Five steps to defending against and recovering from a cyber attack

By Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance

Given how commonplace cyber attacks have become on a global basis, the topic of cyber security is moving increasingly up the board agenda, and rightly so. 

72% of large businesses in the UK said they had identified at least one cybersecurity breach in 12 months and 40% experienced a breach or attack at least once a month. Clearly, businesses are aware of the prevalence and potential damage that attacks can cause.

But how can they be sure that their defence strategy is up to the task? 

How long would it take you to identify a security breach within your organisation? Hours? Days? Months? The average is 101 days – that’s three months that cyber criminals have to exploit the sensitive data that they have acquired due to a flaw in a company’s security systems or processes.

Simple security measures are clearly not enough. Organisations must be equipped and ready to respond to attacks, control the potential fallout and recover as quickly and easily as possible.

Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance, explains that by following five key steps, organisations can deploy a comprehensive cyber resilience strategy. 

1. Identify potential threats:

The first step should be to undertake a thorough risk assessment to highlight any threats that the organisation currently faces to its information assets. Any data that a company values, be that digital assets, offline content and employee knowledge, will also be valuable to a cyber criminal – they all require protection. 

There are a number of risks that could impact an organisation and its information assets, from cyber attacks to human error, theft or accidental loss and even natural disasters. This is where penetration testing can help to identify weaknesses in an organisation’s infrastructure and networks by highlighting vulnerabilities before cyber attackers are able to exploit them. These risks must then be fully evaluated to determine how significant the threat is – how likely is the threat to happen? What could be the resulting impact? 

2. Protect against attack:

The next step is to deploy tools to prevent the attacks, or at least reduce their likelihood or impact. These should take the form of technical controls, such as firewalls, as well as process controls, including policy changes. Detective controls can also be used to observe the environment to detect risk before it causes harm. This could include CCTV cameras or intrusion detection systems monitoring the network. Reactive controls can be deployed to take action in response to an event, such as locking down a particular area or encrypting data after a certain number of failed login attempts.

While technical functions are essential to keep information secure – it’s crucial to ensure any risks related to human error and process failures are not overlooked and a holistic approach is implemented to keep the organisation secure. Information security frameworks such as ISO 27001 consider the people and process aspects of keeping data secure, such as staff awareness, regular training and a culture of continual improvement. An ISO-27001-compliant information security management system is also a risk management approach, meaning that the security measures an organisation should implement are tailored to the specific threats it could face, as well as its risk appetite. By using this approach, organisations can be confident in the fact that they are addressing real threats to the business and not wasting time or resources protecting against threats that are unlikely to happen. 

3. Detect breaches:

It’s true that not all attacks can be prevented, which is exactly why it’s essential to have robust detection mechanisms, such as reviewing logs and constant network monitoring in place to detect unusual activity. This way, organisations can be in control of their defences and be in a position to identify threats and mitigate breaches before they cause damage. 

4. Respond to incidents:

Training is an important factor in an organisation’s cyber resilience strategy, so that in the event of a breach the right response can be followed to limit the potential fallout. Research suggests that over half of organisations do not have processes in place to appropriately train staff in this area. In the current compliance environment, where legislation such as GDPR requires all staff that handle personal data to receive appropriate training, and imposes strong penalties for organisations that don’t, this is a worrying statistic. 

A Business Continuity Management Strategy (BCMS) will include a comprehensive plan that will detail who to contact in the event of a breach, processes for containing the incident, as well as how to keep the situation stable. With a step by step approach, the fallout from a breach can be minimised as much as possible to keep assets protected, and the organisation running at an optimum level. 

It’s also important to record all available evidence and keep a log of response procedures to be reviewed at a later date. This is not only necessary to legally inform subjects that may have been affected by the breach, but also as an audit trail to improve the response process for future incidents. 

5. Recover from attack:

Once the situation is stable following a breach, action should be taken to prevent similar incidents from happening again, or at least ensure that the incident will have a lesser impact in future. Of course, how an organisation recovers from an attack will vary depending on the nature of the incident and the company. For example, the Security of Network and Information Systems Regulations (NIS) dictates specific business continuity processes for certain essential services, such as transport, energy, health and cloud computing, to ensure the continuation of these systems in an effort to keep businesses, citizens and public services protected. 

The BCMS should be comprehensive enough to enable an organisation to operate as close to normal as possible, while it continues to fully recover from the incident. With an established cyber resilience strategy in place and following these five steps, an organisation will be able to detect and survive any incident – and quickly get back to business as usual. 

Image by Pete Linforth from Pixabay