As ransomware events become a weekly occurrence, we are asked now more than ever before about ways organizations can reduce impact and increase speed of recovery. Unfortunately, it is difficult to avoid a breach, and many organizations may not realize they have been breached, or that they could be impacted if a vendor is breached, which is what happened with SolarWinds earlier this year.
Organizations need to do their due diligence with vendors: understand which vendors are being leveraged, what security the vendors have in place (such as least-privilege endpoint security), and how they hire employees and operate their business. Organizations should also know whether a vendor's product is white-labeled. For example, in the Kaseya incident earlier this year, there were companies that had no idea their vendor's product was actually white-labeled Kaseya.
Despite the increase in cyber breaches, there are organizations that are still not willing to invest in cybersecurity protection. For those organizations, it is important to know that, when breached (they will be breached; no one is immune), it could take up to a year to fully recover. Unsurprisingly, a breach can become a PR nightmare: research shows that 59% of buyers are likely to avoid companies that suffered from a cyberattack.
For those organizations with cyber insurance, when a breach occurs and the insurance company dispatches an incident response team, one of the organization's greatest assets is an IT vendor that knows the network. The incident response team will have no knowledge of the breached organization's network, but with the support of a vendor that knows the system, they can more quickly identify the initial cause and lock it down. To shut down the breach, the team needs to know how the attackers accessed the system (for example, through email or a vulnerable host) in order to find patient zero and determine what needs to be protected. Otherwise, the team is left to lock down everything and hope for the best outcome.
Once the breach is blocked, recovery can take months, sometimes 6-8 months or even up to a year. After the system is locked down, it needs to be restored from backups (if they exist). The team will then need to put frameworks in place to stop the spread and prevent future attacks: hardening firewalls, deploying endpoint security, testing, patching, setting up multi-factor authentication, and installing backup antivirus protection.
Most importantly, employees need to be trained. Teaching your users to pay attention can have a tremendous impact: users acting as a security team can stop 70-80% of attacks.
Here are a few ways organizations can prepare for a cyber attack to reduce impact and increase speed of recovery.
- Backups – when your organization is breached, you will lose assets, so it is imperative to have strong backup systems that are frequently tested and verified
- EDR platform – as a business, you need strong antivirus protection; off-the-shelf products are not sophisticated enough
- Multi-factor authentication – weak passwords are an easy access point for attackers. Organizations need to require strong passwords and multi-factor authentication
- Email security – employees need to be trained on how to identify suspicious emails and what to do if they think they have received one
- Testing – testing the system and the protections in place, along with the plan for responding to a breach, is critical to ensuring the team and all affected employees know how to respond, like a fire drill
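The first and last items above, backups that are "frequently tested and verified" and testing as a routine drill, are easy to state and easy to skip. The script below is an added example, not code from the original article or from any vendor it mentions, of what a scheduled verification job can check: every file in a backup set is present, each file still matches the SHA-256 recorded when the backup was taken, nothing unexpected has appeared in the set, and the set is not older than a freshness threshold. The manifest file name, the sample files and the timestamps are constructed for the illustration.

```python
"""
Backup verification check (added example, not from the original article).

Verifies a backup directory against a manifest written when the backup
was taken: presence, SHA-256 integrity, unexpected files, and freshness.
The manifest format (MANIFEST.json) and the sample data are assumptions.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

MANIFEST_NAME = "MANIFEST.json"  # assumed manifest filename, not a standard


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _data_files(backup_dir: Path) -> Dict[str, Path]:
    """Map relative path -> Path for every file in the set except the manifest itself."""
    return {
        str(p.relative_to(backup_dir)): p
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path, taken_at: float) -> Path:
    """Record the hash of every file plus the time the backup was taken."""
    files = {rel: sha256_of(p) for rel, p in _data_files(backup_dir).items()}
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps({"taken_at": taken_at, "files": files}, indent=2))
    return out


def verify_backup(backup_dir: Path, max_age_hours: float,
                  now: Optional[float] = None) -> dict:
    """Return a report of missing, corrupted and unexpected files, staleness, and overall ok."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    present = _data_files(backup_dir)
    report = {"missing": [], "corrupted": [], "unexpected": [], "stale": False}
    report["stale"] = (now - manifest["taken_at"]) > max_age_hours * 3600
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_of(present[rel]) != digest:  # silent corruption or encryption
            report["corrupted"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    report["ok"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo() -> Tuple[dict, dict]:
    """Constructed scenario: a fresh, intact set, then the same set tampered with and aged."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(
            b"-- constructed dump\nINSERT INTO customers VALUES (1, 'acme');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        taken = 1_700_000_000.0  # constructed timestamp of the backup run
        write_manifest(backup, taken)
        good = verify_backup(backup, max_age_hours=24, now=taken + 3600)

        # Simulate what a verification drill should catch: one file overwritten
        # with garbage, one file deleted, one foreign file dropped in, and the
        # set now two days old against a one-day freshness requirement.
        (backup / "db" / "customers.sql").write_bytes(b"\x00garbage")
        (backup / "config.yaml").unlink()
        (backup / "ransom_note.txt").write_bytes(b"constructed foreign file\n")
        bad = verify_backup(backup, max_age_hours=24, now=taken + 48 * 3600)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("fresh, intact backup:", good)
    print("tampered, stale backup:", bad)
```

The hash check only proves the copy matches what was written at backup time; a restore drill onto a clean host, with the application actually started against the restored data, is the test that tells you the backup is usable rather than merely intact.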
In addition to preventative measures, training, and planning, intelligence can help. The FBI provides a lot of information to help teams know what is coming and to understand what an upcoming attack might look like.
Cyber attacks are not going away. They are going to increase and become more devastating as they affect our national infrastructure. We must change the way tech and security work. In the next 5-10 years, discussions around a new approach to security will come to the forefront.
There is a movement underway to transition from defensive to offensive. We have to treat our technology and security systems like an immune system. There are currently no standards for technology because organizations treat it the same as proprietary products, but that needs to change. We need to require products to have effective APIs so they can communicate with each other; then, when threat intelligence platforms see breaches and provide information, there will be tools in place to block the breach across the board.
As cyber attacks become more frequent and more debilitating, it is the responsibility of every organization, no matter its size, to be proactive in developing and evolving its security strategy.