Working in cybersecurity and running a business have many things in common, but one of them stands out: both require a strong decision-making muscle.
Navigating shifting priorities, dealing with unexpected changes in the environment, trying to curb risky behaviors – all these responsibilities call for making data-driven decisions to avoid crisis situations.
However, the type of data that’s available to cybersecurity specialists may not overlap with business priorities, which is why the gap between expectation and reality continues to be quite wide, especially for the SMB sector:
66% of surveyed SMBs believe that a cyberattack is unlikely — even though 67% of them were actually hit by a cyberattack in 2019 (source: CSO Online).
In this context, preventive cybersecurity measures are one step further than where we need to go. First, you must ensure your company can react to and stop cyberattacks before they make a big impact on your business.
This is a must-have plan not just from the perspective of cybersecurity teams like ours, but also from a legal point of view. In case of a cyberattack, you will be asked to provide proof that you applied all the necessary measures to prevent and stop that attack. If you’re lacking, fines and other legal consequences will most likely appear down the line.
The total of fines companies received after experiencing data breaches is up to $1.45 billion and counting. Caused by hacks and data thefts, enabled by weak security or preventable mistakes, many companies have paid the price not just through fines but also through damage to their public reputation.
In the UK, British Airways was fined a record $230 million for improperly protecting user data and Marriott had to pay $124 million for its lack of compliance and inadequate security practices. In the US, Equifax settled in court to pay $575 million for its 2017 breach and the list of examples continues.
“Easier said than done!” True, but not entirely
You may be thinking: “I want to do all these things too but I can never find the time for them and my team doesn’t know where to start.”
We know the majority of business owners are not oblivious to cyber risks and that they’re challenged by things like:
- The cybersecurity skills shortage, which has a negative impact on incident detection and response for 60% of surveyed companies (Cybersecurity Skills Gap Survey 2019 – Tripwire)
- The limited resources at their disposal, which means 1 in 5 companies only has temporary or no resources to respond to a security incident (2019 Incident Response Report – BAE System).
We empathize.
But instead of allowing the challenging context to confine your determination, we recommend making the most of your in-house resources.
Start with what you have
You don’t have to put everything you do on hold to start preparing for a potential cybersecurity incident. The more agile approach is to break the project down into smaller pieces and start chipping away at them, starting from the inside out.
For example, according to a Ponemon survey, 77% of respondents said they don’t have a formal incident response plan they can consistently apply across their organization. Here’s how this translates into reality:
If a cyberattack compromises the company before it can be stopped, 77% of surveyed companies will discover:
- Employees who discover the breach don’t know who to call to report it
- Employees don’t know who will be blamed for it and what consequences may result from the incident, which often leads to them keeping things quiet and delaying decisive action
- The report gets lot in other priorities and remedial actions are delayed
- Managers and executives don’t know who needs to approve what, so the entire process moves very slowly
- The lack of internal experts can cause cybercriminals to achieve a persistent presence in the company’s network, leading to further damage and attacks, and the list can go on.
You can prevent all this confusion and costly delays by creating an internal incident response plan that includes details such as:
- Name and contact details for the incident response manager
- Name and contact details for the technical specialists who can respond to the threat
- Name and contact details for the legal counsel who must advise on reporting the breach to the authorities and evaluate the legal risk of the compromise
- Name and contact details for the communication specialist who must coordinate the company’s public response to the attack and its consequences
- Communication guidelines for both internal and external communication
- The phases of the cyber incident response and what happens during each stage
- A way to evaluate the incident response process after it has ended so it can be updated and improved.
This simple plan can help you react quickly and realize if you can handle the cyberattack internally or if you need to bring experienced ethical hackers on board to help you handle the cyber incident.
If you’re inclined to externalize incident response management because it’s more cost-effective and because you can’t fill your open roles, you’re not alone. This is a global tendency that reflects the need for agility and collaboration not just in the cybersecurity sectors but across industries.
In 2019, companies spent $64.2 billion globally on managed security services, “more than double investment in infrastructure protection and network security equipment” according to CSO Online.
Having a trusted partner you can rely on and who can effectively guide you through a difficult time is essential. We’ve seen it happen time and again with the customers we work with and the situation is unlikely to change given cyber attacks are increasing both in volume and sophistication.
Cyber attackers use these 4 tactics to make incident response harder
1. Targeted attacks
The 2019 BAE Systems Incident Response Report shows that 30% of the attacks that response teams handle are targeted attacks.
“Besides healthcare and government agencies, a growing number of financial organizations and small and medium-size businesses are being affected by targeted attacks as well.”
2. Island hopping
The 2019 Carbon Black Global Incident Response Threat Report reveals that 50% of today’s attacks leverage “island hopping“. Cybercriminals use this tactic to infiltrate companies like yours through smaller companies that work with you.
Think of companies that handle your HR and payroll, marketing or healthcare firms, and other organizations whose security systems are more vulnerable to attack than yours.
Given this focus on the supply chain vulnerabilities, your incident response plan should also include a potential reaction to one of your suppliers getting compromised.
3. Lateral movement
The same report notes that “70% of all attacks now involve attempts at lateral movement.” What this means for you is cybercriminals gaining access to your systems through a laptop or a server is only step one.
The attacker’s goal in lateral movement is to move through multiple systems in your network until reaching their objective (stealing credentials and confidential data, gaining access to the payload, etc.). That may involve impersonating legitimate users and other forms of social engineering.
4. Destructive attacks
Online criminals know they will encounter some form of resistance, so they implement counter incident (IR) response tactics to the most commonly used defenses.
56% of incident response teams ran into some form of counter IR in their work, while also handling other damaging consequences of the attackers’ thirst for data and networking persistence.
31% of targeted victims now face destructive attacks that leave their systems and data damaged in various forms.
To restore your network activity and online reputation after such an attack, you need to identify and remove malicious code, malware, and backdoors from the compromised network and deeply understand the attack vector so you can proceed to secure your assets and implement a Disaster Recovery Plan.
If this sounds like too big or complex of a project for your current team to handle, there’s always another option, which more and more companies are choosing.
Get the help you need!
When you detect a data breach or another type of compromise in your network, you can contact us for help. Working with us means you’ll know what happens every step of the way.
From helping you assemble your Incident Response Team (IRT) to creating secure communications channels, from collective attack-related evidence to critical mitigation tactics and ensuring business disruption stays at a minimum, we assist, guide, and help you with implementation end-to-end.
Because cyber attacks affect the entire company, our cybersecurity incident response covers all the key areas in your business:
- Organizational strategy and C-level or top management communication
- Technology expertise involving forensics, malware analysis, log analysis, and IT operations
- Business operations, including cyber attack resilience, disaster recovery, and proactive communications
- Risk and compliance management involving liaising with regulators, legal counsel, and law enforcement.
Because we’re relentless learners, constantly broadening and deepening our knowledge and technical abilities, we’re always prepared to face new and evolving threats, which have been the norm for years.
Effective incident response doesn’t have to be a luxury that only big companies can afford.
With the right partner by your side, you can upgrade your cybersecurity to a level that saves you time and energy so you can deal with other projects and burning priorities business owners like you usually face.
What’s more, working on your incident response plans before anything happens has multiple positive side effects.
You may see that your employees start taking cyber security more seriously. You may see your team aligning on this topic because they gain a deeper understanding of the business value attached to cybersecurity tactics. Overall, you may gain more clarity into the inner workings of your tech and how security controls support your organization’s broader mission.
Whenever you want to start, we’re here for you.