Defending Against (and Recovering From) Cyber Attacks: Five Key Steps

Alan Calder

Given how commonplace cyber attacks have become on a global basis, the topic of cyber security is moving increasingly up the Boardroom agenda, and rightly so. 72% of large businesses here in the UK have said that they’ve identified at least one cyber security breach in the last 12 months, while 40% experienced a breach or an attack at least once a month. Clearly, businesses are aware of the prevalence and potential damage that attacks can cause, but how can they be sure that their defence strategy is up to the task? Alan Calder offers his views. 

How long would it take you to identify a security breach within your organisation? Hours? Days? Months? The average is actually 101 days. That’s three months, then, that cyber criminals have to exploit the sensitive data they’ve acquired due to a flaw in a company’s security systems or processes.

Simple security measures are clearly not enough. Organisations must be equipped and ready to respond to attacks, control the potential fall-out and recover as quickly and easily as possible.

Ranging from the identification of threats through to the importance of response and recovery, let’s address the concerns of business before, during and after cyber attacks and examine ways in which to avoid them altogether.

Identify potential threats

The first step should be to undertake a thorough risk assessment to highlight any threats that the organisation currently faces to its information assets. Any data that a company values, be that digital assets, offline content or employee knowledge, will also be valuable to a cyber criminal – all require protection.

There are a number of risks that could impact an organisation and its information assets, from cyber attacks to human error, theft or accidental loss and even natural disasters. This is where penetration testing can help to identify weaknesses in an organisation’s infrastructure and networks by highlighting vulnerabilities before cyber attackers are able to exploit them.

These risks must then be fully evaluated to determine how significant the threat is – how likely is the threat to happen? What could be the resulting impact?

Protection against attack episodes

The next step is to deploy tools to prevent the attacks, or at least reduce their likelihood or impact. These should take the form of technical controls, such as firewalls, as well as process controls, including policy changes.

Detective controls can also be used to observe the environment to detect risk before it causes harm. This could include CCTV cameras or intrusion detection systems monitoring the network. Reactive controls can also be deployed to take action in response to an event, such as locking down a particular area or encrypting data after a certain number of failed login attempts.

While it’s certainly true that technical functions are essential to keep information secure, it’s crucial to ensure that any risks related to human error and process failures are not overlooked and that a holistic approach is implemented to keep the organisation secure.

Information security frameworks such as ISO 27001 consider the people and process aspects of keeping data secure, such as staff awareness, regular training and a culture of continual improvement. An ISO-27001-compliant information security management system is also a risk management approach, meaning that the security measures an organisation should implement are tailored to the specific threats it could face, as well as its risk appetite.

By using this approach, organisations can be confident in the fact that they’re addressing real threats to the business and not wasting time or resources protecting against threats that are unlikely to happen.

Detect breaches

It’s true that not all attacks can be prevented, which is exactly why it’s essential to have robust detection mechanisms in place, such as regular log review and constant network monitoring, to detect unusual activity. This way, organisations can be in control of their defences and in a position to identify threats and mitigate breaches before they cause substantial damage.

Respond to incidents

Training is an important factor in an organisation’s cyber resilience strategy, so that in the event of a breach the right response can be followed to limit the potential fallout. Research suggests that over half of organisations don’t have processes in place to appropriately train staff in this area. In the current compliance environment, where legislation such as the European Union’s General Data Protection Regulation requires all staff that handle personal data to receive appropriate training, and imposes strong penalties for organisations that don’t, this is a worrying statistic.

A business continuity management strategy will include a comprehensive plan detailing who to contact in the event of a breach, processes for containing the incident and information on how to keep the situation stable. With a step-by-step approach, the fall-out from a breach can be minimised as much as possible to keep assets protected and the organisation running at an optimum level.

It’s also important to record all available evidence and keep a log of response procedures to be reviewed at a later date. This is not only necessary to legally inform subjects that may have been affected by the breach, but also as an audit trail to improve the response process for future incidents.

Recover from an attack

Once the situation is stable following a breach, action should be taken to prevent similar incidents from happening again, or at least ensure that the incident will have a lesser impact in future.

Of course, how an organisation recovers from an attack will vary depending on the nature of the incident and the company. For example, the Security of Network and Information Systems Regulations dictate specific business continuity processes for certain essential services, such as transport, energy, healthcare and cloud computing, in order to ensure the continuation of these systems in a determined effort to keep businesses, citizens and public services protected.

The business continuity management strategy should be comprehensive enough to enable an organisation to operate as close to normal as possible while it continues to fully recover from an incident. With an established cyber resilience strategy in place and following the five steps outlined, an organisation will be able to detect and survive any incident – and quickly return to ‘business as usual’.

Alan Calder is CEO of GRC International plc (parent company of IT Governance)

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.