How to respond to a cyberattack

Cyberattacks are dominating the headlines, and no business is safe from the havoc and damage they have the potential to wreak. As attack methodologies are becoming more sophisticated and those perpetrating them more organised, the stakes are rapidly rising. Even high profile targets such as banks and telecoms giants are finding themselves firmly in the firing line. However, the actual attack is just the start and unless the response is handled correctly, the resulting 'cyber-incident' may end up having a far larger impact than the perpetrator intended.

Why is it so important for businesses to have a strong approach to cybersecurity?

Whilst the Internet is undoubtedly a force for good and has revolutionised the way we live our lives, it is also an extremely hostile environment in which to do business. New vulnerabilities and new ways to exploit them are being developed every day. Having a strong defensive stance sends a clear message to potential attackers that you are not a soft target. With so many potential targets to choose from, that may be enough to deter the attacker from even trying.

Are there any common mistakes that organisations tend to make after initially noticing that they have been attacked?

Fundamentally, the principles of responding to a cyberattack are no different from those of responding to any other emergency or crisis. There are, however, a number of common mistakes that can end up compounding the problem:

• Wrongly classifying a cyberattack: The early symptoms of cyberattacks are often misread as technical glitches, meaning that the attack often isn’t identified in sufficient time to launch an effective response.

• Incorrectly determining what has been compromised: IT systems are complex beasts, and while complexity can offer agility, cost-effectiveness, and resilience, it also makes it harder to work out what has gone wrong and what information may have been compromised.

• Leaving repairs to the tech team: Whilst it’s essential to have technical experts managing an affected IT system, the response team must cover every discipline within an organisation to get a holistic understanding of the attack.

• Failing to arrange alternate working environments: Responding to an attack by identifying and fixing any damage it causes isn’t an overnight job, so without alternate working arrangements for staff while the organisation recovers, the business may be left unable to operate.

• Putting out the wrong fire: Some attackers use diversion tactics like DDoS attacks to draw the IT department away from the main target. Getting sucked into one incident can leave other systems unsupervised, opening up the opportunity for other forms of attack, such as hackers breaking in to steal data.

• Underestimating liabilities: It’s all too easy to focus on damaged reputation after a cyber-breach. Ignoring additional liabilities, such as ransomware and industry penalisations, when carrying out the cost-benefit analysis of cyber-breach response measures could leave the business with hefty fines and further weaknesses.

Organisations are often slow to respond to cyberattacks. Why do you think this is?

If your building has been broken into or your basement is flooded, it is fairly easy to spot what has happened. Cyberattacks, however, are often harder to recognise and it is not uncommon for them to go undetected for months before anyone notices. Research by Arbor Networks in May 2015 reported that retail organisations in particular took an average of 197 days to identify when attacks resulted in data breaches and, whilst financial services organisations were better, they were still taking around 98 days to spot and react to a data breach.

Whilst these numbers may seem unbelievable at first glance, given the ability for cybercriminals to operate with online anonymity, they quickly begin to make sense. Conventional security regimes are often tailored to detect large scale incidents rather than small frequent attacks; but with the right approach, the chances of detection can be significantly increased.
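The point about conventional detection being tuned for large, sudden incidents rather than small, frequent ones can be made concrete. The following is an added example, not code from the article or from Sungard Availability Services: it runs two detectors over a constructed set of authentication-failure log lines (timestamps, source addresses from the RFC 5737 documentation ranges and user names are all invented for the example, and the thresholds are arbitrary assumptions). A burst rule, which alerts when one source produces more than ten failures in an hour, catches the noisy attacker and misses the one that fails three times a day for weeks; a long-window rule that counts distinct days and distinct targeted accounts per source catches the slow one.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (not from the article): each line is
    '<ISO timestamp> <source ip> <user>' for a failed login."""
    lines = []
    start = datetime(2015, 5, 1, 2, 0, 0)
    # Low-and-slow: three failures a day for 20 days from 203.0.113.5,
    # each day against a different account.
    for day in range(20):
        for k in range(3):
            ts = start + timedelta(days=day, hours=k * 5)
            lines.append(f"{ts.isoformat()} 203.0.113.5 user{day}")
    # Burst: 30 failures within ten minutes from 198.51.100.7 against 'admin'.
    burst = datetime(2015, 5, 10, 14, 0, 0)
    for k in range(30):
        ts = burst + timedelta(seconds=k * 20)
        lines.append(f"{ts.isoformat()} 198.51.100.7 admin")
    # Background noise: one mistyped password from 192.0.2.9.
    lines.append("2015-05-12T09:15:00 192.0.2.9 alice")
    return sorted(lines)


def parse(lines):
    """Turn raw lines into (timestamp, source, user) tuples."""
    events = []
    for line in lines:
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user))
    return events


def burst_detector(events, window=timedelta(hours=1), threshold=10):
    """Conventional rule: alert on any source with more than `threshold`
    failures inside any sliding `window`. Returns the set of alerting sources."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, ts in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while ts - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.add(src)
                break
    return alerts


def slow_detector(events, window=timedelta(days=30), min_days=7, min_users=5):
    """Long-window rule: alert on any source that fails on at least `min_days`
    distinct days within `window` and targets at least `min_users` distinct
    accounts. A few failures a day are individually unremarkable; the pattern
    over weeks is not."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    alerts = set()
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = [(t, u) for t, u in items[i:] if t - t0 <= window]
            days = {t.date() for t, _ in in_window}
            users = {u for _, u in in_window}
            if len(days) >= min_days and len(users) >= min_users:
                alerts.add(src)
                break
    return alerts


def run_both(lines):
    """Convenience wrapper: which sources each detector flags."""
    events = parse(lines)
    return {"burst": burst_detector(events), "slow": slow_detector(events)}


if __name__ == "__main__":
    print(run_both(build_sample_log()))
```

Neither rule is sufficient on its own: the burst rule alone leaves the patient attacker undetected for the whole 20 days, which is how dwell times of months arise, while the long-window rule alone would not fire on a credential-stuffing run that is over in ten minutes. Both sets of alerts should feed the same central reporting point so that the response team sees them side by side.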

Who should be dealing with an attack once it has been identified?

Traditionally, the responsibility to both identify and solve cyberattacks rested solely on the shoulders of the IT department. Perhaps thanks to the department’s tendency to use impenetrable language in describing the events, it has long remained this way. This is far from ideal. For a start, the failure to involve the wider organisation can cause delays in attack identification. Effective incident management requires teamwork, task work, and high levels of personal competencies, such as empathy and diplomacy, to ensure the achievement of group goals.

Whilst it is absolutely essential to involve those with deep technical expertise, the response team must reach across every discipline within an organisation and be coordinated by someone whose competencies match those of an emergency manager.

Are there any best practices to follow when it comes to attack mitigation?

The organisations best placed to survive a cyberattack are those following two key principles: timeliness and a targeted response. Organisations must act quickly. All IT systems need to be monitored continuously and all anomalies should be reported swiftly to a central point. This isn’t something to simply palm off to the IT department. The wider business must be involved, regularly reviewing the organisation’s strategy to ensure that attacks are spotted as soon as possible – most importantly before press, customers, or other stakeholders are alerted.

A quick and targeted response will give businesses the best chance to contain and eradicate an attack before too much damage is done. With this approach, should a serious attack come to light, the business will be in the best possible position to demonstrate that it is in control of the situation.

How should the flow of information be managed when an attack occurs?

Effective communication of a cyberattack requires teamwork as well as open and collaborative channels. This will ensure that information is passed on quickly and coherently to the right points of contact.

Are there any other liabilities organisations should look out for after an attack has been spotted?

Even if an organisation successfully navigates the recognition, response, and recovery stages of a cyberattack, it may fall at the last hurdle by underestimating further liabilities. There are a whole host of additional liabilities, such as blackmail attempts and ransomware, that organisations often overlook when carrying out the cost-benefit analysis of cybersecurity and cyberattack response measures.

Other costs include regulatory liabilities, both wide-reaching and sector-specific. Within the UK financial services sector, for example, the sector’s own industry regulators have historically levied greater fines for security breaches than the Information Commissioner.

Beyond technical fixes, are there any steps businesses should take to ensure they reduce downtime?

The technical recovery from a cyberattack takes time and involves expert resources. The typical steps required to contain a cyberattack are lengthy, as are the processes that allow the system to be returned to its users. Therefore, it is highly recommended that the organisation makes provision for alternative working arrangements and backup systems to allow the business to keep moving during the blocking and rebuilding stage.

Dr Sandra Bell, Head of BC & ISDG Consulting (Europe), Sungard Availability Services

Image source: Shutterstock/m00osfoto