Managing a Cyber Crisis: A How-to in preparing for disaster
Cyber Security Month, October 2017
A cyber crisis is a disaster like no other. Resolving such incidents demands thoughtful procedures and mitigation processes; otherwise, consequences can be dire.
Whether through social engineering (phishing or malware emails, phone calls or physically entering the premises) or infrastructure weaknesses (hijacking, SQL injection, or vulnerability exploitation), hackers often repeatedly try to infiltrate networks until they can finally gain access. Once in a system, the attackers begin the exfiltration process: sourcing personally identifiable information (PII), credit card numbers, email addresses and other pertinent – often confidential – information, and then doing with it as they so please.
Fast (and terrifying) facts from data records compromised in 2016: 
- 3,776,738 records lost or stolen every day
- 157,364 records every hour
- 44 records every second
Just think: in the time it took you to read the article up to this point, over 100 records have already been compromised. According to a report released by Gemalto, roughly 68% of such breach incidents were carried out by a malicious outsider. By type, 59% of these breaches involve identity theft, 18% are to gain financial access, 11% to gain account access, 4% are to find existential data, and, wouldn’t you believe, 8% are done just to be a “nuisance”. While 28% are targeted at the healthcare industry, other sectors (government, retail, financial, technology and education) are fairly evenly identified as potential victims, each accounting for between 9% and 15% of targets. Regardless of the reason or method, data or security breaches can hit any company, anywhere, at any time.
Incident statistics are staggering, and Canadian businesses are having to spend more and more money to mitigate or resolve criminal or malicious attacks. Compared with 12 other similar countries, detection and escalation costs in Canada were the highest.
The tool du jour – or at least the one gaining the most media attention these days – seems to be ransomware (i.e. breaking into a system and then holding files for ransom until a certain sum of money is paid). According to various sources, ransomware infects 5,700 computers per day, and in 2016 ransomware cost an estimated $1 billion. 62% of all spam messages last year contained ransomware. AIG European cyber claims statistics reveal that extortion and ransomware are one of the fastest growing sources of cyber loss, representing 16% of claims from 2013 to 2016. While paying may seem to be a simple fix, a survey by Spiceworks found that even when the sum was paid, fewer than half of the affected small- to medium-sized businesses ever got their data back.
Anticipating a cyber crisis
The old adage is true: an ounce of prevention is worth a pound of cure. What can you do right now to help yourself and your company weather an incident down the road? One word: simulations. Simulations may be a hassle, and yes, they will likely cost you time, maybe even money. But would you rather practice in a faux situation at a minor cost, or deal with the real thing, when real time, money and reputation are on the line, with no practice?
We can’t stress enough how important it is to “create” situations like these. Simulations allow you to get a sense of how your team will react, what messaging you need should journalists start to call, and who the key players will be at the time of actual need (is it something your IT team needs to handle alone? When do you involve your executive committee? What about your Board of Directors, or employees?).
Update (or first, create!) your Crisis Management Plan
Be sure to choose the right players that need to be around the table. Incorporate cyber-crisis management into your organizational processes, and develop cyber-crisis scenarios that challenge the cultural, organizational and operational models you have in place currently. From there:
- Identify and formalize roles and responsibilities for all participants in the crisis management process
- Assemble and document “tribal or community knowledge bases”, both within and between enterprises, to improve the security response
- Update related plans, such as IT incident management processes and continuity/succession plans
Protect your data – back it up!
With ransomware, attackers are betting on the fact that you won’t have access to your data through other means, so you will need to pay them. Prove them wrong by creating offline backups. In fact, we recommend keeping three copies of your data: one original and two backups. Keep those copies on at least two different types of storage device (local drives or network shares), and keep one copy offline (i.e. the cloud).
We also recommend calling in the experts to run Impact Assessment Exercises, to provide objective analysis of your practices, and identify where you are most vulnerable. Other helpful ways to protect your data:
- Limit system access so ransomware has fewer “doors or windows” to break through
- Filter email to screen for malicious messages, and use software designed to remove these threats safely
- Give access to only certain websites or applications that are known to be safe
- Use dynamic passwords and multi-factor authentication
- Use checkpoints to detect cyber-crises as early as possible
- Update your operating systems and equipment – older equipment is also more vulnerable – remember: everything that is considered “smart” must be up-to-date and protected
It’s too late, you’ve been hit!
Now what? Without a proper strategy in place, this could get messy. While this isn’t a band-aid or one-size-fits-all approach, we would recommend that in most cases you take the following steps:
- Do not pay. Keep in mind that you don’t know the full extent of the infection’s capabilities
- Identify the machine that has been infected at the source
- Disconnect that machine from the network immediately
- Alert the experts to help assess and contain the damage
- Identify the impact on your files
- Identify backup availability and integrity
- Restore only what is strictly necessary
- Keep a copy of the encrypted files and related information on an external media device with a “DANGER” label
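The backup advice above (three copies, two media types, one offline) and the “identify backup availability and integrity” step only work if you can prove a copy is still clean before restoring from it. The following is an added example, not code from the original article: it records a SHA-256 manifest of the data at backup time, checks each copy against it, and reports whether the intact copies still satisfy the three-two-one rule. The directory names, file contents and the simulated ransomware damage are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(source: Path) -> dict:
    """Record the SHA-256 of every file under source, keyed by relative path,
    at backup time. Keep the manifest with the offline copy, not on the source host."""
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def verify_copy(copy: Path, manifest: dict) -> dict:
    """Check one backup copy against the manifest: files that vanished or whose
    content changed (for example, encrypted by ransomware) fail the check."""
    missing = [r for r in manifest if not (copy / r).is_file()]
    altered = [r for r in manifest if (copy / r).is_file()
               and sha256_file(copy / r) != manifest[r]]
    return {"missing": missing, "altered": altered,
            "intact": not missing and not altered}

def assess_321(copies: list, manifest: dict) -> dict:
    """copies: list of (path, medium, is_offline). Only intact copies count towards
    the rule: two backups besides the original, two media types, one offline."""
    intact = [c for c in copies if verify_copy(c[0], manifest)["intact"]]
    return {"intact_count": len(intact),
            "two_backups": len(intact) >= 2,
            "two_media": len({c[1] for c in intact}) >= 2,
            "one_offline": any(c[2] for c in intact)}

def demo() -> dict:
    """Constructed scenario: two backups of a small data set; the network-share
    copy is then hit by ransomware while the offline copy is untouched."""
    root = Path(tempfile.mkdtemp())
    src = root / "data"
    src.mkdir()
    (src / "ledger.csv").write_text("id,amount\n1,100\n")
    (src / "clients.txt").write_text("Acme Ltd\n")
    manifest = build_manifest(src)
    nas, cloud = root / "nas", root / "cloud"
    for dest in (nas, cloud):
        dest.mkdir()
        for f in src.iterdir():
            (dest / f.name).write_bytes(f.read_bytes())
    # Simulated damage on the on-site share: one file overwritten, one renamed away
    (nas / "ledger.csv").write_bytes(b"\x00encrypted\x00")
    (nas / "clients.txt").rename(nas / "clients.txt.locked")
    copies = [(nas, "network_share", False), (cloud, "cloud", True)]
    return {"nas": verify_copy(nas, manifest),
            "cloud": verify_copy(cloud, manifest),
            "rule": assess_321(copies, manifest)}
```

In the constructed scenario the report shows the share copy as unusable and the offline copy as the only one safe to restore from, which is exactly the decision the incident steps above ask you to make before touching any backup.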
Sadly, keep in mind that cyber-crime won’t be going away anytime soon. Be vigilant, and be prepared. Just like you wouldn’t leave the door to your office or factory wide open at any time, be sure your non-physical assets are given the same due diligence. Cyber-liquidation is a very real risk.
How we can help
We believe it is more efficient to give our clients the opportunity to build their own skills and practice acting autonomously, rather than having us manage the response in their place should a disaster happen. But this requires practicing and learning the proper steps and strategies first. Our cyber security professionals can work with you to test the responsiveness of your team in different scenarios, and can organize simulation exercises company-wide, or with your board of directors, your colleagues or your core team. Typically, a simulation entails a start-up meeting, 1-2 days of workshop(s), followed by a post-mortem debrief and a documentation update. It is a lot easier to improve your cyber-crisis documentation once the simulation has taken place. In the end, what will be mere hours of your time could help save the whole future of your company.
“2016 Mining for Database Gold: Findings from the 2016 Breach Level Index”. Gemalto. 2016.