In an article for Bankingtech.com, Peter Cheney, the director of cybersecurity at independent global risk and strategic consulting firm Control Risks, has identified three essential questions that he believes enterprises must ask within the first 48 hours after a network breach:
1. What is the specific nature of the breach?
Enterprises must quickly and accurately determine when the network breach occurred, how it happened, what assets, devices and endpoints have been compromised, what data has been stolen, and perhaps most importantly of all in an era of multi-phase attacks: whether the breach is still unfolding and, if so, what will likely happen next.
“The more information crisis managers have about the situation, the more apparent it will be how to deal with it,” writes Cheney. “The public, the media and customers may be forgiving if the breach resulted from a new and unforeseen piece of malware. They will be less forgiving if the issue continues or happens again, or if the institution was attacked by well-known malware.”
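The scoping work described under the first question (when the breach started, which assets were touched, what data left, and whether activity is still ongoing) is usually the first thing an incident responder reconstructs from telemetry. The following is an added example, not code from Cheney's article or from Control Risks; it assumes a simple constructed line format of `timestamp host event key=value ...` and a handful of invented log lines, and it builds a first-48-hours scoping summary from them: initial host, hosts in order of first appearance, lateral-movement hops, data files accessed, bytes sent outbound, malware families named in alerts, and whether the last observed activity falls inside a configurable "still active" window.

```python
"""Breach scoping from log lines: when it started, what was touched, whether it is ongoing.

Added example with a constructed log format; not the article's own method.
"""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real data). Format: ISO time, host, event, key=value fields.
SAMPLE_LOGS = """\
2024-03-01T09:12:05Z ws-044 alert malware_family=KnownLoader file=invoice.doc.exe
2024-03-01T09:13:40Z ws-044 outbound dst=203.0.113.77 bytes=10240
2024-03-01T11:02:11Z srv-db1 auth user=svc_backup src=ws-044 result=success
2024-03-01T11:05:00Z srv-db1 fileaccess path=/data/customers.csv bytes=52428800
2024-03-01T11:07:30Z srv-db1 outbound dst=203.0.113.77 bytes=52000000
2024-03-01T11:30:02Z ws-019 auth user=svc_backup src=srv-db1 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ?(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "event": m["event"],
        **fields,
    }


def scope_breach(log_text, now, active_window=timedelta(hours=2)):
    """Answer the scoping questions from the log text.

    `now` is the analyst's reference time; activity within `active_window` of the
    last event is reported as still active (the attack may be unfolding).
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    if not events:
        raise ValueError("no parseable events")
    events.sort(key=lambda e: e["ts"])

    # Hosts in order of first appearance give the spread of the intrusion.
    first_seen = {}
    for e in events:
        first_seen.setdefault(e["host"], e["ts"])

    # A successful auth whose source is a different host is a lateral-movement hop.
    lateral = [
        (e["src"], e["host"])
        for e in events
        if e["event"] == "auth" and e.get("result") == "success"
        and e.get("src") and e["src"] != e["host"]
    ]
    data_touched = sorted({e["path"] for e in events if e["event"] == "fileaccess"})
    bytes_out = sum(int(e.get("bytes", 0)) for e in events if e["event"] == "outbound")
    malware = sorted({e["malware_family"] for e in events if e["event"] == "alert" and "malware_family" in e})

    return {
        "started": events[0]["ts"],
        "last_activity": events[-1]["ts"],
        "initial_host": events[0]["host"],
        "hosts": list(first_seen),
        "lateral_movement": lateral,
        "data_touched": data_touched,
        "bytes_out": bytes_out,
        "malware": malware,
        "still_active": now - events[-1]["ts"] <= active_window,
    }


if __name__ == "__main__":
    summary = scope_breach(SAMPLE_LOGS, now=datetime(2024, 3, 1, 12, 0, 0))
    for key, value in summary.items():
        print(f"{key:17} {value}")
```

The `malware` list matters for the point in the quote above: a family that is already well known (as the constructed `KnownLoader` alert is meant to suggest) indicates a detection gap rather than a novel threat, which changes both the remediation priority and the message to stakeholders. In a real engagement the parser would be replaced by the EDR, proxy and authentication log sources actually in use, but the questions the summary answers are the same.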
2. Is there a human element to the breach?
Enterprises need to grasp that while a network breach is technology-led, it is fundamentally driven by individuals and groups. As such, they need to figure out who is behind the attack in order to infer their likely motives. For instance, attacks by nation-states are most likely aimed at destroying data and machines and disrupting operations, while attacks by criminal cyber gangs are most likely targeting personal information and confidential data.
“Only by getting to the bottom of the context for an attack, will organisations be able to respond effectively,” writes Cheney. “Perhaps M&A activity is prompting the attack or is it just opportunistic? Cyber threat analysts will need to work alongside investigators looking at intelligence on the people behind the attack.”
3. How can we minimize the damage of an attack?
Enterprises need to react swiftly in order to prevent or limit the damage, and just as importantly, they need to clearly demonstrate that they are in charge and following an established post-breach process. Otherwise they risk losing control to external entities, like regulators and law enforcement agencies — not to mention having their reputations severely damaged.
“[Breached enterprises] need to demonstrate clearly that they are in control of the situation and are handling it, while keeping stakeholders appropriately informed,” writes Cheney. “Otherwise, the danger is that someone else, such as the regulators, will step in and handle the crisis on their behalf. Organizations need to keep their hands firmly on the steering wheel even as others clutch for it as well.”
Cheney’s advice is valuable, and enterprises need to have competent answers to these questions before they’re victimized by a network breach, not after.
However, underlying this guidance is an even deeper message that, surprisingly, some enterprises have yet to heed: there is no way to 100% prevent a network breach. And that means sooner or later (if not already), bad actors — whether nation states, hackers, adversaries, cyber criminals, or even rogue/ex-employees — are going to slip past their conventional perimeter security defenses. It’s a matter of when, not if.
Enterprises that follow Cheney’s advice and deploy technology to detect network breaches that have made it past their perimeter defenses will be safe. Those that ignore Cheney’s advice and fail to adjust in an evolving cyber threat landscape will find themselves exposed — and likely wishing they had a time machine.