The recent Petya ransomware attack quickly swept around the globe, moving from computers in Ukraine to more than 65 countries and shutting down systems at multinational businesses such as shipping conglomerate Maersk, global law firm DLA Piper, and pharmaceutical giant Merck. As TSC Advantage VP Natalie Lehr said about the recent Wannacry ransomware attack, “the use of leaked NSA hacking tools means criminal organizations and hacktivists now have sophisticated tools at their disposal. This makes timely risk management no longer an ideal: it is an essential business function.”
Organizations should build out programs focused on recovery, business continuity, and resiliency. While any information security risk management plan should contain investment in controls across prevention, detection, corrective, and recovery categories, it is the latter that will be crucial in the event of an attack. Here, a strong investment in processes – opposed to strictly technology – will be the most critical in the timely and safe transition back to normal.
Six elements to consider when thinking about ways to create resiliency within your organization include:
Understand Business Risks. In the event of an incident, what acceptable risk outcomes can your organization tolerate? What are the consequences your organization can live with? For example, what is your tolerance for lost data, or how much downtime your organization can afford in minutes, hours, and days. When you identify what you cannot tolerate from a risk standpoint, either because of its devastating impact on your bottom line or from a reputation standpoint, then focus your investment in controls around that sensitive data first.
Identify critical assets and functions: TSC Advantage often finds that organizations have not identified, classified, and monitored their critical and valuable assets. While this is not an easy undertaking, it makes the job of protecting those assets virtually impossible if you don’t know what exists or where these assets are located. Take this step to ensure sustainment of business-critical operations and vital records during an incident.
Protect Customers/Clients/Employees: Encrypt sensitive data in transit and in storage to reduce the privacy risks from stolen or inaccessible data stores. This ensures that even if records are stolen from your organization, they are of little use to hackers on the black markets. Despite being a basic security function, there are still approximately more than a quarter of companies who don’t encrypt their business data, and roughly 40% who don’t encrypt their employee data. While having back up records preserves corporate access, securing them with encryption defends them against unauthorized access.
Create a Security Policy: A mature cyber security culture starts with establishing cybersecurity goals, adopting best practices, and developing and enforcing policies and procedures. Important to remember, security is neither a single act, nor a vendor sensor. It is the collection of activities that harmonizes corporate investments in people, process and technology. This perspective should guide your approach to information security risk management.
Codify a Plan. Creating a written plan that spells out what would happen in different disaster scenarios is critical. How would your network be affected? Which staff members or vendors will you need to alert? Who will be held accountable? What happens if an incident occurs on the Friday night of a holiday weekend? These are just few of the types of questions that should be explored and answered.
Test the Plan. Once your plan is developed, it is essential to mature it by testing it regularly. If and when disaster strikes, the last thing you want to have is confusion among the organization’s key players, the definition of their roles, and the processes they are set to follow. This requires coordination, rehearsals, and practice.
The extent of victimhood will always be a function of preparation.
Cyber resilience and the processes established to recover from an event are just as important to an organization’s overall security posture as the deployment of technical controls focusing on prevention and detection.