One of the biggest crises facing IT departments is the threat posed by cyber-attacks. It’s no longer good enough to keep an eye on things and hope for the best. Few are naïve enough to think their organisation is too small or not interesting to criminals. The bottom line is if it’s important to you, it’s important to them. At the same time, new and sophisticated attack techniques mean hacks are not as visible as they once were – making them more difficult to spot and react to.
Any IT department worth its salt is now adopting a cyber incident response plan as standard. But how should organisations prepare and react to these threats?
Before the hack
No one can pinpoint the moment they’re about to be attacked but there are certainly steps a business can take to minimise that possibility. A large chunk of this comes down to user education and ensuring that the whole company (not just the IT department) understands some of the different types of threats. In doing so, you create a ‘think twice’ culture whereby staff are more sensitive to those red flags when something’s not quite right.
Whale phishing is one example. The attacker identifies a ‘big fish’ within the company (often the Financial Director or CEO) and impersonates them, sending emails to members of staff requesting a bank transfer or a password. Potential recipients need to be vigilant and notice anything that looks unusual. Is the tone of the email unusually formal, for example? Does the font or spacing feel different? If so, they should take a closer look at the sender’s email address. It might appear to be the same but on inspection it may differ by a single letter or be completely different.
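The “take a closer look at the address” check can be automated at the mail gateway. The following is an added example, not code from the original article or from Edge IT Group, of a small sender-impersonation heuristic: it parses the From header, then flags a message when the display name or local part matches a known executive while the address is not theirs, or when the domain is a homoglyph or near-miss of the company domain. The executive list and the `acme-corp.com` domain are constructed placeholders; a real deployment would read them from the directory.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data (assumption): executives worth impersonating and the
# company's own domains. In practice these come from the directory service.
TRUSTED_SENDERS = {
    "Alice Example": "alice.example@acme-corp.com",
    "Bob Finance": "bob.finance@acme-corp.com",
}
TRUSTED_DOMAINS = {"acme-corp.com"}

# A few common homoglyph substitutions seen in lookalike domains: Cyrillic letters
# that render like Latin ones, and digits that stand in for letters.
_HOMOGLYPHS = str.maketrans({
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",
    "\u0440": "p", "\u0445": "x", "\u0456": "i",
    "0": "o", "1": "l",
})


def normalise(text):
    """Fold homoglyphs and accents to plain ASCII so lookalikes compare equal."""
    text = text.translate(_HOMOGLYPHS)
    text = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in text if not unicodedata.combining(ch)).lower()


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def assess_sender(from_header, threshold=0.8):
    """Return the reasons a From header looks like executive impersonation.

    An empty list means nothing unusual was found.
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ["unparseable From header"]
    if addr in TRUSTED_SENDERS.values():
        return []  # the genuine address; nothing to flag

    local, _, domain = addr.partition("@")
    reasons = []

    # 1. Display name or local part borrows an executive's identity while the
    #    address itself is not the executive's real address.
    for exec_name, exec_addr in TRUSTED_SENDERS.items():
        exec_local = exec_addr.partition("@")[0]
        if name and normalise(name) == exec_name.lower():
            reasons.append(
                f"display name '{name}' matches {exec_name} but address is {addr}")
        if normalise(local) == exec_local and domain not in TRUSTED_DOMAINS:
            reasons.append(
                f"local part '{local}' matches {exec_addr} on an external domain")

    # 2. Domain is a homoglyph or a near-miss of a company domain.
    norm_domain = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            continue
        if norm_domain == trusted or similarity(norm_domain, trusted) >= threshold:
            reasons.append(f"domain '{domain}' is a lookalike of '{trusted}'")

    return reasons


if __name__ == "__main__":
    for header in (
        '"Alice Example" <alice.example@acme-corp.com>',   # genuine
        '"Alice Example" <ceo.office@freemail.test>',      # display-name spoof
        "bob.finance@acme-c0rp.com",                        # digit-for-letter domain
        "invoices@acme-corp.co",                            # truncated TLD
        "newsletter@vendor.test",                           # unrelated sender
    ):
        print(header, "->", assess_sender(header) or "ok")
```

Treat a non-empty result as a reason to quarantine or add a warning banner rather than to reject outright; the similarity threshold trades false positives against near-miss domains, and the homoglyph table only covers the substitutions listed, so extend it for the scripts your users actually receive mail in.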
Employee training is not a tick-box exercise; it needs to be carried out regularly so that users are kept up to date with new attack methods and with the standards expected of them.
Companies need to make sure they’re covered from a technical perspective. What anti-malware software is in place? Is the latest patch installed? Is the software up-to-date? Where are files, data and software stored?
Ransomware, for example, will scan a company network looking for shared files it can encrypt. In response, many vendors have upped their game and developed software that watches file activity to detect when files are being encrypted. Check with the anti-malware vendor to see whether this feature is in place – it may be the difference between vital data being held to ransom or not.
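To make the “watch file activity for encryption” idea concrete, here is an added example of the kind of heuristic such products apply; it is not any vendor’s implementation and not code from the original article. It models the write events a file-system filter would see (a constructed `WriteEvent` shape with timestamp, process id, path, and the bytes before and after the write), scores each write by the jump in Shannon entropy, and only raises an alert when one process rewrites many distinct files that way within a short window. The single-file case at the end shows why the rate threshold matters: a backup tool legitimately writing one encrypted archive looks identical at the level of a single write.

```python
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class WriteEvent:
    """One file write as a file-system filter driver would report it (constructed shape)."""

    def __init__(self, ts, pid, path, before, after):
        self.ts = ts            # seconds since monitoring started
        self.pid = pid          # writing process
        self.path = path        # file being rewritten
        self.before = before    # file content before the write (b"" for a new file)
        self.after = after      # file content after the write


def classify_write(ev, high=7.0, jump=2.0):
    """True if a single write looks like in-place encryption.

    Readable documents sit around 4-5 bits/byte; ciphertext is close to 8.
    Requiring both a high absolute entropy and a large jump avoids flagging
    files that were already compressed or encrypted before the write.
    """
    e_before = shannon_entropy(ev.before)
    e_after = shannon_entropy(ev.after)
    return e_after >= high and (e_after - e_before) >= jump


def detect_mass_encryption(events, window=60.0, min_files=5):
    """Return the pids that made encryption-like writes to >= min_files distinct
    files within any `window` seconds. One such write alone is not an alert."""
    hits = defaultdict(list)  # pid -> [(ts, path), ...] in time order
    for ev in sorted(events, key=lambda e: e.ts):
        if classify_write(ev):
            hits[ev.pid].append((ev.ts, ev.path))

    flagged = set()
    for pid, writes in hits.items():
        for start_ts, _ in writes:
            paths = {p for t, p in writes if start_ts <= t < start_ts + window}
            if len(paths) >= min_files:
                flagged.add(pid)
                break
    return flagged


def build_sample_events():
    """Constructed sample telemetry: a ransomware process, a word processor,
    and a backup tool writing a single encrypted archive."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible

    def random_bytes(n):  # stands in for ciphertext
        return bytes(rng.randrange(256) for _ in range(n))

    doc = ("Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 30).encode()
    events = []
    # pid 1337: rewrites six shared documents with ciphertext, one per second
    for i in range(6):
        before = b"Report %d\n" % i + doc
        events.append(WriteEvent(i, 1337, f"share/docs/report{i}.docx", before, random_bytes(len(before))))
    # pid 200: a user saving an edited document (still low entropy)
    events.append(WriteEvent(10, 200, "share/docs/report1.docx", doc, doc + b"\nAppendix A."))
    # pid 300: backup tool writing one new encrypted archive (high entropy, one file)
    events.append(WriteEvent(20, 300, "backup/nightly.bak", b"", random_bytes(4096)))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for ev in sample:
        print(f"t={ev.ts:>3} pid={ev.pid:<5} {ev.path:<28} encryption-like={classify_write(ev)}")
    print("processes to stop and investigate:", detect_mass_encryption(sample))
```

Real products combine this with other signals (extension changes, ransom-note drops, honeypot files) and respond by suspending the process and snapshotting the affected share; the entropy-plus-rate pair shown here is the core of the detection, and the thresholds are the knobs that decide how quickly it fires versus how often a bulk compression job trips it.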
During the hack
One of the worst things that can happen to a company is to be caught on the back foot. The best way to mitigate a cyber-attack is to have a detailed and well-rehearsed response plan that can immediately kick into action. This playbook should contain several things, including information about who to alert.
Another aspect of the breach response should include public reporting. Organisations could have their reputation damaged by failing to disclose a breach when it happens, only for it to become public knowledge later. This could leave customers, suppliers and staff feeling betrayed. This is where having an internal and external comms strategy is crucial.
After an attack – the post-mortem
A cyber-attack is probably the biggest nightmare any IT director can have. If it happens, the technical side of the security response team needs to figure out exactly what let the attackers in.
Was it a misconfigured web server? Unpatched Windows workstations? Overly permissive web proxy settings? Identify the source to close the doors to new attacks – otherwise, companies can find themselves in an endless loop of clean-up and reinfection.
Having carefully evicted the attackers from corporate systems and surveyed the extent of the damage, organisations must repair as much of that damage as possible. This may involve reinstalling compromised systems from known-good media and potentially restoring data from backup. The remediation process also involves reconfiguring network and server software and then monitoring its operation for a period to ensure that everything is behaving normally.
To truly close the circle, however, organisations should learn as much as possible from the attack. The results of this review should be fed back into the company security policy.
Feeding this intelligence into a business impact assessment, so that senior managers can decide on strategic measures, can help prevent further attacks. A risk analysis may show that it is worth investing in more staff security training, for example, or in a change to management processes.
No one likes facing adversity but one true test of an IT director’s character lies in how they deal with it. When hackers strike, the truly savvy IT decision maker will have the tools, processes and contacts in place to manage the situation.
Co-founder & CEO, Edge IT Group