
The fundamentals of security incident response during a pandemic and beyond
The principles of identifying, protecting, detecting, responding, and recovering remain the same, even though a fast-growing remote workforce makes each of them harder.
Information security is a never-ending race between defenders and attackers, and COVID-19 adds new obstacles for your company and new openings for cybercriminals. We asked cybersecurity professionals about the difficulties a remote workforce presents for businesses, how to respond effectively to cyberattacks, and the ever-evolving nature of cyberthreats.
The ongoing COVID-19 pandemic complicates the effort to counter an already persistent danger. Every company, large or small, should by now have updated its strategy to account for a shelter-in-place workforce.
What’s at stake?
The impact of a breach ranges from minor to severe. Ransomware can cut off access to data and systems, but the right response depends heavily on the nature of the compromise and the scope of what was affected. If a single workstation has been encrypted, the cure may be as simple as a complete rebuild, which costs some downtime but little else. If a data centre or key servers are hit, the consequences can be dire. Even though paying the ransom is often only the beginning of the misery, for many businesses the potential damage is so great that transferring hundreds of thousands of dollars in cryptocurrency to criminals looks like the rational choice.
“Even if you can find a means to pay, can afford to pay, and have a trustworthy enough criminal,” says Drew Simonis, deputy chief information security officer at HPE, restoring systems with the criminal’s decryption keys can still take months. How long can your company go without producing anything? A large corporation may be able to absorb it, Simonis adds. “For a startup? That may mean the end of their company.”
The five pillars of cybersecurity
There’s no getting around the fact that your company’s size shapes both the threats you face and the resources at your disposal. The NIST Cybersecurity Framework, however, lays out the same five core functions regardless of size: identify, protect, detect, respond, and recover. Together they cover establishing the state of your defences, eliminating as many weak points as possible, spotting an attack in progress, responding to it swiftly, resuming normal operations, and eliminating the root cause so it cannot recur.
Not every company is the same. According to Simonis, a large corporation already has in-house everything it needs to deal with a breach, including “investigators, forensic competence, the ability to design a plan based on the breach and put that plan into effect.” Response plans vary in scope and cost, and the difficulties already faced by small and medium-sized businesses are compounded by the pandemic.
However, “just because you can pay, can afford to pay, and have a trustworthy enough criminal… does not guarantee that you will escape the attack.”
The COVID factor
A largely remote workforce complicates every stage of incident handling. The pandemic hasn’t changed the basics, but it has created new openings for criminals: a surge in social-engineering attacks that target the people in your organisation, especially with emotive pleas. The World Health Organization, for example, saw five times as many cyberattacks in April 2020 as it usually does.
“Security teams have to learn to sift through things they didn’t have to go through previously,” says J.J. Thompson, senior director of managed threat response at Sophos.
Google’s Threat Analysis Group warns of phishing campaigns aimed at the general public that masquerade as government services. Email, message-board and social-engineering attacks will still be with us after the pandemic, but for now they are more successful. Phishing lures posing as COVID test results are just one example of the danger of COVID-themed attacks. “We all have a more porous social engineering filter than we did previously,” the group adds.
The difficulties the pandemic has brought to light may not even be new, and they certainly aren’t going away. “What you have to be able to cope with is an environment in which you can’t trust messaging that originates from outside your organisation. Be wary of any request for help that comes from outside sources,” says HPE’s Simonis. He recommends picking up the phone to verify any out-of-the-ordinary request wherever possible.
Eliminating human vulnerabilities also means building systems that are prepared for the certainty that people will make mistakes. “Assume all of those procedures are going to fail,” adds Thompson. “No matter how many times you train somebody not to click on anything, they’re going to do it anyhow.” The aim is to put mechanisms in place that step in when humans fall short, such as detecting anomalous logins even when the credentials presented are legitimate.
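One concrete form of that safety net, as an added example that is not from the article or from any product mentioned in it: a small detector that reads authentication log lines and flags successful logins that are out of character for the account, namely a login from a country the user has never logged in from and “impossible travel” (two logins too far apart for the time between them). The log format, the prefix-keyed geolocation table, the per-user baseline of known countries and the 900 km/h speed threshold are all assumptions made for the illustration; a real deployment would take these from the identity provider’s logs and a GeoIP database.

```python
"""Second line of defence when a user's credentials have been phished:
flag successful logins that are anomalous for the account even though the
password was correct.  Two rules: a login from a country the user has never
logged in from, and impossible travel (two logins too far apart in distance
for the time between them).

Added illustration.  The log format, the prefix-keyed GEO table and the
BASELINE of known countries are assumptions, not any real product's data."""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines: "<UTC timestamp> <user> <result> <source IP>".
SAMPLE_LOG = """\
2020-04-06T08:02:11Z alice SUCCESS 203.0.113.5
2020-04-06T08:40:37Z bob SUCCESS 198.51.100.17
2020-04-06T09:15:02Z alice SUCCESS 203.0.113.5
2020-04-06T09:20:44Z alice SUCCESS 192.0.2.88
2020-04-06T11:03:19Z bob SUCCESS 198.51.100.40
2020-04-07T07:55:00Z bob FAILURE 192.0.2.201
2020-04-07T07:55:30Z bob SUCCESS 192.0.2.201
"""

# Assumed geolocation keyed by /24 prefix: (lat, lon, country).
# A real deployment would query a GeoIP database instead.
GEO: Dict[str, Tuple[float, float, str]] = {
    "203.0.113": (51.5, -0.1, "GB"),
    "198.51.100": (40.7, -74.0, "US"),
    "192.0.2": (35.7, 139.7, "JP"),
}

# Assumed baseline: countries each account has legitimately used before.
BASELINE: Dict[str, Set[str]] = {"alice": {"GB"}, "bob": {"US"}}

# Anything faster than a commercial flight counts as impossible travel.
MAX_SPEED_KMH = 900.0


@dataclass
class Login:
    ts: datetime
    user: str
    success: bool
    ip: str


def parse(log: str) -> List[Login]:
    """Parse the constructed log format into Login records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, result == "SUCCESS", ip))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def locate(ip: str) -> Optional[Tuple[float, float, str]]:
    return GEO.get(ip.rsplit(".", 1)[0])


def detect(logins: List[Login],
           baseline: Dict[str, Set[str]]) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, rule, detail) alerts for successful logins.
    Failed attempts are skipped on purpose: the point is to catch valid
    credentials used from the wrong place, not brute force."""
    known = {user: set(countries) for user, countries in baseline.items()}
    last: Dict[str, Tuple[datetime, float, float]] = {}
    alerts = []
    for ev in sorted(logins, key=lambda e: e.ts):
        if not ev.success:
            continue
        loc = locate(ev.ip)
        if loc is None:
            alerts.append((ev.ts, ev.user, "unknown_location", ev.ip))
            continue
        lat, lon, country = loc
        if country not in known.setdefault(ev.user, set()):
            alerts.append((ev.ts, ev.user, "new_country", country))
            known[ev.user].add(country)
        if ev.user in last:
            prev_ts, prev_lat, prev_lon = last[ev.user]
            hours = (ev.ts - prev_ts).total_seconds() / 3600.0
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            # Compared as km > speed*hours so a zero interval with any distance is caught.
            if km > MAX_SPEED_KMH * hours:
                alerts.append((ev.ts, ev.user, "impossible_travel",
                               "%.0f km in %.2f h" % (km, hours)))
        last[ev.user] = (ev.ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(parse(SAMPLE_LOG), BASELINE):
        print(ts.isoformat(), user, rule, detail)
```

On the constructed log, alice’s login from Japan five minutes after one from London fires both rules, while bob’s Japan login the next morning fires only the new-country rule, since twenty hours is enough time to fly there; the two rules deliberately catch different things, and neither depends on the password having been wrong.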
What you can do today
No amount of careful backing up can replace a well-thought-out incident response plan. Some security incidents cannot be undone by restoring a backup. Gary Campbell, HPE’s chief technology officer for security, has observed that “almost all ransomware waits three days to get through two or three backup cycles before actually asking for the money.” Even if you have backups, they may not be enough to avert catastrophe. According to him, “re-imaging a server in the data centre normally takes six days, providing the backups are good.” With tens of thousands of servers, rolling back could cost more and cause more disruption than paying the ransom.
Developing an incident response strategy is a challenge for businesses of any size. One of the most effective forms of practice, and one any company can use, is the tabletop exercise: a paper-based simulation of a breach that tests your team’s preparedness and ability to make quick decisions under pressure. Any gaps in your capabilities will have to be filled with outside help, so it is important to identify them early, says Simonis.
That could mean supplementing specific gaps with targeted, specialised solutions or outsourcing your security operations to a professional firm. A vulnerability assessment conducted by the right outside party can reveal flaws that are harder to spot in routine exercises.
Waiting two or three weeks to engage a consultant is the worst case, so it is important to have those arrangements in place ahead of time, as Simonis puts it: “Minutes and hours can make a difference in these types of breaches. The sooner you can analyse and eradicate, the sooner you can be confident that you’ve done it effectively.”
Responding and recovering
Simonis says that while everyone has an idea of what to do, actually putting it into action is another matter. “Individuals rarely test their ideas with a drill. They never put their strategies through any form of rigorous training,” he says. “The only thing more frequent than not having a plan is having a plan that is very dusty and doesn’t actually work.”
The little things, like knowing who to call at 2 a.m. with bad news, can make a big impact when it comes to incident response, says Simon Leech, senior adviser for security and risk management at HPE Pointnext Services.
In the event of a breach, it is essential to determine how the attacker got in and then close that opening. Without a procedure to confirm the infection has been contained before systems are cleaned up and returned to the network, Leech says, “you’re basically going to be playing Whac-A-Mole, hunting down servers that keep being reinfected.”
Simonis cites boxer Mike Tyson’s famous comment, “Everyone has a plan until you get punched in the mouth,” to argue that it is just as vital to know what to do when your plan is tested as it is to have one in the first place.
Security incident response: Lessons for leaders
- Planning is only the beginning. Put your plan to the test with drills and tabletop exercises, and bring in outside specialists where you find gaps in your capabilities.
- In the event of a ransomware attack, don’t count on backups or on having the funds to pay the ransom. Such attacks can be disastrous for smaller organisations.
- Stick to the fundamentals.