Here’s the scenario: Your cybersecurity team comes to you with the news that hackers have successfully breached your network. As a business leader or board member, your first instinct is to tell them to get the affected systems offline or even dispose of them to keep the potential loss as small as possible. And do it quickly!
That immediate reaction may not be the right one, however. In many cases, the more effective way to react is to wait. And watch. Watch what the hackers are doing, what they are looking for, what tools they are using. Wait, let them root around and gather information. You may even be able to identify who they are and what is motivating them.
That advice comes courtesy of Dr. Andreas Rohr, Founding Manager and Chief Technology Officer at Deutsche Cyber-Sicherheitsorganization, GmbH, one of Germany’s leading cybersecurity managed services companies. You should wait if you can, Dr. Rohr advises, but you can’t let them get too far.
“You cannot allow the intrusion to progress to the point where data thieves are clearing out the company silverware under the gaze of company management,” he says. “If criminals are starting to work on databases, design drawings, confidential contracts or the entire customer base, you must disable the ability of the attacker to act and cut the connection immediately.”
Once you make a decision to cut the attackers off, just shutting down systems or connections is not enough. The data needs to be completely removed from the compromised network and a transitional structure must be created.
Plan in Advance
In a larger organization, the process of observing and tracking attackers can take from eight weeks to six months after they have been discovered, Dr. Rohr says, noting that such a waiting period may be hard to tolerate—particularly for board members and executive management.
That’s why the company needs to be united in its response and set the strategy before an attack takes place. “If the discussion starts when you learn about the intrusion, valuable time is being lost—especially since the outcome of the discussion could well be of questionable quality, due to the massive pressure from the crisis situation,” Dr. Rohr says.
Dos and Don’ts
Writing in the newly released book Navigating the Digital Age, Second Edition, Dr. Rohr offers prescriptive advice to help organizations respond to a cyberattack so they can minimize the potential damage and act in a cohesive, coordinated manner to get back to normal as quickly as possible.
Here are some of his dos and don’ts in responding to a cyberattack:
Don’t switch off the computers affected, but instead monitor the attackers by creating real-time visibility.
Do create an ad-hoc committee in advance of an attack and give them a clearly defined path for decision-making so they can meet as soon as a crisis occurs.
Don’t waste time trying to elaborate on the root cause of the attack. This will just slow down your ability to deal with the crisis.
Do have top management sit down with the ad-hoc crisis committee and allow them to get on with their work. That includes making all required resources available to the committee.
Don’t worry about assigning blame. Ultimately, it is the job of the audit team to answer this question during its follow-up.
Do identify the chair of the ad-hoc committee and define his or her respective authorizations in advance of the crisis.
Don’t require individual, constant reporting as your teams are managing through the attack. Perhaps a committee member can be available once a day for 10 minutes to bring top management up to speed on the latest developments.
Do make sure that all appropriate personnel—not just cybersecurity professionals—can be contacted around the clock and are available to work in shifts during a crisis situation.
Don’t wait until the crisis occurs to think about how to pay for necessary resources. It is possible for a written power-of-attorney to be deposited in advance or, in the best-case scenario, for a crisis budget to be allocated.
Do assign a central control body to coordinate all measures beyond the first two weeks. The employee in charge should have experience in having budget discussions with top management and in issuing instructions to the specialist departments involved. This usually rules out external consultants.
Don’t allocate your entire cybersecurity budget to prevention. A good portion of the money should be invested in mechanisms for identifying successful attacks and after-care measures.
Do ensure that a secure communications platform is made available for communicating with everyone involved. The systems otherwise used for email or instant messaging should be generally considered as compromised, and therefore ruled out as a channel for exchanging confidential information.
Don’t forget that technology is only one part of the solution. Your people will determine your success in minimizing the damage of a cyberattack, so make sure you put budget aside for raising awareness.
Do map out a viable plan in advance. It is true that every crisis involves something different and every organization brings a different set of conditions to the table. But it is also true that organizations that are well prepared are much more capable of mitigating the damage if an attack does take place.
In today’s environment, every organization is vulnerable to a cyberattack, Dr. Rohr warns. “Compromised networks are the new normal,” he says. “It does not matter which sector a company operates in or how large or small it is: Professional attackers find data in every organization that can later be turned into economic advantage or cash on the black market.”
Most organizations will be judged on how they respond to an attack, versus the fact that they were attacked in the first place. As Dr. Rohr advises, organizations should take the proper steps and make strategic investments to respond to an attack before the attack ever takes place.
As he writes in Navigating the Digital Age, Second Edition: When it comes to cybersecurity “it is an ounce of preparation that is worth a pound of cure.”
Al Perlman, co-founder of New Reality Media, is an award-winning technology journalist. For the past dozen years he has focused on the intersection between business and technology, with an emphasis on digital transformation, cloud computing, cybersecurity and IT infrastructure.