Stories about breaches, hacks and attacks litter the headlines every day. In the US, the Colonial Pipeline experienced a Darkside ransomware attack that affected more than 10 000 gas stations. Virgin Active was also hit by a hack early in May this year and took weeks to re-establish its systems. And these are just two examples among many.
Stephen Osler, co-founder and business development director at Nclose, says: “The sheer volume of events is a concern. The threat actors and the methods they use are increasingly sophisticated and complex, taking advantage of even the slightest gap in a company’s defences. Many attacks are extremely malicious, and some are driven by intentions other than just money or data.”
The first step the CISO should take is to set the disaster recovery and business continuity plan in motion by notifying leadership. “Transparency is key, as is full insight into how serious the compromise may be, and the challenge that lies ahead. Next step – contain the breach. Determine which servers and systems have been infected and contain them as quickly as possible to minimise the damage and the spread. Notify the teams and get people off the network as fast as possible – from the mobile device to the server mainframe.”
Once the breach has been contained, the next step is identifying the source, says Osler. It’s critical to identify how the event happened and what level of access the bad actors have.
“Even if you switch everything off and rebuild everything from scratch, you still need to know how they got in so you don’t add that vulnerability straight back into the business. Find patient zero.”
What is important, he stresses, is not to panic or pay the ransom, as hackers are unethical and there’s no guarantee that paying will unlock your data and systems, or that they won't sell your data anyway.
“Payment also paints a big, red bullseye on the back of your business, and perhaps your whole industry,” says Osler. “Payment is a risk; non-payment is a risk. Either way, you’ve been hacked and you need to have plans in place to protect your business and your information.”
This means business continuity and disaster recovery strategies need to be rigorously tested, as far as they can be, to ensure the business has clearly defined processes in place for remediation, and that detection systems are as cutting edge as they can get.
“No business or system is perfect – it’s like hitting a moving target that changes shape every 10 seconds – but having the right procedures in place can help you minimise the damage done,” he ends.
Share