Cyber threats are skyrocketing. As we’ve recently seen, hackers come up with increasingly sophisticated malware, targeting all industries, including the financial sector. While they easily trade hacking tools on the dark web, many companies still fail to properly take into account cybersecurity risks. Since crises are hard to anticipate and complicated to manage, we’re giving you five best practices to avoid critical mistakes:
April and May have been very active months in terms of cyber-attacks. We’ve witnessed not only an increase in volumes but also in the variety of means. On 12 May, hackers launched a cyber-attack considered unprecedented in scale by the Europol. They used the WannaCry ransomware program to encrypt data on hundreds of thousands of computers in over 100 countries and demanded payments to restore access to files. Although we don’t know yet who’s behind the attack, hackers seemed to have used the NSA-developed toolkits that a hacker group has stolen and made available end-April.
Among the many victims are multiple NHS Trusts in the UK, Renault and Nissan in the automotive sector, Fedex and Deutsche Bahn in the transport and logistics sector, and Telefónica and Telenor in the telecommunications sector. Previous attacks include a combined in-memory malware exploits and physical drilling to successfully cash out, in a single night, USD 800,000 from several ATMs in Russia. Hackers have also made the headlines in Dallas, in April, by turning on every emergency sirens at once and causing an evacuation panic around midnight. It took the city’s officials no less than two hours to quiet down the situation, as they were left with no other choice that disconnecting the sirens.
Are companies in Luxembourg at risk?
In Luxembourg, the two most common types of cyber threats remain phishing schemes and the fake president fraud. For the latter, hackers impersonate a trusted party, such as a CFO or a subcontractor. They combine targeted phones calls and emails to get accounting employees ordering wire transfers to bogus accounts. You may argue that a basic attack like this would never pass due diligence processes and the four-eye principle. In practice, it actually does, and more often than you think. Hackers call when employees are alone in the office, sometimes late on a Friday, fake a stressful context and use their empathy to go around controls. Beware: fraudsters are not only after money; they could also target confidential files.
Our 2016 Economic Crime surveyhighlights a significant increase in economic crimes in Luxembourg, with cybercrime ranking first. Losses can be stiff: nearly a quarter (22%) of respondents experienced losses between USD 100,000 and USD 1 million and 14% of respondents suffered losses of even more than USD 1 million. Yet, only 37% of organisations believe they have a security incident response plan fully operational.
Cyber threats involve reputational damage and financial losses, but their impact can go even further. A cyber attack crisis can affect employees, destroy their cohesion and reduce trust levels in the leadership team. When you put in place your crisis management plan, you have to take into account all potential consequences. Here are our five best practices that will help you avoid critical mistakes:
1. Take a step back
When dealing with an information security incident there’s a risk to rush in and take the wrong decisions. Take a step back. In most cases, when you discover the breach, it’s already too late. Hackers have already compromised your confidential files or encrypted your servers with a ransomware. Although the management asks and expects quick solutions from their technical team to fix the issue or at least to limit the impact, rushing in could do more damage than good. For example, shutting down servers would make RAM analysis impossible for forensic teams. Disconnecting them would, however, contain the incident and prevent the ransomware from spreading further in your network. In addition, intruders could be monitoring your reactions and move their timeline accordingly. They could transfer data, destroy servers or erase their logs, which would further complicate the investigation afterwards.
Taking a step back allows you to explore all the available options, assess the impact correctly, choose the most suitable solution and communicate perfectly along the resolution.
2. Involve the right people
Before getting started with the incident containment and recovery, you want to get the right people around the table. For too many times we’ve seen internal squabble polluting the debate among the Crisis Committee’s members. People naturally look for someone to blame and, at the same time, everyone tries to get off the hook. You must keep sight of the objective: the point of managing a crisis is to find solutions, rather than finding a scapegoat (this can wait until later in the process).
Grégory Blachut, Response and Incident Forensics Expert
Often, companies caught in a crisis situation get third parties branded as ‘technical experts’ to help them remediate the situation (e.g. Security Operation Centres or IT companies). This is like allowing an orthopaedic specialist perform a heart surgery. No matter how great their technical expertise in cyber threats is, these people often don’t know your business.
Information security crises are by definition business incidents and the best way to tackle them is getting the right experts, who understand which technical actions to rule out. Otherwise, their actions could irreversibly damage your business. So, make sure you have a trustworthy team combining both technical expertise and business knowledge.
3. Assess the impact
Before investigating the root cause, you have to assess the impact of the security incident. Your technical teams should do this at least once before summoning the Crisis Committee. Unfortunately, due to poorly enforced incident management governance processes, people frequently skip this step.
Assessing the impact requires extra efforts to gather pieces of knowledge, but it’s essential to make sure you deploy the right resources to manage the incident. Since you need to react and evaluate your options with serenity, you must know what’s going on. Information is the core of your defence against cyber threats. You have to list the involved assets and evaluate their information classification level. Companies with poor events and logging capacities subsist until they’re caught by surprise. Even when they reach out to their Crisis Committee in a hurry, wasting resources in the process, it’s most of the time too little, too late.
4. Communicate clearly and honestly
Communication is the toughest element to master during a crisis. Outstanding communication can smoothly get you out of a crisis situation, while a single misguided public statement could make your market share plummet. Keep in mind that you can’t fully control communication. There are too many external parties who can comment on the events: media, competitors, employees, authorities, etc.. The best you can do is issue the right statements, at the right time.
Your messages have to be clear and honest about the incident, especially when there’s a breach of customer data. You need to appear on top of the situation and show strength with a mitigation plan. Rather than listing tedious technical details, insist on the lessons learnt and focus on earning back clients’ trust. This is particularly important in a public sphere dominated by social networks and viral messaging.
Communication needs to happen at the right time, which is when you have sufficient information. Coming back on your own statement can be tough. Waiting too long to communicate may lead the public to think you’re not in control. Designing communication templates ahead and testing them gives you a great advantage. This could also ensure your communication remains professional and tailored to the incident.
5. Keep preparing for the worst
Preparation for cyber threats is key. The more prepared you are, the easier will be to deal with the incident’s impact. Preparation incentives must come from the top. The Chief Information Security Officer (CISO) and the information security stakeholders have to define the right incident management governance.
Your incident management process should describe the five main steps shown below, and mention the role and responsibilities of your employees for each of them.
Incident detection: which detection mechanism to put in place (i.e. logs from monitoring servers, intrusion prevention and detection systems, antiviruses, etc.) and which ticketing systems to use to centralise the reporting and facilitate the incident’s confirmation.
Impact assessment: how to assess the impact and how to classify incidents once they’re confirmed.
Containment: how to conduct the analysis and which containment options to consider from the analysis results, or how to escalate as a last resort.
Recovery: how to remediate the incident and prevent similar ones from happening again.
Conclusion: which key performance indicators (KPIs) to consider and how to draw valuable and meaningful lessons from the incident’s resolution.
What we think
Vincent Villers, Cybersecurity Leader
Feeling prepared can lead to overconfidence in your capabilities. When is the last time you performed a stress test in your company? Are you confident your infrastructure is bullet proof to cyber threats? Do you believe your employees know how to spot phishing emails? Is your Board accustomed to managing crises? If those questions raise doubts, you may want to think twice. In our experience, companies which report no cybersecurity incidents are the ones with the lowest detection capabilities. There are several options available if you want to test your business resilience to cyber threats: penetration testing on your infrastructure, custom phishing campaigns to challenge your employees or even crisis simulation games for your Board. These leave you with all cards in hand to protect your business.
If you’d like to know more about cybersecurity and existing solutions, click here.
