Getting ready for the next cyber disaster
Getting ready for the next cyber disaster. Are you ready for the next cyber disaster? You may not ever be fully ready. Given the ever-increasing number and variety of threats out there, it’s hard to imagine the many ways in which you could be hit. Twenty years ago, who would have imagined 9/11 or ransomware or the sophistication of today’s social engineering techniques? But even if you can’t be fully prepared, you can avoid being totally unprepared.
There are many things that you can do to be more likely to recover from a major attack or limit how hard it hits you. Being more in touch, more aware, and more prepared are key. Given the proliferation and variety of the threats today, avoiding disaster is a big deal and limiting impact a worthy goal. What are those who deal these issues everyday trying to tell us and how can we put their insights to good use?
Connect, plan, train, and report
The Department of Homeland Security offers these tips for both businesses and communities. Each step in this four-phased approach to becoming more safe and resilient is worth some time and focus. If you need help remembering the four words, think of them as the four consonants in the word “captor”.
- connect — reach out to others in your community, including law enforcement
- plan — make clear plans on how you would handle a security event including disaster recovery and building evacuations
- train — provide your staff or community members with skills on how to recognize and react to suspicious events
- report — report known and suspicious events and make sure your staff knows how to report events as well — including who they should be reporting them to.
Consider the flaws in human nature
The main reason that human engineering attacks work is that people are trusting and often too focussed on being helpful and polite. I’ve heard it said that a hacker’s best friend is often the “nice employee” — the one who goes out of his or her way to make sure that the person on the other end of the line gets what they need.
Ever wonder how easy it might be to trick support technicians on a vendor site into compromising someone’s cell phone account? Check out this ploy played out a little over a year ago at DEF CON — with an allegedly upset woman and a baby crying in the background. Then ask yourself what could have been done to change the outcome. Then ask yourself if someone on your staff would have been so easily duped out of “kindness”.
Get and stay on top of the threats
There are a lot of ways to stay informed and be reminded of ways you can go about being proactive about security. Consider joining Infragard (a partnership between the FBI and members of the private sector) to stay on top of the latest cyber and crime trends. Find out what your peers across the industry are doing by getting to know your local law enforcement representatives and DHS and FBI contacts. Know how to get in touch, along with what to report and when. Become aware of your organization’s vulnerabilities — what is most valuable to you, what is at risk and, to the extent possible, keep sensitive data off systems that can be reached from outside. Educate employees all of the time, though not so much as to numb them to the warnings. Help them to understand that they can be one of the biggest problems. Compromising their systems potentially compromises anything they might have access to.
Practice, practice, practice
Practice emergency response procedures. Today’s preparedness tests are a lot more complicated than the fire drills from your childhood. In an active shooter event or some other event that threatens the lives of your staff, where should they go? How should they exit the building? Where might they go for cover? Will they know how to avoid standing in the line of fire? Who will be coordinating things, reporting to senior management and law enforcement?
Give thought to the “run, hide, fight” responses to attack. This video is probably a good place to start.
Also be sure to provide staff training and periodic reminders of the most important rules that staff members need to follow — not clicking on links unless they absolutely know that they’re legitimate, not allowing “piggybacking” into restricted areas, being careful what they leave exposed on their desks, and always safeguarding the security of their credentials.
Don’t overlook the insider threat
Don’t lose sight of the fact that insiders can be threats too. Even staff that might have been thoroughly investigated when they started working with you might be living under very different circumstances five, ten, fifteen years later. To the extent possible, be tuned into the stresses that might influence people’s motives. And make sure employees understand the implications of non-disclosure agreements that they might have signed many years ago. Company trade secrets are still secrets and they can’t use all the information that may still be in their heads when they move on. Be sure that your company’s exit procedures are clear when it comes to sensitive and proprietary data.