So much so that Allianz Risk Barometer 2020, the largest risk survey worldwide, acknowledged critical business interruptions as a result of cybersecurity breaches to be the most severe risk to organisations.
While you can never pre-empt a cybersecurity crisis, you can buy time by putting in place a well-rehearsed and effective cyber-resilience strategy, which is crucial to mitigating the worst effects of an attack, while keeping the business going. This is increasingly a hot topic for chief risk officers, chief information security officers, and company boards as they consider the best approach to bounce back from cyber-assault.
Good preparation is a must, but in order to be able to react quickly and avoid long-term damage, businesses need to simulate a cyberattack to understand the right responsibilities, potential process gaps or technology issues. This could include a tabletop exercise, where relevant executives huddle around a table to wargame how a scenario could develop.
Yet, even for the best prepared, a cyber-crisis could occur at any given moment. What should you do, if you are the CEO of an affected company?
First - Take command
Get your hands dirty – simply delegating the work to the IT team during a cyber-breach can be dangerous for both the company and for you personally. Don’t learn this the hard way - cyber-risk does not just affect your IT network but also every aspect of your business.
Operational disruptions and litigation costs have an instant impact on your reputation if not prioritised properly. Shareholders are therefore beginning to seek personal consequences for companies involved with a cyber-crisis. Effective management of a cyber-breach necessitates board level engagement at both the COO and CFO level; however, the CEO is often the best person to manage it.
Next – communicate
Nobody wants to be in the news in relation to a cyberattack and be challenged by the public and press as a result. Was it poor cybersecurity or a nation-state hacker? Do you really understand the full extent of leaked data? Could there be any further backdoors the attackers might use to sabotage activities?
A cyber-crisis is almost always very intricate - it can take from months to years to answer all those questions. Though, public opinion on how professionally a company has managed the incident will be determined by its communication strategy. Will you opt for secrecy, full transparency, or the dangerous way in between?
We can but only speculate about the success rate of incidents that were kept in the dark, however there’s enough evidence to support this - most large enterprises that attempted to keep a cyber-crisis under wraps and were busted afterwards failed big time with their reputation.
Furthermore, the company has to manage all relevant internal stakeholders and vendors to comply with potential regulations for obligatory reports. A number of regulators ask for extremely fast reports; for example, the Monetary Authority of Singapore (MAS) demands notification within a few minutes.
Yet, there are of course many technical variables outside of your control. For instance, a range of impactful cyber-breaches were reported by security researchers, who identified evidence of a compromise based on external telemetry and malware samples.
There are many advantages to treating your cyber-crisis transparently such as public support by authorities, researchers, and customers. However, you still need to be ready to take the pressure in communication and execution.
Then - Seek cybersecurity expertise
Most companies employ their own CISO and security staff who are responsible for responding to the cyber-crisis. But, let me ask you a question: Did they really see the full cyber-crisis and experience it end-to-end? If you have not run proper tabletop exercises yet and your dedicated team has never dealt with a cyber-crisis before, don’t try to work it out alone. Instead, consider seeking help from the following stakeholders:
1) Cybersecurity incident and crisis specialists: Crisis and technical analysis reports can likely be done more effectively by external companies that have handled similar situations or the same threat actor. For example, most companies often lack legal experience or are unfamiliar with the Tactics, Techniques and Procedures (TTPs) of the threat actor.
2) Security vendors: Companies are often too shy to consider security vendors as partners. The reality is that security vendors are probably the best partners to help you mitigate the threat given their experience with your security controls.
3) Peers: Cybersecurity requires team effort, so we have to be humbler when working with our peers or even competitors. A lot of the threats your organisation faces have already hit others you may know. Engaging peers and asking for help is critical.
4) Law Enforcement: In many countries the involvement of law enforcement is more of a formal act to register the incident. Yet, a few countries have strong capabilities that focus not only on investigation of the threat actors but also help defend your networks. To address the cause of cybersecurity in a sustainable way, it is always good to engage with law enforcement during or after an incident.
And use smart containment
If you randomly follow all recommendations available out there, containing a cyber-crisis could take years. So, how do you challenge your CISO on the balance between incident containment and keeping the business going, whilst avoiding panic mode?
A company’s task force can be smart by applying a risk-driven containment approach to address the most pressing questions:
1) Why were we hacked in the first place?
2) What are our crown-jewels and were they impacted?
3) How do we mitigate the threat?
Before even trying to mitigate the threat, you have to triage the first and second question correctly. At times, it is necessary to keep the attacker in your own network for a while, in order to determine their true motives. If the motivation is destructive you better get them off the network ASAP.
For all targeted attacks aimed directly at your company and with a defined purpose, such as trying to steal information for espionage or to sabotage the IT infrastructure, there is one key question you should always ask your CSO - Have we identified patient zero?
Similar to virus outbreaks in our world, patient zero can help you reconstruct the path of attack and track down potential hidden backdoors the attacker created as a backup in your network, in case he gets identified. If your task force fails to identify patient zero, they won’t be able to confirm if the attacker is still in the network or determine the full scope of the attack.
Finally - Be safe, not sorry
How has the cyber-crisis affected your business from a reputational, legal, financial and technical perspective? Were there any financial losses as a result of being unable to run a server for the last 20 hours?
Estimate the overall cost of the attack. Identify an ongoing operational impact if time was lost working on important projects. This analysis is required not only when the company has hedged its cyber-risk with insurance but will also help to derive investment needed in cybersecurity.
Ultimately, most organisations that experience a cyber-breach dedicate a significantly increased budget towards cybersecurity. Focusing on principles such as Zero Trust, improving cyber-hygiene, and simplifying security processes and technologies are some of the most important – and easiest – things to do.
Top tip for cyber-resilience
No matter your industry, a proper cyber-resilience plan cannot be neglected if you want to be prepared for the worst-case scenario. Reducing the scope of damage caused by a cyberattack is the primary aim of the plan. Attempting to secure the network is one thing but activating a well-thought out and stress-tested business-continuity plan in the event of an attack can save your organisation huge amounts of money and time. So, be well prepared.
Sergej Epp is chief security officer, Central European region, Palo Alto Networks