According to a recent survey by HM government, security breaches are on the rise with 90 per cent of large organisations reporting at least one incident in 2015, compared to 81 per cent the year before.
Despite this, many organisations are still guilty of taking a laissez-faire attitude to security – only putting procedures in place to respond to and deal with breaches after suffering an attack.
This ‘head in the sand’ approach to IT security is detrimental to businesses. In this new security age, where it’s not a case of ‘if’ but ‘when’ a breach will occur, it is essential that plans are in place so that organisations know what to do in the aftermath of an incident.
In today’s online landscape, cyber attackers have the upper hand, with unfettered access to easy-to-use tools suitable for cyber criminals of all skill levels. This ‘hacking for dummies’ era means that cyber threats can come from anyone, anywhere, at any time, and businesses are struggling to keep up.
As a result, businesses need to adjust their approach to cyber security. Although prevention is and will always remain crucial, businesses also need to have a contingency plan in place for when a breach does happen. In many ways, this ‘what happens next’ piece of the puzzle is just as, if not more, important than the prevention itself.
Adopting a breach mentality
When adopting a breach mentality, the first dilemma that IT pros often face is whether to shut down the attacker then and there or monitor the activity in a ‘better the devil you know’ intelligence gathering exercise.
Take a data centre, for example. These are particularly tempting targets for hackers because of the density of technology and data in a single place. Once inside, attackers can go from system to system, mining the data with impunity and using the multitude of different systems and techniques to remain undetected.
In this situation, the natural desire of an IT pro on discovery would be to shut it down and close the attacker out. But is this the wisest thing to do? And would doing so limit the ability to discover the true extent of the breach and the attacker’s level of access? For example, close down one attack and they may still have an all-access pass to the rest of the infrastructure, so this approach could simply force them underground to await another opportunity when no one’s looking.
Alternatively, consider this. What if the policy was to monitor the attacker, analyse their movements and entry points, limiting access to systems as they go in real-time – a form of cyber cat and mouse if you will?
Both have their merits, the key point being that both require pre-planning and business buy-in. In an emergency situation these decisions need to have already been made, with pre-ordained actions planned and ready to go at the push of a button before any breach has taken place.
However, it’s not just about the technology a business has in place when it comes to a security breach – communications are just as essential. As such, it’s important to have a well thought out communications plan in place following a breach. For example, do you understand your contractual obligations to notify your customers? Are there local legal requirements to notify law enforcement?
Planning ahead for what is next following a breach, and working alongside the legal department, means communications plans can be swiftly executed to demonstrate an effective handle on the situation and limit brand damage.
Planning ahead and establishing security breach policies are only valuable if they are regularly updated and reviewed. Creating a to-do list style document that gets filed and forgotten about before going out of date is not enough. In fact, this could lead to complacency and a false sense of security, which could end up having a more detrimental effect on the business.
Out-of-date policies can also be more of a hindrance than a help, slowing down response times as people work through them only to find that specific contacts and system information are no longer valid, requiring yet more time to hunt for the necessary information.
The best way to ensure up-to-date policies are in place is to run quarterly tabletop exercises or simulations to make sure staff know how to respond. This will quickly identify any flaws in the plan before it needs to be implemented in a real emergency.
While it is important to invest in prevention, this alone is insufficient. An organisation focusing entirely on trying to prevent a breach will struggle to detect and respond appropriately when a breach does occur. Ultimately, any preventative steps taken are completely devalued by a lack of planning for what happens next.
When a security breach occurs, how a business responds can make all the difference to the impact of the breach and survival in the aftermath. A well-structured incident response plan, which incorporates all components of an organisation from legal to sales, marketing to engineering, can be a powerful tool when it comes to minimising the potential damage from a cyber-attack.