
Security Think Tank: Surviving the existential cyber punch, part 3

How should businesses plan to survive a potential cyber attack extinction event?

The actions that a chief information security officer (CISO) and an organisation take in the aftermath of a cyber attack have a profound impact on their ability to recover and demonstrate their resiliency.

Mature organisations write the actions to take after the initial incident response into their incident response plans, and incorporate those actions into their cyber exercises and drills, so that every echelon of the organisation is prepared to guide it quickly, efficiently and effectively back from the attack.

The best organisations have a formal “after-action” process that reviews the facts and circumstances of the incident to answer such questions as: what happened, what went wrong and what went well?

The process should be guided by a working group that includes representatives from the security and IT teams, as well as from entities such as business units, legal, finance and public relations. Contributions from outside entities such as law enforcement and contract incident responders should also be considered.

Typically, the working group supports the organisation’s senior leadership and its “cyber war council”, ultimately performing a root-cause analysis and identifying courses of action for the organisation to manage its cyber risk better.

Such a disciplined process is an essential part of an overall campaign to restore the brand and reputation of the organisation.

Regardless of whether you are the victim of a cyber attack or of a self-inflicted cyber incident caused by a careless, negligent or indifferent employee, bouncing back effectively requires you to demonstrate to your board, regulators, current and potential investors, partners, suppliers, employees and insurers that you are exercising due care and due diligence in addressing the conditions that led to the incident, and that you are taking the right actions, in the right way, at the right time to restore your operations.

If you do so properly, you will be able to demonstrate that your organisation has greater cyber hardening and is in an exemplary state.

A control that you can use to ensure that your recovery plan is effective is to hire independent third-party penetration testers (pen-testers). I want pen-testers that test my organisation on the inside as well as the outside. I want them to look at my policies and procedures and assess not only their adequacy, but also whether they are being followed by the staff.

I want them to do “announced tests” as well as “unannounced tests” to gauge whether performance changes when the staff know a test is occurring. Ideally, there should be no difference in performance, and staff should always be performing at high standards.

The principal objective of pen-testing is to find deficiencies in your cyber ecosystem. The best pen-testers treat people, process and technology alike as potential sources of risk. You should too, and regularly assess your risk with the aid of independent third-party pen-testers.

I also recommend using hunt teams to protect high-value assets. Hunt teams are specially trained cyber personnel who quietly patrol your networks looking for evidence of malicious activity.

Many cyber security incident response companies offer “hunt” capabilities, with personnel and technologies that will persistently evaluate your network for signs of hackers, cyber criminals or other potentially malicious activity.

For organisations that want to train their own personnel to develop “hunt team” capabilities, there are numerous training platforms, including Isaca’s Cybersecurity Nexus, which identifies the required skills and best practices to field a capable “hunt team”.

A third recommendation is to implement a bug bounty programme in which your organisation offers a financial incentive or “bounty” to registered individuals who discover and report to you cyber weaknesses in your organisation.

Bug bounties are a cost-effective means of finding and fixing issues before they turn into huge cyber incidents and problems. They also demonstrate your organisation’s commitment to a strong cyber programme in the aftermath of a cyber incident, thereby boosting confidence that you are exercising due care and diligence in implementing best practices.

Such activities are essential to restore your brand and reputation, yet only if choreographed with your marketing and sales efforts.

Many organisations have traditionally viewed cyber investments as a cost centre not contributing to profits. I think this is a flawed approach because proper cyber investments protect the organisation’s critical information and should be viewed and promoted as generating value in the organisation.

I see several companies now touting the strength of their cyber capabilities as a positive discriminator in the marketplace. After a major cyber incident, working with your marketing team to publicise the positive response you and your organisation have taken can enhance your organisation's standing.

Finally, I recommend that you and your organisation carefully share the lessons learned. All too often, cyber attacks are part of a campaign in which malicious actors attempt to attack multiple targets. By sharing what happened and the lessons learned through forums such as information-sharing and analysis organisations, you contribute to what I call “the cyber neighborhood watch”.

Such transparency gives you and your organisation a valuable platform to demonstrate your commitment to cyber security and risk management, to show that you are exercising due care and due diligence, and to establish that you are a leader in the community. When that happens, you will find that others share with you in turn, better preparing you to thwart the next cyber attack.

A cyber incident or attack can happen at any time. Yours may be occurring right now. Preparation is the key to effectively detecting, responding to and recovering from any cyber event. Proper planning, exercises, pen-testing, hunting and commitment to continuous improvement provide the shock-absorber every organisation needs to bounce back from a cyber event.
