In 2017, numerous security breaches have come to light with some of the largest companies falling prey to cyberattacks – TNT Express, BUPA, Equifax, Deloitte, Three, Sports Direct, NHS and the list goes on. The impact of the security incidents has been materially significant. The recent NotPetya attack has cost big companies millions of dollars in lost revenue.
These companies have at their disposal a fair amount of resources, capital, people and capabilities. So, why can’t organizations get it right when mitigating the effects of security breaches?
Lax approach to security fundamentals
Many organizations are blatantly ignoring security hygiene, which is the leading cause of breaches. The latest report by the National Audit Office, which unequivocally states that the WannaCry ransomware attack could have been pre-empted had basic security protocols been followed, is evidence.
No amount of security investment in the latest, most sophisticated security solutions can eliminate the need for fundamentals like data back-up, patching, network segmentation, security awareness programs and so on.
Also, organizations need to look at security more holistically: ‘knowing what you have before you can protect it’ is the foundation of a successful approach based on the application of relevant security measures geared towards an asset’s importance to the business. Continuously assessing their security maturity is key to understanding all the measures (people, processes and technology) that are in place. This will allow them to determine where changes need to be made to mitigate the impact of a potential breach.
Detection is only part of the solution
A vital mistake that most organizations make is to invest heavily in detection, but not in skills and measures that are needed for incident response. It’s akin to installing security cameras around the building: what happens once the intruder is caught? An international company set aside a big budget to invest in incident detection, but then realized that once incidents and weaknesses were identified, there was no budget, resources or skills to help mitigate and remediate them.
A broad domain
Many organizations fail to appreciate that incident response is a broad domain that can’t be outsourced. It includes all aspects of the business – legal, forensics, internal and external communication initiatives, HR, wider IT and infrastructure and security. Therefore, it is a fundamental business decision (just like finance or any other function) that carries accountability and impacts the bottom line in a tangible way. Different aspects of incident response require different skills and so it cannot and should not be viewed as a single function.
There’s no truly effective ‘off-the-shelf’ solution or approach that organizations can deploy to respond to an incident. Organizations must have in place processes that must be executed when an incident actually happens so that damage and disruption to the business can be minimized. This includes everything from knowing who the first responders in the organization are, who to call and what communications should go out to what the regulatory obligations are. This means that staff need to be trained regularly and well-versed of their actions in this emergency.
Tactical versus strategic
While some security issues can be resolved with a tactical approach, building up the security defenses of an organization often requires a more thorough and strategic approach. If a system has been contaminated with malware, the team can fix issues on a case by case and potentially, on a daily basis. This approach is time-consuming and inefficient.
Organizations can go further. To illustrate, a bank was re-imaging about 100 end-user devices a day to eliminate the risk of malware infecting the business. When they looked closer, they found that the majority of the malware coming into the organization was the result of personal online surfing by employees at lunch time. By moving personal surfing to virtual machines, the bank was able to reduce the need to re-image systems to just 20-30 times a day which reduced both IT costs and lost employee time.
Incident response is about having a smooth process in place to rapidly and effectively respond to a security issue inside the organization in order to minimize damage to all the stakeholders and the business.
To achieve this, organizations must first understand their IT infrastructure and security systems with a clear focus on business-critical systems and regularly put them to the test so that the gaps can be remediated routinely. This requires having the right skills (be they internal or external), to identify issues, prepare an evolving security strategy, plan for the worst and in the event of a breach take urgent action to minimize damage. This approach will go a long way in potentially preventing a crippling attack and/or mitigating its impact on the business.
This approach is no different to stopping a leak in a house. Measures must be taken to prevent a leak from happening, but if it does take place, the house owner must know where the stopcock is to halt the flow of water immediately, and then take action with the advice and guidance of knowledgeable, skilled professionals to fix it so that the event doesn’t repeat.