Over the last 2 years there has been an explosion of cyber-attacks on all areas of society and business, ranging from ransomware and throttled access to the services a company offers to the public or to other companies, to outright destruction of production. According to the US company PurpleSec LLC, in 2021 the trend for cyber-attacks had risen 600% from previous years. One of the key drivers of this trend was the move to hybrid and working-from-home environments. This move away from the security blanket of a managed network service, as provided in the company environment, opened the possibility of attacks on work-oriented equipment taken home. While many companies scaled and adapted their security environment to account for the lack of robust security in their employees’ home environments, there have been a number for whom the security concern was a secondary priority. For those who have been targeted by threat actors, what are the stages they will have to deal with?
Impact
The impact on any business will vary with how hard they have been hit, what has been hit, and whether there is a knock-on effect on external clients and subsidiaries. The general areas which may be impacted are as follows:
- Financial: Both in incoming revenues and in outgoing expenditure on tackling the attack in the first instance.
- Disruption to Business: Being without a working network can lead to loss of the ability to engage with existing and potential clients.
- Reputation: Existing and potential clients may see the attacked company as an additional risk to their own business and withdraw any planned business with the breached company.
- Professional Standing: Businesses within a similar vertical will be taking note of how the company deals with its situation and how it recovers.
Recovery
Possible stages of recovery from a cyber-attack:
- Recognise and stop the attack: The key factor here is that the victim company fully acknowledges that there is an attack, then focuses on containing it and preventing extensive damage. This primarily means disabling the threat actor’s access to the system by isolating those areas where evidence of an attack is clear. In the case of an internal attack, it would be necessary to identify the end user involved and revoke all access to their user account and any affiliated roles they hold. This holds even if it means shutting down the entire system or network infrastructure, or even terminating any internet connection, until the breach is contained.
- Communicate effectively about the cyber-attack: One of the things some companies are afraid of is communicating outside their internal bubble. However, if the company is completely transparent and informs all relevant parties, internal and external, it can ensure that only factual information is made available, and that no deviation or speculation as to the situation is shared.
- Determine what is lost and the extent of damage: There will be a need to stop and take stock of what has been lost or damaged within the breach area. Once this is done, a recovery procedure should be enacted and the full steps to take identified. This will involve the IT team gathering all the facts of the situation at hand and deploying an effective recovery plan. A key action is the full documentation of how the attack occurred, how it may affect the company’s clients, the devices and other assets affected, the discovery of any individual victims, and what type of attack was carried out, i.e., ransomware, file deletion, file destruction or file removal.
- Repair damage and restore assets: Depending on the level of damage, whether physical or purely to the data, consideration needs to be given to whether the breached company will have to repair or replace the items involved in the attack. A primary consideration would be to restore the missing or damaged data from an offsite or cloud-based backup solution onto whatever hardware is available or newly sourced. This is the best approach for keeping the business up and running while the affected equipment is isolated for further investigation and evidence gathering for any potential litigation.
- Take time to understand your organisation’s/company’s ethical obligations:
  - One consideration for company management is to be open and honest with their employees and clients with regard to the attack. Keeping them on side and informed will give them the impetus to engage in helping to bolster the internal adjustments required to prevent another attack, and to consider other possible avenues of attack which could be plugged.
  - “Data security should be part and parcel of your company’s culture”.
  - Educating the staff about the importance of data protection and highlighting the risks of another breach.
  - Training employees on data threats and how to identify and prevent them before they occur.
  - Continual revision and assessment of all current security protocols and processes. If you deem it necessary, add additional security measures and ensure they are properly communicated and identified to all concerned parties.
- Have a response plan in place: It is common knowledge that every organisation or company is at risk of a potential cyber-attack. It is therefore important to prepare for this and have a plan in place to handle the attack in the most suitable way. This should include plans for data recovery, strengthening security systems, reporting to the authorities, and prepared statements for clients. The result is a business that remains operational, with losses minimised, even after an attack.
- Consider Cyber Insurance: Cyber insurance is a service that helps protect your organisation or company. It will help in recovering from a cyber-attack quickly and effectively in terms of the costs which will be incurred. A discussion with your current insurer or with your vCIO at Tycom could help clarify the need for this cover, as well as guide you through the process of including it as part of your company’s full insurance package, or even as a standalone policy.
Conclusion
Due to the sensitive nature of these attacks, very few companies are willing to step forward and state that they have been breached. The stigma of being breached can be overwhelming to some companies, who fear loss of reputation or customer confidence leading to loss of income. This tendency to keep everything close to their chest and away from public scrutiny gives them the false sense of “if nobody knows it will be alright”.
In practice the affected company will follow the guidance above and ensure that their data assets are:
- Secure, if the breach didn’t get that far.
- Recoverable, if the breach got that far.
- Further secured, to eliminate any further breaches in any scenario.
The company should also inform the ICO (Information Commissioner’s Office) of the situation and of all actions carried out to mitigate it, as well as put in place actions that will prevent the situation arising again.
It can be seen as a “culture thing” for some businesses, where they keep the IT world at arm’s length, especially if it isn’t a primary focus of their company. Over the past few years there has been increased focus on the use and integration of IT technologies, both physical devices and applications, into all areas of working and home life, with some inevitable bleed between the two from hybrid and home working. Ensuring that end users, regardless of seniority within the company, are trained and randomly tested in cybersecurity practices is important.
Key areas for employees to be aware of with cybersecurity health are:
- Two Factor Authentication (2FA).
- Multi-factor Authentication (MFA).
- Security of any physical devices (regardless of desktop/laptop/tablet or mobile phone).
- Security of any cloud-based or internet-accessed business data.
- How they connect any devices to the internet/wireless connections, whether it be for work or social actions.
- Where they surf to while connected to the world wide web/work network.
- Where they are when they are carrying out any online actions (location).
From the Tycom perspective, we refer to previous articles on the use of Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) connections while working out of the office, in combination with the use of MFA/2FA (a further article on MFA is included in this month’s Tycom Tips). The recommendation is for a responsible individual within the company to keep abreast of all cybersecurity trends, as well as ensuring that end users receive guidance and training in all security aspects, so that “they” are not the access point for any breach into the business’s data payload (see previous Tycom Tips on Phishing et al). As a final word, “all” staff members who use any type of IT resource should be aware, or be made aware, of potential breach points and how a breach would affect the company and in turn themselves. They should be always vigilant, and ensure they never need to enact their breach recovery protocols and processes.