive of Bernard Global and Certified Fraud Examiner, is experienced in threat and incident management. He is also actively engaged with law enforcement.
- John Shin, CISSP, CISM, PMP, QSA, Managing Director at RSI Security, holds over 18 years of IT and cybersecurity management experience. He helps organizations assess and improve their cybersecurity posture.
- Dylan Kelsey, CISSP, CMMC RP, a Security Associate at RSI Security, is experienced in Navy computer information systems and intelligence analysis.
Dylan highlighted the need for companies to be able to survive cyberattacks. Specifically, he emphasized the unique opportunity to have Stevan provide insight on cyberattacks from personal experience.
The Need for Cybersecurity Preparedness
Stevan mentioned that his post-retirement engagement with cybersecurity revealed its growing necessity. Throughout his experience providing security consulting and advisory services and speaking at meetings and podcasts, Stevan learned that organizations in academia and various industries had become increasingly interested in improving their cybersecurity measures.
Stevan feels the need to share his experience since many cyberattack victims typically remain quiet. He also believes that organizations must increase preparedness as they could at one point be victims.
Experience During a Cyber Attack at Sony
The transition from analog to digital media during Stevan’s time at Sony resulted in the global expansion of box office revenue, which increased consumer appetite for content and media production. Stevan shared several lessons, both from the 2014 Sony cyberattack and from his 16 years as Executive Vice President of Sony.
Decision-Making is Critical During a Cyber Attack
The roles of a crisis team must be clearly defined to make incident response decision-making more effective. When preparing for the worst-case scenario in a cyberattack (i.e., complete loss of connectivity), organizations should factor in:
- Delegation of decision-making roles
- Incident management protocols
- Business continuity and operations
- Limitations to connectivity for critical services, including:
  - Payroll processing
Stevan emphasized that a swift and effective response on the first day of a cyberattack determines an organization’s survival chances. For Sony, the most important lesson was realizing they needed help from external parties.
Role of External Assistance
The threat actor in the Sony cyberattack was a foreign nation-state. An international adversary posed several limitations:
- Sony did not have the authority or opportunity to address the crime from the United States.
- The heat of the crisis presented other critical priorities for Sony’s leadership to address.
Several external parties helped Sony address the 2014 cyber attack:
- The Federal Bureau of Investigation (FBI) has jurisdiction in many countries and could leverage relationships with host countries to influence investigation outcomes.
- The Department of Justice (DOJ) has oversight of the FBI and helped with the investigations.
- One of the FBI agents recognized the malware used in the attack from previous attacks.
One of the internal pushbacks during the crisis was the legal team’s concern about losing legal privilege by involving law enforcement. Stevan, however, believes that officers from the Department of Homeland Security (DHS) and the Secret Service are more capable of conducting cyberattack investigations.
Rather than waiting for an attack, Stevan recommends that organizations build relationships with their local law enforcement offices so that coordination is streamlined if a cyberattack occurs.
Lastly, involving law enforcement provides an independent investigation into a cyber attack. For Sony, the malware frozen during the shutdown of global operations provided evidence for law enforcement (DOJ) to confirm the attack perpetrators.
Crisis Management Planning
Dylan asked whether the perpetrators achieved their goal. Stevan explained that senior leadership typically focuses on attack containment and business continuity. However, he believes organizations must address cybersecurity during a crisis. Preparing personnel and processes helps mitigate damages. Planning for and managing cybersecurity response protocols is critical to surviving an attack.
Crisis management planning is critical to addressing cyberattack consequences, such as:
- Loss of data, including:
  - Intellectual property (e.g., movies in production)
  - Sensitive information (e.g., contract and salary details)
- Defamation via online and print media
- Distraction from business continuity
Stevan also emphasized that the same tactics used in 2014 still apply today, so organizations must remain cautious of malware. It is also critical to document all decisions made during crisis management to inform future cybersecurity risk management and prevent repeat crises.
Dylan asked about business continuity plans (BCPs). Stevan responded that while many companies have disaster recovery plans (typically covering IT continuity during a cyberattack), there is still a need for crisis management planning that covers cyberattacks and beyond. Critical aspects of crisis management include:
- Defining individual and functional roles for all personnel
- Consistent messaging about the attack to all affected parties, including:
  - Third-party providers
- Analyzing the impact on the business to frame:
  - Prioritization of applications
  - Decision-making roles
- Using backup systems in preparation for connectivity loss (e.g., keeping paper copies of critical documents)
Stevan emphasized the importance of completing action items in advance to increase preparedness.
Business Continuity Planning
While discussing business continuity plans (BCPs), John presented insurance survey statistics:
- 48% of small-to-medium businesses say they do not have a BCP
- 95% of businesses say they are prepared to deal with ransomware
Given this disconnect, John says RSI Security advises clients to exercise their BCPs. Specifically, organizations should work with their critical service providers to run through attack scenarios and assess the plan’s effectiveness.
Dylan asked about distinguishing functional roles from operations to maintain continuity. Stevan agreed that these roles need to be distinguished. However, if the planning is done right, the nature of the incident matters less, since not all operational areas will be impacted.
Stevan also emphasized the need to have the various roles represented in the crisis room to make good decisions on business continuity. At the same time, the entire senior leadership team does not need to be in the crisis room.
Strategies for Cyber Attack Management
Dylan asked Stevan how it felt to be attacked and what changed in his leadership style. Stevan offered several strategies to effectively manage cyberattacks:
- Flexibility – Cyberattacks result in panic and can affect decision-making. It is critical to plan effectively for:
  - Evolving changes to the attack
  - Augmenting internal resources (e.g., forensics)
  - Rest schedules to prevent burnout
  - Supplementing staff by having all hands on deck
- Leadership style – Stevan needed to step back and let his team address the challenges for which they had prepared. Senior leadership must focus on the critical issues of the crisis.
Cyberattack management requires thoughtfulness, flexibility, and patience.
Impacts of the Breach on Companies
Dylan asked Stevan about the lingering impacts of the cyberattack. Stevan mentioned the severity of data loss and the need to manage risks related to resuming connectivity.
Specific risks included:
- Timing and sequencing the reconnection of systems to minimize data loss
- Lost or irrecoverable files and documents
- Compromised data integrity and confidentiality
Stevan also mentioned that compliance is critical to surviving a breach. Insurance companies will ask for proof of compliance before issuing payouts. He advises instituting a risk management department to review the specifics of every insurance policy.
John added that when reviewing insurance policies, businesses must understand which compliance obligations fall on them in order to secure loss compensation payouts. It is not enough to read only what the insurance provider covers. Organizations should involve their security service providers in compliance review and decision-making to prevent delays in claims processing.
Impacts of the Breach on Employees
Dylan asked about the cyberattack’s impact on employees. Stevan mentioned that attacks on healthcare providers compromise sensitive patient health data. While that data may be used for various types of fraud, the hackers can also leverage contact information within the stolen data to blackmail individuals into pressuring breached companies to pay a ransom.
Stevan emphasized the need for businesses to improve their cybersecurity posture to prevent more substantial threats. The Sony data breach had several impacts on employees:
- Some employees were contacted and threatened with consequences if the movie in question was released
- Leadership was worried about threats extending beyond digital attacks
- Physical attacks on some companies
The increased sophistication of attacks means that businesses have to improve their cybersecurity. One of the critical focus areas is addressing phishing attacks, which requires dedicated security awareness training to help personnel recognize threat indicators. Protecting the perimeter with firewalls was not enough against phishing and other attack methods, as hackers still found ways to access sensitive data by exploiting vulnerabilities.
Dylan asked about the increase in phishing, especially as an insider threat. Stevan mentioned that companies should think about insider threats in two ways:
- Naivety – Employees at Sony mistakenly clicked on a malicious link. It was a naive but not negligent mistake, as they had not received phishing education.
- Intent – Someone may have only limited physical or data access (e.g., a contractor or third party). Even with such access, an insider can launch a malicious attack within the organization.
John added that a survey of 400 companies found that 67% of executives expressed concerns about insider threats. This is understandable, as the definition of “insider” has evolved with the widespread use of third-party integrations and services. The DHS has also expanded its insider threat program to include the extended workforce and partner community.
82% of companies say they aren’t prepared for insider threats, which is worrisome.
Questions From the Audience
Dylan opened the floor for questions. The responses are provided below, grouped by focus areas.
Addressing Business Continuity
The first question addressed the importance of differentiating between an incident response plan and a business continuity plan. Stevan mentioned that in addition to crisis management and business continuity, Sony also had an incident assessment team (IAT), as they were constantly under attack.
Although the IAT addressed some cyber threats, it focused more on addressing business continuity. However, organizations must separate business continuity from incident response. Without defined teams coming together to address the crisis, the team tasked with crisis management eventually burns out.
Another question asked how to determine that a crisis will not happen again. Stevan explained that most companies instinctively assume the end of a crisis means it won’t recur. He gave an example of a general counsel who left a chief information officer (CIO) in charge. However, each incident must be thoroughly reviewed and incorporated into the ongoing security program’s procedures and documentation to truly help prevent a recurrence.
There is a need for accountability and documentation in implementing effective cybersecurity management. Organizations must ask the right questions because the second threat is usually worse than the first.
John also added that companies do not usually declare victory after a cyberattack is averted. Security is a process and must be treated as one; the ubiquity of threats requires a sense of urgency and preparedness from organizations, regardless of size or industry.
Addressing Future Cyberattacks
The last question addressed what to expect in countering cyber risk given the continuing state of attacks. Stevan emphasized that attacks will continue, since cybercrime is highly lucrative and carries little risk. He added that six of the top ransomware gangs are based in Russia, which provides a safe harbor for their operations.
Stevan also emphasized the need to implement security via:
- Patch management of legacy systems
- Changing behavior to be more security-conscious
- Creating a sense of urgency by adhering to guidelines in security frameworks, such as those from:
  - NIST (National Institute of Standards and Technology)
  - CISA (Cybersecurity and Infrastructure Security Agency)
Stevan also believes there will be more diplomacy between nation-states to address cybersecurity. John added that major nations must come together to enforce cybersecurity laws. If healthcare organizations have come together to address a global pandemic by openly sharing information about threats without exposing liabilities, cybersecurity can be addressed similarly.
Assess Your Cybersecurity Posture
Increasingly sophisticated cyberattacks require preparedness to mitigate data loss and breach consequences. RSI Security’s suite of managed security services will help address gaps in your organization’s cybersecurity, strengthen your security posture, and best prepare you for unforeseen attacks. Contact RSI Security today to learn more!