“In business, we plan for success. In cybersecurity we have to plan for failure,” a Fortune 500 executive said to me recently, summarizing the close alignment between business goals and cybersecurity.
A cyber breach can cause untold damage to a company’s operations, sales, reputation and stock price. It can also suddenly end the successful career of a CEO or CSO, as happened with some cyberattacks in recent years.
In fact, Allianz Risk Barometer 2020 – the largest risk survey worldwide – recognized critical business interruptions caused by cybersecurity breaches as the most severe risk to organizations.
Now, while you can never predict when you’ll be hit by a cybersecurity crisis, you can buy time by putting in place a well-rehearsed and effective cyber resilience plan, which is essential to mitigating the worst effects of an attack while keeping the business going. This is becoming a hot topic for chief risk officers, chief information security officers, and company boards as they look at how to bounce back from cyber assault.
Good preparation for a cyber crisis is half the battle. To be able to react quickly and avoid long-term damage, businesses need to simulate a cyberattack to figure out the right responsibilities, potential process gaps or technology issues. This could involve a tabletop exercise where relevant executives gather around a table to wargame how a scenario could unfold.
However, even for the best prepared, a cyber crisis could hit anytime. What should you do if you are the CEO of a hacked company?
Rule 1: Take command. This is personal.
Roll up your sleeves. Merely delegating the work to the IT team during a cyber breach can be dangerous for the company and for you personally. A number of CEOs of large companies recently learned this the hard way. Cyber risk does not affect only your IT network but also your overall business.
Operational disruptions and litigation costs have an immediate effect on your reputation if not prioritized correctly. Hence, it’s not surprising that shareholders are starting to seek personal consequences for executives of companies involved in a cyber crisis. Effective management of a cyber crisis involves board-level engagement at both the COO and CFO level. But a CEO is often the best person to manage it.
Rule 2: It’s all about communication.
When hit by a cyberattack, nobody wants to be in the news and challenged by the public and press. Was it poor cybersecurity or a nation-state hacker? Do you really understand the full extent of leaked data? Are there any further backdoors the attackers might use for sabotage activities?
A cyber crisis is almost always very complex. It can take months to years to answer all those questions. However, the right communication strategy will determine public opinion about how professionally you have managed the incident. So, what are you going to do? Secrecy, full transparency, or the dangerous way in between?
While we can only speculate about the success rate of incidents that were kept secret, there’s enough evidence to show this: Most large enterprises that tried to keep a cyber crisis secret and were busted afterwards failed big time with their reputation.
Moreover, you have to manage all relevant internal stakeholders and vendors to comply with potential regulations for obligatory reports. Some regulators ask for extremely fast reports, such as the Monetary Authority of Singapore (MAS), which demands notification within a few minutes.
But there are many technical variables you can’t control. For example, a range of impactful cyber breaches such as Stuxnet were reported by security researchers who identified evidence of a compromise based on external telemetry and malware samples.
Treating your cyber crisis transparently will bring you benefits such as public support by authorities, researchers and customers. But you need to be ready to take the pressure in communication and execution.
Rule 3: Access cybersecurity expertise.
Most companies employ their own CISO and security staff who will respond to the cyber crisis. But, let me ask you a question: Did your staff really see the full cyber crisis and experience it end-to-end? If you have not run proper tabletop exercises yet and your team has never dealt with a cyber crisis, don’t try to work it out alone. Instead, consider using the following stakeholders in the crisis process:
- Cybersecurity incident and crisis experts: Reporting of the crisis and technical analysis can likely be done more effectively by external companies that have dealt with similar situations or the same threat actor. For instance, most companies lack legal experience with breaches or are not familiar with the Tactics, Techniques and Procedures (TTPs) of the threat actor.
- Security vendors: Most companies are reluctant to treat security vendors as partners. The reality is that security vendors are perhaps the best partners to help you mitigate the threat, given their experience with your security controls.
- Peers: Cybersecurity is a team sport, so we have to be humbler when working with our peers or even competitors. Most of the threats your organization faces have already hit some of your peers. Engaging peers and asking for help is critical.
- Law enforcement: In many countries, engagement of law enforcement is more of a formal act to register the incident. However, some countries have strong capabilities that focus not only on investigating the threat actors but also on helping defend your networks. To address the problem of cybersecurity in a sustainable way, it is always good to engage with law enforcement during or after an incident.
Rule 4: Use smart containment.
Containing a cyber crisis could take years if you randomly follow all recommendations available out there. How do you challenge your CISO on the balance between incident containment and keeping the business going and avoiding panic mode?
Instead of doing everything, your task force can apply a risk-driven containment approach addressing the most important questions: 1. Why were we hacked? 2. What are our crown jewels, and were they impacted? 3. How do we mitigate the threat?
In order to understand how to mitigate the threat, you have to triage the first and second questions properly. Sometimes it is even necessary to leave the attacker in your network for a while in order to determine their true motivations. If the motivation is destructive, you had better get them off the network as soon as possible.
For all targeted attacks aimed specifically at your company and with a defined purpose, such as trying to steal information for espionage or to sabotage the IT system, there is one key question you should always ask your CSO: Have we identified patient zero?
Similar to virus outbreaks in the human world, patient zero can help you reconstruct the path of attack and identify potential hidden backdoors the attacker created as a backup in your network in case they get identified. If your task force can’t identify patient zero, they won’t be able to confirm whether the attacker is still in the network or determine the full scope of the attack.
Rule 5: Be safe, don’t be sorry.
How has the cyber breach impacted your business from a reputational, legal, financial and technical point of view? Have you lost money because you weren’t able to run a server for the last 20 hours?
Estimate the overall cost of the attack. Look for an ongoing operational impact if time was lost working on important projects. This analysis is not only required in case you have hedged your cyber risk with insurance, but will also help you derive the investment required in cybersecurity.
In the end, most organizations that experience a cyber crisis significantly increase their cybersecurity investment. Focusing on principles such as Zero Trust, improving cyber hygiene, and simplifying security processes and technologies are some of the most important – and basic – things to do.
Cyber resilience in a nutshell
No matter your industry, a proper cyber resilience plan is a must if you want to be prepared for the worst-case scenario. Reducing the scope of damage caused by a cyberattack is the primary aim of a cyber resilience plan. Attempting to secure the network is one thing. But activating a well-thought-out and stress-tested business-continuity plan in the event of an attack can save your organization enormous amounts of money and time. So be well prepared.
Sergej Epp is chief security officer, Central European region, for Palo Alto Networks.