Are you underestimating the evolving cyberthreat?

Protection comes from proactive security

They should start by throwing out the old rule book. The traditional approach is a reactive one that involves building high technological walls around the organization. Over the past decade, it has become clear that once attackers breach that barrier even a single time, and through whatever means, they can do almost whatever they want.

In a world where many employees work from home and use a multitude of connected devices, it no longer makes sense to focus exclusively on an increasingly indistinct perimeter. Proactive security, on the other hand, assumes that a breach of corporate IT systems is inevitable. It then works out how to minimize the related damage and continue with business as usual while dealing with the incident.

As the name suggests, proactive security also involves ongoing preparation. As a starting point, businesses need up to date expert threat intelligence about the nature of attacks that those in their sector and country are particularly exposed to. For example, some businesses are especially likely to be hit by ransomware while others are more likely to experience a denial-of-service attack. Knowing how you might be targeted enables you to prepare accordingly.

Many companies have plans in case of incidents, but too often these just sit there. Instead, businesses need to practice executing their contingency arrangements – including for recovery. They need to:

• Document key weaknesses

Sound preparation requires rigorously keeping up to date with upgrades and patches. It may sound simple, but many businesses miss upgrades or do them too late for fear that it will disrupt operations. The reality is that the downtime caused by upgrades is negligible, especially compared with the disruption that a cyber-attack could cause. 

Even if upgrades and patches are executed in a timely manner, some systems are naturally more vulnerable than others. Documenting weak spots can help mitigate the fallout from a breach because it gives IT teams a head start in identifying the system that was originally compromised.   

In addition, companies must probe actively for vulnerabilities, including by employing ethical hackers to test for weak spots both in corporate systems and in how employees interact with it. Digital transformation has made the attack area much bigger, which means that no organization has the time to find everything that could go wrong. So-called white hat hackers can step in here to find the most dangerous gaps in security.

• Know exactly who should lead the response

When a major cyber event occurs, an incident-response team needs to assemble rapidly that can identify the source of the problem, direct action to get key systems back up and running and communicate to the public. This team must therefore include the Chief Information Security Officer, if one exists, an IT director that has knowledge of the business’ IT architecture, a PR director that can draft communications to customers, and a legal director. The latter is vital because there are certain regulatory reporting obligations that need to be met if personally identifiable information has been breached. It’s also vital for a C-level executive such as the CEO or CIO to be part of this group so that they can update the board.

• Gather all of the information that is needed to evaluate ransom demands

A fundamental question that will need to be answered very quickly in the event of an attack is whether the ransom will be paid. And to answer this, businesses need to know whether they are insured against a ransomware attack and what the Terms & Conditions are. They also need to understand their financial exposure to the disruption, and whether this eclipses the size of the ransom. Understanding the legal implications is also critical as paying ransoms to certain organizations could result in criminal proceedings according to US law. Multiple factors need to be weighed up when determining whether to pay, so those making these decisions need to have this information at their fingertips.

Ransomware demands are extremely challenging to respond to. It is therefore also vital to plan how you will respond in advance. This means determining who will negotiate on behalf of the business, and whether this should be an internal employee or an outside negotiation expert.

Although the majority of businesses ultimately pay up, some do not. For example, Norwegian renewable energy company Norsk Hydro received acclamation for its refusal to pay and its swift and effective response after being hit by a major ransomware attack. Very soon after suffering an attack, the business consulted external experts and took the decision to be completely transparent about the impact of the breach.

But the culture must be right

On its own, however, this new approach will not provide enough protection. Organizations also need to make a cultural change, and that includes the corporate leaders themselves. Cybersecurity can no longer be seen in isolation, and the people responsible for IT and physical security need to work closely together – at a minimum.

More generally, Chief Information Security Officers are too often given a mandate to provide security but gain no visibility in the boardroom. Instead, they typically report to CFOs, where it is often a struggle to demonstrate any return on investment. This can make it a thankless job, where success is achieved when nothing happens. CISOs could get better at communicating their challenges, but to do that they also need an audience that is ready to listen. When cyber-risk is growing this rapidly, security must become a board-level issue.