Security Think Tank: Cyber resilience cheaper than attack recovery

What key things should organisations be doing in terms of cyber defences to ensure they are resilient?

The reality of suffering a cyber attack is not a case of if, but of when. The impact of compromised data includes lost productivity, possible litigation, a huge financial hit, the process of recovering from an attack, and damage to the organisation’s reputation, which means a cyber attack can be very costly.

According to the 2017 Ponemon cost of cyber crime study, an annual global cyber crime report, there is more than a 27% chance that organisations will have a material data breach in the next 24 months.

The average cost of such cyber crime is a staggering $3.62m. While that number is down from previous years, the average size of data breaches has increased 1.8% to more than 24,000 records.

It is also taking businesses and organisations significant time to recover from these attacks. It takes an average of 191 days for businesses to detect the attacks and an average of 66 days to clean up following the discovery.

While organisations can’t always stop an attack, they can put steps in place to reduce the amount of time it takes to recover, minimising impact and ultimately preserving customer trust and loyalty.

Build the team

There are many moving parts to ensuring networks and information are protected against cyber attacks. Building a team of talented cyber security experts to defend against attacks is a must, but so is building a team of supporters for good cyber security hygiene across your organisation.

It is important to keep key individuals in the organisation in the loop on the status of any real or potential threats against the network and business. This can be achieved through having a cyber security dashboard to measure an organisation’s readiness to withstand an attack, for example.

This tool can serve as your temperature check, ensuring that your top leadership and the board are well informed on all aspects of readiness. If an attack happens, having top leadership on the same page about readiness levels will help the business resiliency team spring to action to repair the damage.

Once the dust settles after an attack, ensure your legal team is prepared to deal with legal issues that may result from the cyber attack.

Issues such as theft of customer information or damage to technology that makes it difficult or impossible for businesses to run normally can lead to costly litigation for your company. It is also worth considering insurance that could help offset future losses and expenses from such attacks.

Information sharing

In 2016, the Financial Services Information Sharing and Analysis Center (FS-ISAC) took a key step in the fight against cyber crime in the financial services sector. Representatives from FS-ISAC signed a memorandum to increase co-operation between financial institutions at a global level as part of the European Cyber Security Month.

This type of regular exchange of risk and threat information between organisations can improve security and resilience for everyone involved. Coordinating exercises, response protocol materials and training makes not only your organisation more resilient, but the industry as a whole.

This type of co-operation – not only within the industry, but also with law enforcement and government officials – was crucial in Europol’s takedown of the Ramnit botnet that infected 3.2 million Microsoft Windows computers in 2014.

Backup, backup, backup

It is no secret that backing up data, and backing it up often, is essential to recovery following a significant cyber attack. However, the backups themselves can present their own set of issues.

To limit risk related to backups, ensure they are stored offsite. If backups are kept in the same space as the original servers, one incident, such as a fire, could wipe out everything. 

It is also important to control information access and decide who on the team should have access to that information. Remember to test your backups regularly – they are worthless if you find you backed up the wrong data, or no data at all, after you have been hit with malicious software.

Find your weaknesses

The best defence is informed by a good offence. The first step is recognising how adversaries would attack so you can defend against those tactics before they are used.

Use information sharing to learn more about how adversaries operate and use that information to plan and model attacks against your organisation, checking for holes in your defences.

You may find multiple layers of security controls you thought you had in place are not enough, or that you did not have anything in place at all – check these controls often to make sure they still work.

Consider increasing education for all employees about the importance of network security and the role they play in preventing future attacks. Do not forget to partner with your suppliers on security – they need to have proper defences in place to ensure that their weakness does not bring you down as well.

Know how to respond

Hopefully, you have already practised post-breach preparedness with your company, but if this is still on your “to do” list, then there are a number of steps you can take to prepare.

If you discover your network has been compromised, the first step is to keep things in perspective and always have a sense of purpose to protect employees, your company, customers and stakeholders.

Transparency goes a long way when dealing with a breach, but so does knowing how to respond when a breach happens, and before it happens. 

Check to make sure antivirus software or other network defences are operating properly before or after a breach, but also remember the human factor in responding to a breach, and make sure that lines of communication are open with all stakeholders at all times.

Test these scenarios early and often so that you will have a better chance of fixing problems before they break. Your organisation will be better positioned to know how to respond once you have built muscle memory to defend against an attack. 

Use the attack as a learning experience

Once you recover your network and systems and test them for proper operation, there are likely to be a myriad of other things that must be done.

Document all actions performed during and after the event and then analyse these events to improve. While technical details such as collecting data from network logs and software error reports that describe what occurred prior to the attack are important, it is equally important to get feedback from your partners, colleagues and business stakeholders.

You may find that not everyone views the importance of a breach equally. If you are to use the event as a learning opportunity to limit the likelihood of it happening again, you will need to make sure you are all singing from the same sheet of music.

Now more than ever, organisations can be hit by a cyber attack at any time, so it is critical for organisations to protect themselves, detect intrusions earlier and recover quickly from attacks.

The costs associated with implementing proactive measures are a fraction of the costs of a data breach. When you are protecting a business where time is money, it is money well spent.