At Softcat we’ve approached our cyber security marketing differently – we’re not about scaremongering, big dramatic adverts or people in hoodies; instead we focus on what successful security looks like. However, sadly there is one point that everyone else discusses that I do agree with when it comes to cyber, which is the momentum in cyber attacks is increasing.
The operation of the hacking world isn’t actually a million miles from that of other service businesses; the key difference being that the threat actors create their own demand and supply through illegal means. The maturity of some approaches however are increasingly professional, such as the recent CWT ransomware attack, where $4.5 million dollars were paid. What strikes here is the similarity between the ransomware negotiation and that of any other commercial negotiation in business. It normalises that which should cause outrage. Why am I telling you this? Recent research conducted by the Ponemon institute recently reported that 77% (of a sample of 3,600 organisations) do not have an incident response plan, and of those that do, 54% do not regularly test their plans.
The challenge here is that when it comes to cyber, we can’t just think preventatively – and whilst a significant amount of spend within this industry is spent on prevention, isolation, or mitigation of a cyber threat, the same might not be said for the response of success. We’ve heard it all before: ‘nothing is 100% secure’, ‘there’s no silver bullet’, ‘it’s not if, but when’, so I’m not about to spout yet more cliché’s at you. What I can offer is a pragmatic view of how to balance prevention with response. I’ve detailed a three-step process below:
1. Prevent that which is Common.
Every organisation should be looking to prevent the cyber attacks that are common; your everyday, common or garden variety attacks. Phishing, ransomware and social engineering attacks are the ones that often arise here, and are the elements you expect in large volume, and are generally more “try my luck” style attackers. This should be the first step in your maturity process.
Prevent that which is Likely.
Let me make a clear delineation here; likely attack scenarios are ones that you are at a high risk of due to factors such as your industry, geographical location, media coverage, type of organisation and so on. These can, and sometimes do, cross over with common attack scenarios, but that doesn’t have to be the case. For example, if I were to set up a fracking organisation, a likely attack scenario for me could be that of ‘hacktivism’. Whilst for other organisations this may not be common, it is something I should expect due to my industry type. These attacks are often more targeted, more persistent, and can sometimes be executed with greater sophistciation, so expect these to be more mature in nature.
3. Define a process for anything outside of these two categories.
We undertsand the cost of cyber security is growing at a time when budgets and businesses are not so, pragmatically speaking, it’s unrealistic to expect to stop everything unless you have unlimited time and unlimited resources. That being said, what is common and what is more likely to affect your organisation is not a static list – this is a dynamic concept and should be reviewed regularly.
Stakeholders should be involved and progress against these attacks should be monitored. Additionally, if you use monitoring tooling or services, these can be a huge asset in giving quantitative data against these attacks, for example by looking at your email security solution to assess volume of detected phishing attacks. To get the most of this process we should look to the (some would say riveting) world of health and safety. Think of cyber incident response as akin to first aiders. Whilst we take preventative measures as an organisation to make a safe and secure workplace, the reason we have first aiders is because we acknowledge accidents can and do happen, and we need trained, tested, and accountable individuals to act decisively when they occur. Cyber is no different. I’ve no doubt a significant amount of the cyber security budget goes to making your organisation safe and secure, but we need to acknowledge that cyber attacks do happen. Just like first aid, these incident responders should be:
Trained Ensuring the individuals and teams involved in responding to the incident are adequately qualified and capable of executing those duties means your respond will be rapid, well executed, and (with any luck) will work first time.
This response, if not tested, doesn’t provide much comfort. Not only will it provide validation that the response works, it will also enable each individual involved to be able to act confidently. Without testing, if the first time your team comes together during an incident is owed to a real-life attack, there’s a chance things may not work as well as your process hopes.
At the end of the incident, when all the tools are packed away and (hopefully) we all sigh in relief, now the real work begins. Again, much like first aid, we need to systematically review what events lead to this incident occurring, how we acted during and after the incident, and what lessons we can learn to prevent this in future.
Health and Safety vs First Aid Kit
Overall, remember, if your cyber security approach is akin to that of wrapping your workplace in bubble wrap by having as much preventative stuff as possible but no first aiders; or more akin to ensuring you have the best, most well stocked first aid kits with all the elements available for any scenario (even if you don’t necessarily need them!) but no one qualified to use them; then whilst good efforts are not necessarily bad in their own right, the priorities are in the wrong order. Treat cyber like health and safety. Take a look at your organisation, what’s common, what’s likely, what could occur based on how you operate, and start addressing those risks. If we work backwards from there, along with preparing response efforts similar to first aiders in the event of an incident, we will have a truly resilient approach.