September 24, 2020//Tony HowlettLast Updated: November 24, 2020
If you interview the IT and security staff of a company that has had a breach, very few of them would say they were expecting to get hacked. These “survivors” are often in a state of disbelief that it has happened to them and suffer from analysis paralysis when it comes to taking the steps needed to stem the breach. There is a certain overconfidence when it comes to being breached—most companies assume they’ll never get hacked. But most (if not all) companies that do get hacked probably had that same mindset.
Personally, when I’ve run tabletop incident response exercises for companies in the past, the team usually had good responses to every scenario posed, being able to bat down most possible breach situations with their myriad controls. But if you presented them with a hack as a fait accompli, they were stumped and sometimes indignant. “That’s impossible!” they would say. “That could never happen because we do X process or have Y software that prevents that!” Again, all the companies that have been hacked probably said the same thing during their incident response exercises right before they got hacked.
When it comes down to it, the root cause of most big breaches is simply a failure of imagination. Like the famous Apollo 13 adventure, the rocket designers thought they had done all the right things but they didn’t think of that final outlandish scenario that came to fruition. Luckily for the astronauts, the mission control team didn’t panic and put their heads down to focus on the solution because they had trained to deal with scenarios you might not expect.
Another very real recent example is the COVID-19 global pandemic and its impact on IT operations. While we have been hearing about the possibility of pandemics for a while, very few people thought it would really happen. Even fewer had fully played out all the impacts and possible responses to a global pandemic, such as switching to a 100% work-from-home workforce overnight. Most companies didn’t plan for that. Do all of your business operations over video? Yeah, we missed that one, too.
It’s okay to have confidence in your IT security, but also have the forethought to imagine that it might fail and what that looks like. Embrace the idea in your incident response and disaster recovery exercises. The hard truth is that most companies will be hacked in some manner eventually. Over 76% of companies report that they have experienced a successful cyberattack in the last year. Most of these never become front-page news, but almost every company will have some sort of security incident, whether they realize it or not. Maybe an employee’s PC gets infected with a virus or ransomware. Maybe an employee leaves and manages to exfiltrate some proprietary data. Or maybe it’s the big one—a possible company-destroying, massive breach. Whatever it is, you will be better prepared and have a better eventual outcome if you go through the exercise of assuming you are hacked and what happens next. Doing this mental exercise will break down the barriers of inter-department communication and make the actions you need to take come quickly rather than the “I never thought it would happen to me” shell shock.
In the early moments post-breach, when the fog is still thick, decisive actions can save lots of money and possibly keep additional data from being breached. Being indecisive—or worse, acting without knowledge or coordination—can actually make things worse. Witness the ham-handed incident response of Garmin during its recent multi-day outage due to ransomware. For days, it made incorrect or vague public statements. The company clearly hadn’t rehearsed a ransomware outage scenario fully or coordinated with its PR, legal and forensics teams, and this showed in the terrible press it received in the aftermath. Given that many of its devices deal with public safety, the company’s response definitely damaged its reputation beyond the fact that it got hacked.
Ransomware is an important area that often is not fully discussed or planned for. Do you have a plan for a successful ransomware attack? Have you discussed with your senior leadership and legal whether you would pay a ransom in the event that systems are not recoverable? How long could you be down before you would consider it? Do you have enough cash to pay a ransom or have insurance that covers it? What we often see is companies inoperable for days or even weeks before deciding to pay the ransom—definitely the worst of both worlds. There may also be regulatory limitations on making payments in cryptocurrencies, especially for financial institutions. The time to ask these questions and get answers is BEFORE the ransomware bomb goes off inside your systems.
Make sure that all the relevant players are in the loop and on the same page so that your organization moves as a team in remediating the event. Technicians trying to do their own investigations can damage or destroy evidence that law enforcement and forensic professionals will need and may keep you from being able to identify the attackers or pursue criminal or civil actions against later. Also, get your compliance team on board. They should have a representative in your meetings, as well as any outside consultants or entities such as PR firms, outside legal counsel and other providers who would be involved such as an incident response firm, if it’s feasible financially. If you don’t already have one, consider putting an incident response firm on retainer so that they can quarterback any response for you from the first hour onward. Many of them will help you run these exercises as part of their annual fee. Do a mock press conference with your top executives. Can they say the words that need to be said about a breach to reassure customers and employees that it is being dealt with competently? Denial—or, even worse, lying—to the public can not only make it worse when the truth eventually comes out but also lead to additional penalties or even jail time, as it did with the CSO for Uber when it had a breach.
In a breach, minutes matter, and going through the mental exercise of “what if, in spite of all we’ve done, we are hacked” will mean you have the “muscle memory” you and your team need to respond quickly and effectively, lessening the impact of a breach and ensuring a more positive outcome for the companies customers and its reputation.
So let’s get started. You’ve been hacked. What do you do?