Mitigation, protection and response — an approach to cyber security
If last year is anything to go by regarding the rate and sophistication of cyber attacks, 2017 is set to see a marked increase in both. For businesses, the prevailing attitude has changed. In years gone by there was a wait-and-see approach when it came to cyber security, but as attacks and data breaches were more widely reported many organisations have adopted a “when, not if” approach.
The inevitability of an attack has seen spending on cyber security increase fairly dramatically: in the UK alone, businesses doubled cyber security budgets in 2015, and globally IDC anticipates that by 2020 organisations will pay out $101.2 billion. While awareness of the threat has increased and budgets have changed accordingly, the key thing to remember is that no cyber security approach, tool or software is 100% infallible. This is especially true considering that organisations are not only filled with data and assets that need to be protected, but also with staff, who are often the weakest link in the protection strategy. In fact, according to the Information Commissioner’s Office (ICO), human error is the cause of the majority of data breaches.
Cyber incident response
Part of any cyber security strategy should be incident response; after all, how a business reacts to a breach or attack is often more damaging than the event itself. A cyber response process or plan helps you mitigate risk and minimise the impact an incident will have on your business, employees, customers and your bottom line. An incident response plan can also reduce the time it takes for the business to recover after an event and minimise the costs involved.
Many businesses may not see a need for a plan. Indeed, those that have a plan may find it ineffective, because it is out of date, not integrated across the organisation, or no longer understood after changes in key members of staff. Regardless, a workable, up-to-date plan is critical, especially as the likelihood of a cyber attack is high: in 2016, an average of 230,000 UK businesses suffered a cyber-related incident. According to another study, 49% of companies in the UK fell victim to cyber ransom attacks in 2016.
Developing the plan
So what does this response plan or process typically look like? To start, you need to understand the threat landscape and know just what you’re protecting your organisation from. This step includes categorising security events — such as a DDoS attack, malware or breach. You also need to know what business continuity and disaster recovery plans are already in place and who is responsible for which activity, so that you can build this into your response plan.
You then need to identify your most critical assets, where they are located and the risks around that data. This ties back to categorising security incidents as different events will necessitate a different reaction depending on the type of data — for example, customer, payment or operational information. And in turn, this step will shape and develop your performance objectives.
Practice into action
Taking a very high-level approach, once a plan is implemented and needs to be used to deal with an incident, businesses typically follow four broad steps:
The first deals with the actual identification of the cyber security incident, which may in itself be a challenge. This can be done through monitoring, reviewing log alerts and cyber intelligence, and evaluating threat analytics, which can also help establish exactly what happened. More often than not, working with a trusted IT services company can help with the identification process as well as with the steps that follow.
The second step looks at defining objectives and delving into what happened. Typically, this includes finding out who the attacker(s) are, the scope of the attack, what was affected, what was taken, and the timescale of the attack.
From there, gathering that data allows an organisation to take the appropriate action — tasks such as eliminating the cause of the incident, containing the damage, contacting law enforcement and gathering evidence.
The final area is recovery. Here an organisation needs to ensure that remediation has been carried out correctly, gaps closed, and vulnerabilities assessed. Depending on the type of incident and data affected, this could include things such as password resets, enhancing security and testing systems.
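The four steps above are easier to picture when run over real telemetry. The following script is an added example, not code from the article or from any vendor it refers to: it takes a handful of constructed authentication log lines (made-up hosts, users and RFC 5737 documentation addresses; the `key=value` format is an assumption) and walks identification (a failed-login burst from one source), scoping (accounts targeted, hosts affected, timescale, which account was actually accessed), containment and evidence tasks, and recovery tasks such as password resets.

```python
"""Added example: a small triage script, not from the article, that walks the
four broad response steps over constructed authentication log lines:
identify a failed-login burst, scope it (accounts, hosts, timescale, what was
taken), list containment and evidence tasks, and list recovery tasks such as
password resets. Hosts, users, addresses and the log format are all assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses, made-up users/hosts).
SAMPLE_LOG = """\
2016-11-03T09:12:01Z host=web01 user=alice src=203.0.113.5 result=FAIL
2016-11-03T09:12:03Z host=web01 user=alice src=203.0.113.5 result=FAIL
2016-11-03T09:12:04Z host=web01 user=bob src=203.0.113.5 result=FAIL
2016-11-03T09:12:06Z host=web01 user=bob src=203.0.113.5 result=FAIL
2016-11-03T09:12:09Z host=vpn01 user=carol src=203.0.113.5 result=FAIL
2016-11-03T09:12:11Z host=web01 user=bob src=203.0.113.5 result=SUCCESS
2016-11-03T09:30:00Z host=web01 user=dave src=198.51.100.7 result=FAIL
2016-11-03T09:30:20Z host=web01 user=dave src=198.51.100.7 result=SUCCESS
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def identify_incidents(events, threshold=5, window=timedelta(minutes=10)):
    """Step 1, identification: flag any source that produces `threshold`
    failed logins inside `window`. Returns the set of flagged source addresses."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in fails_by_src.items():
        times.sort()
        # Sliding window over the sorted failure times.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged


def scope_incident(events, src):
    """Step 2, scoping: targeted accounts, affected hosts, the timescale, and
    accounts the flagged source actually logged into (treated as compromised)."""
    related = [e for e in events if e["src"] == src]
    return {
        "src": src,
        "accounts_targeted": sorted({e["user"] for e in related}),
        "hosts": sorted({e["host"] for e in related}),
        "first_seen": min(e["ts"] for e in related),
        "last_seen": max(e["ts"] for e in related),
        "compromised": sorted({e["user"] for e in related
                               if e["result"] == "SUCCESS"}),
    }


def plan_actions(scope):
    """Steps 3 and 4: containment and evidence tasks, then recovery tasks."""
    start = scope["first_seen"].strftime(TS_FMT)
    actions = [
        f"contain: block {scope['src']} at the perimeter",
        f"evidence: preserve auth logs for {', '.join(scope['hosts'])} from {start}",
    ]
    for user in scope["compromised"]:
        actions.append(f"recover: reset password and revoke sessions for {user}")
        actions.append(f"recover: review everything {user} did after {start}")
    return actions


def triage(text):
    """Run all four steps over raw log text; one entry per flagged source."""
    events = parse_log(text)
    report = []
    for src in sorted(identify_incidents(events)):
        scope = scope_incident(events, src)
        report.append({"scope": scope, "actions": plan_actions(scope)})
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        s = item["scope"]
        print(f"{s['src']}: {s['first_seen']} -> {s['last_seen']}, "
              f"targeted {s['accounts_targeted']}, compromised {s['compromised']}")
        for action in item["actions"]:
            print("  -", action)
```

The single mistyped password from 198.51.100.7 is never flagged because it does not reach the burst threshold, which is the point of tying identification to a defined rule rather than to every failed login; the threshold and window are the knobs a team would tune against its own baseline, and the output is the starting list of tasks, not a substitute for the judgement the article describes.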
One of the most important aspects of cyber security is that organisations can rarely go it alone. While programs, strategies and plans certainly do help in protecting valuable assets and the bottom line, expertise and advice from trusted advisors in the IT and cyber security space can be equally valuable. Cyber security is an ongoing endeavour — something that evolves and changes according to the threat landscape, the business itself and the risk it faces — and should address mitigation, protection and response.