Ever feel like there should be a 12-step program for your cybersecurity career? “Hello, I’m Bob and I’m a recovering cybersecurity professional.” Doing the same old “defense in depth” stuff and still the barbarians get onto your network and wreak havoc. Remember the definition of insanity? “Doing the same thing and expecting different results.” As with any 12-step program, the first step would be to admit that you are powerless against the cyber-attackers.
Am I joking? Well maybe a little. But suffering a cyber-attack, ransomware exploit, email account hijack, or data breach is inevitable. The key to network security may not be how well we keep them off our network, but rather how well and quickly we can identify an incident and “recover” from an intrusion.
The defender’s dilemma is this: You have to defend everything. You have to find and close all the vulnerabilities. But you also have to wait until after the zero-day attack to see how you are going to defend against the new exploit. Defenders are always playing catch-up, and are always a step behind the attackers.
The attacker’s advantage is that they only have to be good once; they only need a single hole in the defensive perimeter to reach their objective.
If we are going to focus on speedy and successful recovery from a cyber incident, what are the steps we need to take to build our “recovery” program?
- Create an incident response plan – Pick your incident response team. This should include a member of senior management, and your legal counsel. This may require a budget if tools are required. Check out NIST Special Publication 800-61r2 for guidance.
- Table-top exercises – Your incident response team should schedule practice sessions 3 or 4 times a year on simulated intrusions to learn the skills needed to work together during an actual crisis.
- Legal and regulatory compliance – Your plan should include the required notifications if the information that is breached is covered by law or other governmental or industry regulations.
- Cyber insurance – Recovering from a breach can be costly. Cyber insurance is one way to fund that expense. If you haven’t looked at cyber insurance recently, premiums are more affordable than they were a few years ago.
- Seek professional help – Small companies do not usually have the talent they need to recover on staff. Check to see if your computer support company is able to supply cybersecurity professionals. Line up the expertise you will need in the fields of cybersecurity, computer forensics, public relations and cyber law.
- Prepare for public exposure – When your company’s breach goes public, and the KARE 11 news team is sitting in your parking lot, it is too late to draft a statement. Prepare for this eventuality as well. Be honest, be transparent. Your company had an incident. (NOT a breach. A breach triggers legal notification requirements.) Your recovery team is analyzing the situation and you will have more information as the investigation progresses.
- Law enforcement – Should you report your incident to the police? Your cyber insurance policy may require it if you plan to make a claim. Understand that once the police are involved, you no longer control the direction of the investigation. You may want to call the FBI. But for sure, you want to report your incident on the Internet Crime Complaint Center (IC3.gov).
Preparing to recover from the inevitable computer incident will help your company reduce the overall expense of the recovery, and prevent costly and unfortunate missteps.