The Day of the Ball is not the Time to Learn to Dance
By Rob Sloan, 15 July 2013
For years organisations around the world have looked at the risks that they face and put in place a list of mitigations. Most buildings have a fire risk and in order to mitigate the risk we distribute fire extinguishers around the building making sure the right type of extinguisher is located in the appropriate area. We install sprinkler systems, smoke detectors and have sophisticated alarms which alert the fire service when the alarm is tripped and deliver verbal instructions to staff. We have notices showing escape routes, special emergency exits, meeting points, individuals responsible for orderly evacuation and first aid and most importantly we practice the drill every couple of months, often times gathering data to improve the drill next time. Disaster recovery plans are in place should a building be destroyed to ensure business can carry on. In the event of a real fire everybody knows what they have to do, they are well rehearsed and all being well, minimal casualties and only minor disruption follows. Thankfully, fires are few and far between. So why do we not apply the same level of effort into preparing for cyber incidents given that compromises and data loss are regular events nowadays?
Of course, people rarely die in cyber attacks and few businesses (so far) have actually stopped trading as a direct result of computer network attack or cyber espionage. More often the disruption will be annoying to users, financially damaging, may cause reputational impact, result in the loss of business critical data or intellectual property or risk the security and privacy of your customers. There is no doubt that attacks are ongoing across all sectors of industry; rarely a day goes by without a company releasing a statement about a damaging attack which has resulted in data being lost or confidentiality being compromised. Yet businesses consistently struggle to respond. There is either a shortage of internal skills, external help, an inability to make decisions, a lack of responsibility, lack of technical evidence to support an investigation, or quite often a complete lack of visibility into what is happening on a network leading to organisations not knowing they have even had an incident!
It doesn’t have to be that way, but to improve requires effort, coordination, an organisation-wide group of stakeholders and time.
Proper Planning Prevents…
To be successful the strategy needs an owner, and that owner needs to be suitably senior within the organisation. Often the sponsor will be at board level and it doesn’t always matter what position the sponsor holds. Sometimes it will be the Chief Financial Officer or the Chief Operating Officer, more often it will be the Chief Information Officer. A background in or an understanding of cyber is helpful of course, but not essential; at this level the important thing is the coordination of responsibilities. The cyber incident response strategy is just one, albeit important, part of the wider cyber security strategy.
The strategy owner will want to assemble a group of key stakeholders from across the business to represent various angles of any potential incident: the CISO or equivalent will be essential, as will representation from IT, legal, PR, and data owners from any key area of business who can advise on the potential impact of any incident where data is suspected to have been lost.
This group will be tasked with putting in place the policies which will structure a response, maintaining the relationships with external service providers and authorities, communicating messages about roles and responsibilities, implementing staff awareness campaigns and ultimately, perhaps most importantly, taking the tough decisions during an incident.
If planning for dealing with an incident is the first step, following closely after is anticipating what that incident might look like and this means understanding where the organisation’s risk lies: which data assets must the organisation protect at all costs? Where are the security vulnerabilities which an attacker could exploit and what programs of work are in place to address those? And which threat actors should the organisation really be concerned about, how do they operate and what might be the likely target of an attack?
Answering each of these questions will be substantial pieces of work and will be live ‘programs’ in that as the organisation evolves, so too will the attackers, attack vectors, data at risk and security gaps. Leveraging internal knowledge will be essential, but so too will be finding external partners who can provide independent expert advice on the technical and threat aspects.
You now have plans in place, you have anticipated the incidents and the final step is to practice again and again and again. Individuals need to be given the correct training to ensure that they are capable of carrying out the duties (especially the technical duties) potentially required of them and informing and influencing decisions from a position of knowledge and experience. Defences need to be thoroughly tested using techniques that the threat actors will use against you in order that you get an appreciation of whether your security is adequate and to identify weak points. These ‘Red Teaming’ exercises can also be used as live scenarios for the cyber incident response team to practice their processes. Finally, regular table top exercises which test different elements of response are a must; reacting to different attacks and threat actors requires a familiarity with different response options.
Of course, it should go without saying, if you need help in any aspect of the above, give us a call!