The sophistication and frequency of cyber attacks increases every day. In this year alone, major hotel chains MGM and Marriott suffered huge leaks and data dumps. The highest-profile Twitter accounts were compromised in a scheme involving classic social engineering and crypto payments. And Magellan Health, a Fortune 500 company, suffered a phishing-based ransomware attack.
When these events occur in your company (and that is “when”, not “if”), how can you be sure that you are responding to them in the best possible way to limit the financial and reputational damage to your organization? We are now beginning to see broader adoption of Digital Intelligence (DI) tools by multinational companies, major government agencies, and law enforcement agencies looking to keep up with an ever-evolving landscape. Digital intelligence is defined as the data collected and preserved from digital sources and data types (smartphones, computers, and the cloud) and the process by which agencies access, manage, and obtain information from this data in order to conduct their investigations more efficiently. Incident Response (IR) is a key component of any company’s DI strategy and often represents the “front line” – the first and best opportunity your organization will have to respond to a potentially devastating event.
A simple framework for successful IR can be divided into Before, During and After incidents occur.
Before: preparation is essential
Like most successful things in life, good IR begins with good planning. We divide it into four pillars: Detection and Reporting, Triage and Analysis, Containment and Neutralization, and Recovery. Your organization needs to have the tools and processes to manage each of these segments, and even with the basic concepts in place, you are much more likely to identify an attack in its early stages. If you can do that, you’re much more likely to thwart threats in the long run.
The heart of these four pillars, the tools themselves, can be developed in-house or with help, and the best approach is to make sure your organization has the answers to these fundamental questions along the way.
- Detection and reporting: Is your organization confident that it can detect significant anomalies in a timely manner and does it have clear and well-publicized processes to report them?
- Triage and analysis: Can the organization act quickly and accurately to classify threats, respond appropriately, and does it have the tools to analyze and understand the root causes of problems?
- Containment and neutralization: Can the threat be adequately and accurately contained without major disruption to systems? Can it be neutralized in a way that preserves as much information as possible for investigation?
- Recovery and learning: In the event that damage has already occurred, are there comprehensive contingency plans beyond technical safeguards, including immediate public relations and future process directives?
During: Education, cultural factors and good processes
Obviously, a malicious actor or hacker won’t walk in through the front door or go after the most secure part of the business first. In many cases, they will seek to gain a foothold by targeting employees who do not consider themselves “targets” of cyberattacks (e.g., through phishing and social engineering). Organizations must do two important things:
- Educate employees. Companies should educate all employees, regardless of position, about the common security risks they may face and how to start recognizing something that seems “out of place.” In one case, a CFO received an urgent message from her CEO asking her to wire a large sum of money abroad for a business opportunity that was about to expire. Pressured to secure the deal, the CFO transferred the money, only to find, of course, that the CEO had never sent such an email and was being digitally spoofed. CFOs, and indeed every member of senior management, must be fully aware of these tactics. However, we would never view this as a personal failure, but rather as a deficiency in proper security education.
- Establish a culture of trust. Employees need to feel comfortable admitting they were the victims of a phishing attack (for example) so that response teams can get started quickly. They should know that they are in a safe environment and that security teams want to help and respond quickly, not find someone to throw under the bus.
After: Develop the sophistication to be proactive about security.
With good planning, education, and culture, a company can begin to be proactive in the face of security threats. With the processes and habits ingrained in employees, security teams (and the entire organization) can begin to tackle more threats before they have a major impact. And, with some investment in digital forensics, they can even begin to understand who is targeting them and why. The far-reaching reputational and financial consequences of a cyber incident can be devastating or even end the business, and companies should invest in IR accordingly.
After any significant event, an organization must move to establish a “new normal.” This is an opportunity to find areas for improvement and prepare even better. The goal should be that next time, because there will be a next time, the company’s response will be even better and faster. Even when things are working as they should and attacks are stopped before they can cause serious damage, there is a lot to learn. Can employees be better educated? Do cultural issues continue to negatively affect the security of your organization? Are technology updates needed?
With the right expertise, tools, and strategy, organizations can turn seemingly disastrous events into moments of real learning, additional preparation, and actionable business insight – the promised land of sophisticated enterprise-level digital intelligence.