What everyone misses when it comes to cyberattacks

Stopping the bad guys is not a realistic option – focus on your security posture as the best way to mitigate the risk.

Article by Alastair Miller, Principal Consultant, Aura Security | 18 Dec 2023 | 4 min read

What springs to mind when you think of a cyberattack? Two sides, good and evil, locked in battle? The entertainment industry often conjures up war imagery around hackers and cybercrime. And while businesses may feel battle worn, the fighting analogy is somewhat misleading.

Cyber security is not a battle – it cannot be ‘won’, and it is not as black and white as ‘us vs them’. Digital threats are constantly growing and evolving. Hackers, like weeds, adapt to their environment – weaving around defences, looking for new opportunities or forgotten backdoors to access unnoticed and wreak havoc.

Stopping the attackers from trying to breach your business is not a realistic option. Instead, the focus should be on your own cyber security posture as the best way to mitigate the risk. With cyberattacks, it is nigh on impossible to predict what the ‘next thing’ will be. Sometimes the latest attack is simply an age-old tactic, tweaked for the current circumstances.

In 2020, while everyone was worried about emerging sophisticated ransomware attacks, lo and behold it was a spate of DDoS attacks – popular in the 1990s – that made headlines, with NZX and other significant Kiwi businesses targeted.

Today’s hackers are largely driven by money. Any business is fair game if it carries information that can be sold for profit on the dark web, or would pay an extortion fee in exchange for restoration of malware-afflicted systems. Cybercriminals will use any method available to breach your business.

Rather than focusing on the latest emerging threat, businesses need to take a risk-based approach to managing cyber security. The best way to implement an effective strategy is to start by assessing your current environment. If you do not know what data or key systems you have, then you will struggle to protect them.

Identify all the physical, virtual, data and third-party assets – classify their sensitivity and criticality to the business and then assess their risks. Once this is done, prioritise the key assets and look at ways to mitigate the greatest risks to an acceptable level. No company has an endless security budget – this is the key to investing the right amount to suit your risk profile.

For example, third-party attacks coming through software and managed service providers are on the rise, as technology becomes more advanced. If digital acceleration has seen your vendor reliance increase exponentially, you might want to reduce risk by prioritising security vetting and proper management of your partners, particularly if they are entrusted with your key data or assets.

Protective layers need to factor in a range of possible attacks or breaches. We call this a ‘Defence in Depth’ approach. Consider the major attack paths, such as email phishing or unpatched software, and put a control in place to deal with each one.

A combination of controls functioning as deterrents, prevention, containment and detection gives you the best chance to cope with a single control failing or being circumvented. From there, defence must be continually maintained and reviewed to achieve a constant secure status. Real resilience comes from the ongoing canvassing of your risks and constant improvement.

Even if your defences are top-notch, the chances are your business will be impacted at some point – controls can and do fail. This is where the ability to respond and recover comes into focus.

A robust backup and recovery plan is essential. In the unfortunate event your digital assets are compromised, deleted or corrupted, a properly tested and implemented backup of your key systems and data is the best way to get your business up and running, fast.

Once you have done a full backup, look at differential backups (which capture everything changed since the last full backup) and incremental backups (which capture only what has changed since the most recent backup of any kind), so that new or changed data is covered between full backups.

The frequency and approach of your backups will be determined by a range of factors, including level of risk, business type, budget and compliance requirements. Store those backups in a separate environment so they cannot be accessed by attackers.

An incident response plan that sets out roles and responsibilities during a crisis is also essential. Writing it is also a good chance to lay out and agree on the clear steps the business would take. For example, which stakeholders do you need to communicate with? When do you bring in technical experts? Would you ever pay a ransom?

To ensure your plan is fit for purpose, it is a good idea to test or rehearse it regularly.

A director’s role is not to micromanage every action the security team makes. However, a director can help their organisation better address its risks by encouraging a risk-aware mindset approach to bolstering cyber security.

The mandate is to be cognisant, at a high level, of the current environment, while encouraging your organisation to develop a risk-based framework. Questions you need to be asking to gain confidence that a risk-based approach has been adopted include:

  1. Is there a good understanding of important data and assets, and how is this being protected?
  2. Has anyone assessed how a wide range of different cyber incidents would impact the business – a DDoS attack will be felt quite differently from ransomware, or a cloud breach? Which is most likely to impact your organisation?
  3. Are there backup and recovery plans in place, along with an incident response playbook, to guide the organisation in the event of a major breach or attack?

The best takeaway is this: Make sure all risks are understood and managed to an acceptable level. That way you will maximise your investment in your defences and have a clear view of why you are spending that money.

Cyber security cannot be summed up as simply fighting the bad guys. It is about sustaining, maintaining and constantly refining your cyber security posture to withstand whatever threats could come your way.

And that is what everyone misses.