Cyber attacks come in all shapes and forms. Organisations of all types and sizes face a growing variety of threats. It’s important to understand that while some attacks are a result of organised and targeted cybercrime, some are the result of one employee mistakenly clicking on a suspicious link at work and downloading malware to the company system.
Therefore, businesses should understand that every person with access to their network can cause a security incident, and they should plan accordingly. Over a 12-month period, we logged more than 245,000 Distributed Denial of Service (DDoS) alerts across AT&T’s global data network. AT&T’s Global Cybersecurity Readiness survey revealed that more than 60 per cent of businesses had an IT security breach in 2015.
In the past year, security incidents have caused major enterprises an average of 23 hours of downtime. Within this, 42 per cent of those organisations said a breach had a major negative impact on their business.
An effective incident response can make or break your business. Some companies have tallied losses in the hundreds of millions of dollars after suffering severe breaches. In those cases, the CEO, CIO, or other executives may take the fall. Security is vital to every process in our operations. The insights from AT&T’s Global Cybersecurity Report show that companies need to adapt and stay protected from the latest threats.
In the first 24 hours, executives must deploy an incident response plan to remove or isolate the infection. C-suite executives must assess legal issues, determine the root cause and define critical business impact.
Preparing for the inevitable
The question is not if, but when a cyber breach happens. Therefore, companies must have an up-to-date and effective incident response program. In recent years the number of attacks has scaled as the methods and tools have become available to the masses. Other threats, like ransomware, are more recent and can cause significant damage.
Executive teams need to be proactive in order to lessen the number of successful cyber attacks. They need to adopt the “when, not if” mindset of the market. Unfortunately, many companies don’t have an incident response plan in place. Among the organisations that don’t, 40 per cent cite a lack of resources or budget as the reason.
Companies need to be prepared in the event of a cyber breach. Regular practice drills can give employees practical experience in reacting more quickly to an insider breach. All of these steps can prevent the loss of data and maintain business continuity.
Before the breach: The best offense is a good defense
Incident response requires company-wide cooperation, so an effective response team should include a stakeholder from every department and representatives from a broad array of interested parties.
- Senior leadership must empower the people who support response initiatives. In turn, CEOs should help reduce risk and prevent the effects of an incident.
- IT security should determine, analyse and interpret the damage. These teams should also lead forensic assessments and organise recovery efforts and internal communications.
- Legal teams must provide legal guidance, review press statements and act as the point of contact for outside legal representation or law enforcement.
- Communications teams must draft press statements and contact the media and the public. Their role is to assess potential public reaction in response to a security incident.
- External groups may provide expert help with incident response forensics and liaise with management on legal, regulatory and service issues.
The CSO will often serve as the primary team leader and coordinator. However, the CEO must be a visible and vocal proponent as well. CEOs should help create response plans and support their teams where required.
Ultimately, CEOs need to assess the strengths and weaknesses of their in-house response team. It is crucial to seek help from outside experts before a breach occurs.
What’s in your incident response playbook?
Members of the leadership team must participate in practice sessions. In some cases, the CEO will take part. Executives should oversee sessions that cover reporting structures, executive decision making, and external communications. These exercises should happen twice a year, if not quarterly.
As business models and cyber threats continually evolve, so must incident response plans. CEOs must make sure that the responses are part of their larger business recovery plans. But a CEO also needs to be flexible. Remember that no matter how well prepared you may be, always assume that something unforeseen will come up.
After the breach: Rapid response
Post-breach activities fall into two main categories:
First, at the first hint of a breach, the playbook identifies a likely threat and places the next steps in order. CEOs should consider building a set of tiered responses to combat any early threats. These ought to be put in place as teams escalate the nature and severity of the threat.
Second, security and IT teams must perform a post-mortem analysis. Computer forensics and other tasks will help senior teams understand the root cause of the breach. In the event of major breaches, the CEO often serves as the lead public spokesperson to deliver messages. Any communication should also include what the company will do to support and compensate customers or any other injured parties.
The priority for IT professionals is how to prepare for and defend against cyber attacks. But many organisations are underprepared because they lack an effective incident response strategy. The process itself is so complex and critical that CEOs must invest significant resources. They should make the process part of company policy in order to keep major breaches at bay.
Our data shows that most of the threats are well known and easily defended against. With the right controls in place, executives should have a custom response plan and a cooperative team at the ready. It is not possible to predict when a cyber breach will hit you. But as I’ve said, the question is not if, but when. A sound cyber security practice consists of strong preparation and a rapid response. This is the same for garden-variety attacks as well as emerging threats. But remember that either can cause damage.
The ability to respond quickly and thoroughly is critical. It will determine whether the breach becomes a minor footnote, or a major distraction that hinders company growth for years to come.
John Vladimir Slamecka, AT&T Region President-Global Business, EMEA