Cyber Incident Prevention: First Steps

No business is 100% immune from data breaches and cyber incidents. In such a situation, any information security expert will first of all advise falling back on a system recovery plan prepared in advance for an incident. The size of the company does not matter: in 2022 absolutely any business relies on information technology, if only on a different scale. Today we will share what can be done once a critical situation has already happened, so that work is restored faster, and what to do to prevent a leak in the first place.

Assign responsibility for the response plan

The most important thing in a critical situation is speed, in order to preserve and restore what is still recoverable. Well in advance, company management should appoint trusted people from the information security department who will notify management in the event of an attack or leak. Those responsible for the plan should be literally on speed dial with the manager, so that they can give instructions and coordinate actions at the right moment without delay. These people must not only know the company's systems inside out, but also understand how each department works, so that they can explain to the heads of the different departments exactly what needs to be done: either to cut off the flow of information to the attacker, or, conversely, to follow the action plan and contribute to the recovery work as quickly as possible.

Cybersecurity is one of the constituent aspects of the work of the entire company, so the person responsible for the response plan must be a highly qualified specialist and someone the head of the company trusts.

Identify critical information across departments

As mentioned above, the person responsible for the response plan notifies all departments of the company about the incident and issues the first set of recovery actions. It is critical to find out in advance which particular software, applications, information and systems each department depends on for its day-to-day operations. This information is the key to an efficient recovery of operations with minimal downtime.

To find this out, it is necessary to conduct a timely information security audit of the company, department by department; the audit plan may differ depending on the department. It is easy to see that information critical to the customer service department is not as critical to the logistics or human resources department, and vice versa. Information may also lose its relevance by the end of a project, the conclusion of a transaction, a delivery deadline, a season, a quarter, and so on. A simple example: data on the cost of purchasing equipment is most sensitive at the time of the purchase, when such information can still influence the outcome, and not once the deal is done, when the loss of this data in a leak does not threaten the business with great damage.

Be sure to find out whether backup copies of confidential data exist, or decide whether it is reasonable to create them (some companies, in the name of greater security, prefer to avoid the additional risk and store critical data in a single copy). It is also worth noting that the latest version of any major cyber incident response plan should be kept in a safe place, under lock and key if it includes master passwords for sensitive information. There is no point in having a plan only in digital form if you cannot access it because of a breach in your own network.

Identify risks

Identifying potential hazards helps to prevent them, so it makes sense to think through several versions of an emergency plan for each of the company's departments. A popular practice in recent years is to invite a pentester, a qualified white-hat hacker, into the company. This person looks at the company's security from the attacker's side and tries to break in, purely in order to identify weak spots so that the vulnerabilities can be eliminated before a real attacker finds them.

Remember that the largest share of leaks is due to human error, so you should work through questions such as:

  • what if a disgruntled former employee decides to delete or steal important data when leaving the company?
  • what to do if there is an insider in the company, but it is not yet clear who it is?
  • what to do if a company employee has lost a device or media with critical data on it?

Nor should we forget social engineering, from which no one is immune. Attackers use ever more sophisticated methods of stealing information, in particular ingratiating themselves with the right people and coaxing information out of them. Therefore, it is imperative to conduct regular training on recognizing attacks of different types and responding to them. It could literally save your organization one day.

Creating this documentation and identifying your weaknesses will reveal a lot of problems that you can fix right now. For example, you can reduce the risk of supply chain disruption with run-time protection software, secure managed databases with cloud-based data security solutions, or automate API protection. The first step is to know your vulnerabilities and to determine and document how you will respond.

Create an emergency communication plan

What should be done if the information leak occurs after hours? Who should be notified first, and how can the situation be brought to the attention of the right people as quickly as possible? First of all, you need to make a list of those who should be the first to know and whose experience is of decisive importance in the aftermath of the incident.

In addition, it should be determined in advance whether the incident must be reported to customers or suppliers if their data is involved, as well as who will inform all these parties and through which channels. Small companies may pay little attention to these issues, but in multi-million dollar corporations a clear alerting plan is a must. Imagine that a bank's systems have leaked information about customer accounts. If the bank does not respond promptly and inform the right people responsible for stopping the attack and coordinating actions, it will face huge problems with its ongoing operations and with its reputation in the future.

Install reliable software against data leaks

All major companies in the world have long since switched to DLP systems and confirmed their usefulness and necessity for data protection. A DLP system is a software solution that prevents confidential information from leaking out of a company's internal network. One example is the Falcongaze SecureTower DLP system, a 3-in-1 product: protection against data leaks caused by employees, control of employees' work on the computer, and analysis of user behavior.

How does SecureTower work? The SecureTower agent, which monitors all the actions of employees on the computer, is centrally installed on all employee computers. You see everything an employee did during the working day: the beginning and end of work, periods of activity and idle time, the applications used, the sites visited, the messages and files sent. You get full control over all communication channels and data transfer protocols. All employee actions are analyzed and, in case of a violation, the system automatically sends a notification to the company's security service and management.

Where can you use SecureTower? In the company's local network, in networks with complex architecture, in geographically distributed offices, and at mobile workplaces. Deployment and configuration of the system are centralized, and the ability to control the organization's branches from the central office significantly reduces the security service's staffing costs.

Thus, the introduction of a DLP system into a company's corporate network can be considered a key element in building an effective information security management system.

The SecureTower DLP system

  • Protection against data leaks caused by employees
  • Control of employees' work on computers
  • Identification of potentially dangerous employees (risk analysis)