As they say in the security profession, it’s not if, but rather when an organization is going to be hit by a cyber attack. Recent statistics reveal that a cyber attack or data breach occurs roughly every 39 seconds. We interviewed Sassan Hejazi, Director, Technology Solutions, for the February issue of Insights from Kreischer Miller, about what steps to take if your organization experiences a cyber attack.
What initial steps should my business take in the event of a cyber attack?
We recommend a four step process of Containment, Assessment, Management, and Remediation if an incident occurs.
- Containment involves minimizing the damage by limiting the scope. It is critical for containment to occur in a highly urgent manner, as the damage can spread quickly. The key to early response is early detection. Early detection occurs when a user reports the issue quickly or when monitoring tools alert you of an incident. Once you are aware of an attack, it’s important to take basic steps such as disconnecting your systems from the Internet, checking on your firewall settings, changing all passwords, and applying any needed security patches and updates.
- Assessment revolves around determining the extent of the damage. You will need to investigate how the breach occurred and the potential scope of the attack. A security professional will need to review several key IT elements such as system access and security logs, firewall Internet traffic logs, antivirus logs, and internal file and directory permissions and privileges. System access levels should be reviewed by external service providers. It’s important to ensure the security professional has updated system security patches and established proper controls for accessing your systems in a safe manner. You should also have your network architecture, traffic, and segmentation reviewed so that you can determine the extent of penetration throughout your systems. Many companies leverage experienced forensic cyber resources – which can usually be recommended by your cyber insurance firm – to assist with conducting these activities in a rapid fire fashion.
- Management addresses steps that need to be taken to manage any potential legal and public relations fallouts as a result of the breach. It is highly recommended to seek guidance from an experienced attorney familiar with your business and industry. Doing this will ensure that proper steps mandated by state and federal laws are being taken to minimize the aftershocks.
- Remediation efforts should get started after addressing risk containment and management concerns in order to minimize the risk of future occurrences of such events. Fixing the issues that resulted in a breach usually does not address the bigger picture of ensuring higher cyber resiliency levels within the organization. As a result, we recommend conducting a thorough and independent risk assessment to identify all potential vulnerabilities –whether technological or information-related. Then, establish a set of priorities based on risk rankings (critical, high, medium, or low) and devise a longer-term plan for addressing them.
What if my organization does not have a team that is equipped to handle the situation if we do experience a breach?
Having a properly designed cyber insurance policy in place can address many of the challenges stated above. Realizing the need to act quickly when a cyber incident occurs, insurance companies have formed partnerships with an array of cyber forensic, public relations, and legal firms to offer their clients a one stop shop solution approach to dealing with a breach. These arrangements can provide middle market business owners a quick and efficient method for addressing post breach activities rather than having to assemble and manage a team on their own.
Will implementing a cyber program eliminate my organization’s risk of a future attack?
Achieving higher levels of cyber and information security readiness in our increasingly interconnected world is not a one step process. It is a journey that needs to be orchestrated through active engagement of executive management and based on the organization’s risk tolerance and available resources. Having an effective cyber program in place will not eliminate the possibility of a breach, but it will reduce the chances of an attack and enable your organization to respond quickly if an incident occurs.
Sassan S. Hejazi can be reached at Email or 215.441.4600.
You may also like: