How Not to Become the Next Victim of a Breach

The recent confrontation between the U.S. and Iran raised concerns that organizations may become collateral damage in the event of a “cyber war” between the two nations. Cyber warfare is no longer theoretical. Texas Gov. Greg Abbott recently noted that the Texas Department of Information Resources had seen a spike in attempted cyberattacks from Iran on state agency networks at the rate of about 10,000 per minute over the previous 48 hours (Fort Worth Star Telegram, 1/7/2020).

In the course of just a few weeks we have witnessed: increased IT threats from cyber threats, potential loss/reduction of workforce and associated life safety issues due to pandemic threat, financial risks associated with both, life safety concerns from recent active shooters incidents, and more. Is your organization prepared to effectively address threats from multiple fronts?

Don’t let the pandemic threat impact your cyber threat or breach vigilance and response. With the potential impact of a reduction in your IT workforce, what are your plans to remain vigilant and responsive to cyber threats? A good information foundation and response plan supported by technology will put you in a better position.

Cyber is a risk for any organization. You need a solid cybersecurity program and action plan to ensure good decisions when an incident occurs. Effective response, successful recovery and complete remediation are dependent on timely decisions based on accurate, current data. Preparation and information availability will ensure the right decisions from the right people at the right time.

If your organization is breached, you need to act swiftly, no matter the current risk landscape. Consider:

• Your response to a cyber incident must not be focused solely on IT. Your response requires a holistic approach to engage cross-functional teams throughout the enterprise at the right time, with an appropriate level of security.
• Your decisions should be made based upon impacts. To understand impacts, a robust data model of your environment should contain a single source of truth for critical business processes, risks, IT applications/components, suppliers, etc. A solid information foundation not only supports quick, sound decisions at the time of an incident, but also assists in the preparation phase, including plan development.
• Your actions must be well orchestrated. Due to complexity, required speed of response and number of stakeholders, an incident management strategy or system is necessary to achieve an integrated, orchestrated response.
• Your response plans should support your response strategy. All cyber threats are a serious risk and should be treated as such. A cyber response strategy supported by documented policies and controls will provide guidance and direction.

Cyber threats present a unique type of risk for all organizations. The threat is constant, making the likelihood of occurrence extremely high, unlike the relatively low potential of most risks. Due to the sheer magnitude and ever-changing nature of cyber threats, it is not a matter of “whether” an organization will be impacted, it is a matter of “when.” Very few are fully prepared to respond to an incident at an enterprise or organizational level.

Response to a major cyber incident requires not only current, effective, IT-focused cyber plans, but also participation from all lines of business and operational support areas to ensure a successful integrated, orchestrated response. The increasing velocity of today’s threats heightens the need for a robust response strategy.

Listed below are some actions for consideration to improve your cyber risk preparedness:

• Perform/review vulnerability assessments
  • Include critical business partners
• Review/update enterprise cyber risk policies and definitions
• Review/accelerate cyber risk controls and risk control test execution
• Review/enhance current cyber threat strategies, capabilities, and actions
  • Detection, alert, escalation
  • Data backup strategies
  • Forensic actions
  • Remediation actions
  • Post-event reporting requirements
• Review/enhance your organizational data model – information foundation
  • Identify/review critical elements of your ecosystem (internal and external)
  • Identify/review critical dependencies
  • Identify/report sites, applications, and data vulnerable to attack
• Develop/review/enhance your Cyber Incident Response Plan(s)
  • IT/IT Security: Remediation actions should include application, data, and access tasks
  • Business departments: Plans should address specific cyber actions under a Loss of Technology scenario
  • Media Relations: Develop pre-approved messaging, trigger points, and reporting requirements
  • Third Party Management: Survey/review critical partner/vendor/supplier capabilities
  • Compliance: Identify any regulatory reporting requirements
  • Legal: Determine potential financial liabilities
  • Facility Technology: Review software patches
• Facilitate tabletops/simulations at the executive and departmental level (test the integrated organizational response, not just the IT response)
  • Test capabilities to communicate, orchestrate, and monitor the response
  • Include critical business partners

Much like protection from kinetic (or physical) terrorist attacks, organizations must be right every time to successfully defend against all cyberattacks. The bad actors only have to be right once to inflict severe damage on an organization. Without documented and integrated response plans and a formalized incident response strategy, the damage realized from a cyberattack may be irreparable.

While much has been written concerning hardening against cyber threats, now is the time for a prudent review of your cyber risk, your defenses against cyber threats, and your documented remediation actions in your cyber incident response plan.