Aphelion Ltd

Aphelion Blog

Website URL: http://www.aphelion-group.com

Data Breach Response: 4 ways the most resilient businesses respond to hacks

Published in Business Continuity

Data breaches can trigger fines, deflate stock prices, irreparably damage reputations, drive away customers and attract further cyber-attacks.

But they don’t have to.

By responding quickly and decisively at the first sign of a data breach, you can limit its impact, preserve trust in your business and keep customers safe.

The consequences of a botched data breach response

For many small and medium-sized businesses a hack can be fatal: by one widely quoted estimate, 66 percent of them go out of business after a data breach.

Large companies are more likely to survive, but they suffer severe damage. Shortly after Equifax announced a data breach that had compromised the personal information of 143 million Americans (a figure since revised to about 148 million), it shed more than $4 billion in market value as its stock sank 20 percent. It hasn’t recovered.

The two massive data breaches Yahoo reported in 2016 knocked $350 million off the price Verizon finally paid for the company in 2017. When it was revealed that Uber had kept quiet for more than a year about a data breach affecting 57 million people, the public outcry added to the reputational damage the company had accumulated over 2017 and trimmed its valuation by about 30 percent.

Throughout 2017 companies large and small suffered data breaches, often with a larger overall impact than necessary. If you want to mitigate the impact of data breaches at your company, and hopefully prevent them, follow these four principles.

  1. Act quickly

A data breach requires an immediate response from every part of your organization. Your IT and business teams will need to locate and close any vulnerabilities in your IT systems or business processes, and set your disaster recovery plan in motion if they uncover data corruption. Your business units may need to invoke their business continuity plans, and you may need to assemble your executive crisis management team.

You can improve the speed and effectiveness of your response with regular testing that will ensure everyone is ready to go and knows what to do as soon as a breach is recognized.

Another advantage is having the results of a Data Protection Impact Assessment (DPIA) at your fingertips. It details all the personal data you collect, process and store, categorized by level of sensitivity, so you’re not scrambling around after a breach.

With a clear sense of who should be taking charge and what exactly should be done, you can better contain the damage caused by the data breach.

  2. Be open and honest

A data breach is never ideal, but if your business suffers one, it’s important that you inform everyone affected as quickly as possible, so that they can take their own protective measures.

We live in a highly connected world with hyper-extended supply chains. Create a crisis communication plan that sets out in advance who needs to be contacted should a breach occur. That way, you’ll never forget important stakeholders in the heat of the moment.

Failing to inform people in a timely manner can cost you in fines, reputation loss and disgruntled customers.

  3. Figure out what went wrong

After a breach, IT administrators should comb through archived network traffic and system logs for abnormal activity. How did the breach occur? Was it a vulnerability that should have been patched? Innocent human error? A process gone wrong?
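The advice above is easier to act on with a concrete hunt. The block below is an added example, not code from the original post or any Aphelion tooling: it assumes Zeek-style tab-separated connection records (timestamp, source, destination, destination port, protocol, bytes sent, bytes received) and a 10.0.0.0/8 internal range, and every log line in it is constructed for illustration using RFC 5737 documentation addresses for the external hosts. It learns a per-host baseline of external destinations and upload sizes from a pre-incident archive, then flags connections in the incident window that break that baseline, which is the same kind of rule a SIEM would run continuously to shorten the months-long detection delays this page describes later.

```python
"""Hunt for abnormal outbound traffic in archived connection logs.

Added example, not code from the original post. Assumes Zeek-style conn
records (tab-separated: ts, src, dst, dst_port, proto, orig_bytes, resp_bytes)
and a 10.0.0.0/8 internal network; all log lines below are constructed and
use RFC 5737 documentation addresses for external hosts.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed baseline: quiet, routine HTTPS traffic before the incident window.
BASELINE_LOG = """\
1514764800\t10.0.0.5\t192.0.2.10\t443\ttcp\t4200\t98000
1514764900\t10.0.0.5\t192.0.2.10\t443\ttcp\t3900\t120000
1514765000\t10.0.0.7\t192.0.2.20\t443\ttcp\t2100\t45000
1514851200\t10.0.0.5\t192.0.2.10\t443\ttcp\t4100\t99000
1514851300\t10.0.0.7\t192.0.2.20\t443\ttcp\t2000\t44000
"""

# Constructed incident window: one host uploads ~850 MB to a never-seen
# destination, and a host with no baseline at all opens SSH to the outside.
INCIDENT_LOG = """\
1520000000\t10.0.0.5\t192.0.2.10\t443\ttcp\t4300\t97000
1520003600\t10.0.0.5\t198.51.100.23\t443\ttcp\t850000000\t1200
1520007200\t10.0.0.7\t192.0.2.20\t443\ttcp\t2200\t46000
1520010800\t10.0.0.9\t203.0.113.77\t22\ttcp\t510000\t3000
"""


def parse_conn_log(text):
    """Parse tab-separated conn records into dicts, skipping comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, obytes, rbytes = line.split("\t")
        records.append({
            "ts": datetime.fromtimestamp(int(ts), tz=timezone.utc),
            "src": ip_address(src), "dst": ip_address(dst), "port": int(port),
            "proto": proto, "orig_bytes": int(obytes), "resp_bytes": int(rbytes),
        })
    return records


def outbound(records):
    """Yield only internal-to-external connections; internal chatter is ignored."""
    for r in records:
        if r["src"] in INTERNAL and r["dst"] not in INTERNAL:
            yield r


def build_baseline(records):
    """Per internal host, learn the external (dst, port) pairs it talked to and
    its largest single upload during the pre-incident archive."""
    dests = defaultdict(set)
    max_upload = defaultdict(int)
    for r in outbound(records):
        dests[r["src"]].add((r["dst"], r["port"]))
        max_upload[r["src"]] = max(max_upload[r["src"]], r["orig_bytes"])
    return dests, max_upload


def find_anomalies(baseline, records, upload_factor=10):
    """Flag outbound connections that break the baseline: a source host never
    seen before, a destination never seen for that host, or an upload larger
    than upload_factor times that host's biggest baseline upload."""
    dests, max_upload = baseline
    findings = []
    for r in outbound(records):
        reasons = []
        if r["src"] not in dests:
            reasons.append("source host absent from baseline")
        elif (r["dst"], r["port"]) not in dests[r["src"]]:
            reasons.append("new external destination")
        if r["src"] in max_upload and r["orig_bytes"] > upload_factor * max_upload[r["src"]]:
            reasons.append(
                f"upload of {r['orig_bytes']} B exceeds {upload_factor}x baseline max "
                f"of {max_upload[r['src']]} B")
        if reasons:
            findings.append((r["ts"].isoformat(), str(r["src"]),
                             f"{r['dst']}:{r['port']}", reasons))
    return findings


def hunt(baseline_text=BASELINE_LOG, incident_text=INCIDENT_LOG):
    """Run the whole pipeline on the constructed logs; findings come back oldest first."""
    baseline = build_baseline(parse_conn_log(baseline_text))
    return sorted(find_anomalies(baseline, parse_conn_log(incident_text)),
                  key=lambda f: f[0])


if __name__ == "__main__":
    for ts, src, dst, reasons in hunt():
        print(f"{ts}  {src} -> {dst}: {'; '.join(reasons)}")
```

Two findings come out of the constructed incident window: the 850 MB upload from 10.0.0.5 to a destination it had never contacted, and an SSH session from 10.0.0.9, a host with no history in the archive at all. The routine 10.0.0.5 and 10.0.0.7 connections are silent, which is the point of baselining rather than alerting on every external connection. On real archives the baseline window should be long enough to cover normal business cycles, and the earliest flagged timestamp gives a first estimate of when the intrusion began.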

It’s equally important to review your DPIA to ensure it’s up to date.

If the breach is a criminal matter, preserve all relevant evidence and pass it on to the police so that those responsible can be brought to justice.

  4. Pre-empt future attacks

Prevention is always better than cure. It’s good business practice to continuously monitor risk, including information risk and ensure the controls are adequate.

Conduct physical and logical penetration testing and check your organization’s susceptibility to social engineering. Ensure you have effective business continuity and back-up solutions in place. Check in on any vendors or partners that have access to your network to review their security practices and level of access. Seek out executive coaching to ensure that your C-suite has the skills, competencies and strategies to lead your organization through the complex, uncertain and unstable environment that is the aftermath of a data breach.

Facing the inevitable

Data breaches are growing more common, not less. How you respond in the aftermath of a data breach says volumes about your organization and how much you value customers.

If you delay disclosures; suffer repeated, preventable breaches; and leave vulnerabilities unfixed, you’ll shed customers and market value.

Quickly take action, however, and be proactive in your notifications of a breach and fixing vulnerabilities, and you’ll contain and weather a data breach better than most businesses.


Do You Know Which of These Cyber-Attacks Isn't Real?

Published in Security

When CentaurWipe infected hundreds of companies in December 2016, IT departments were left flat-footed. Named for its dual attack of locking down devices while systematically erasing files, CentaurWipe was finally contained after an emergency patch was deployed.

Sound familiar?


It shouldn’t. It never happened.

But in a recent survey of 510 IT decision-makers, more than 85 percent thought CentaurWipe was a real cyberattack when we asked them to pick the fake among a list of real attacks. More respondents picked WannaCry as the fake cyber-attack than CentaurWipe.

What’s going on here? Are there just so many cyber-attacks that it’s hard to remember all the names?

Or is there a lack of awareness that could be putting organizations in jeopardy?

Which cyber-attack isn’t real?

We posed this simple question to CSOs, CIOs, CTOs, CISOs, IT VPs, Heads, Directors, and Managers, Information Systems Security Engineers, Cyber Security Directors and Managers:

Which of the following is not a named or known cyberattack?

  • WannaCry
  • Petya
  • NotPetya
  • Goldeneye
  • Heartbleed
  • CentaurWipe
  • POODLE

Any surprises for you in that list? There were for the respondents.

Only 15 percent of respondents correctly chose CentaurWipe as the phony attack. Just two out of the six real cyberattacks received more votes than that.

A surprising 15 percent picked WannaCry as the fake. That is hard to fathom, since WannaCry hit over 150 countries and some 300,000 machines and was covered extensively in the media.

A quarter of respondents – 25 percent – chose POODLE. That’s short for Padding Oracle On Downgraded Legacy Encryption. Granted, POODLE may seem like ancient history (it was disclosed in 2014), but this attack, in which a man-in-the-middle forces a connection down to SSL 3.0 and then decrypts it byte by byte, fooled a good portion of respondents.

Close behind CentaurWipe, 14 percent chose NotPetya, while 13 percent chose Goldeneye.

The two most recognized cyber-attacks on the list were Petya, chosen by just 10 percent of respondents as the fake, and Heartbleed, which 8 percent thought wasn’t real. It should be heartening that these two didn’t get past many surveyed participants.

What does this say about security awareness?

The shocking thing about these results is that CentaurWipe wasn’t the overwhelming choice. What can we attribute this to?

For one, some strains of malware have multiple names. Petya first appeared in 2016; the June 2017 outbreak was dubbed NotPetya because it only resembled it, and some vendors labelled that same outbreak GoldenEye after an earlier Petya variant. Depending on who you ask, then, Petya, NotPetya and Goldeneye might all refer to the same June 2017 ransomware attack. That is confusing for anyone trying to stay on top of the ever-growing list of cyber threats: they might know an attack by one name but not another.

The term “cyber-attack” is also open to interpretation. POODLE, for example, is the name of a vulnerability and the technique that exploits it, not a specific attack campaign.

There’s also the sheer quantity of attacks – thousands of new ones appear every year, and organizations tending to their security are left untouched by the vast majority.

Or maybe, and this is more concerning, it’s just a true lack of awareness.

Knowing what malware does, what it targets, and how to stop it can help you keep your systems safe. How do you know you’re immune to a threat you aren’t aware of?

Armed with knowledge, you can stay safe and prepare for whatever hackers conjure up next. But also make sure you’re covering the security basics.


Cybersecurity Myths You Should Stop Telling Yourself

Published in Security

Cybersecurity can be a magnet for myths. Attacks emerge and cripple system availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many of us hold onto as facts only become apparent in the aftermath of an attack.

While many cybersecurity myths persist, some are more damaging than others. Let’s examine four common cybersecurity myths and their impact on risk.

Myth 1: Small organizations are low-value targets for hackers.

Thinking you’re not a target is one of the biggest mistakes your company can make. According to data collected from more than 2,200 confirmed data breaches, 58 percent of security event victims were small businesses. Why would malicious actors target small companies?

  • Compute resources are valuable – Malicious actors seek out available computing resources as network nodes to expand their bot networks, which they use to initiate DDoS attacks, for cryptojacking, to propagate ransomware and spam or for numerous other crimes. Malicious actors build their networks by leveraging free resources, and your systems might be among them.
  • Data is power – Every organization stores some data that’s critical to its business but of little value to anyone else. Malicious actors exploit this with ransomware that encrypts the data, cutting off access and crippling the organization, and then generate revenue through ransom payments.
  • You’re an easy target – Malicious actors use continually running, automated tools to target vulnerable organizations that allow them easy access. That increases their chances of a quick win, especially since vulnerable targets might not realize they were attacked for months.
  • Your access is valuable – Small businesses can be used as a “beach head” into other targets. Malicious actors might target seemingly innocent, low-risk third-party vendors to get to those vendors’ customers. A breach at a customer service software company earlier this year gave malicious actors access to Delta Air Lines, Sears, Kmart and Best Buy.

Myth 2: There’s no reason to invest in security when organizations with tight security controls still experience security breaches.

Some organizations rationalize a small cybersecurity budget by arguing that investing in security is a losing game. They hear about security breaches at large organizations, with presumably large cybersecurity budgets, and assume if these organizations can fall victim, then what chance does their organization have? Let’s look at a few reasons why this is not the case.

  • Tools are just one pillar of a solid security strategy – People and process are the other two. An organization allocating budget toward security might not be funneling it to the most effective areas. An organization can have a big budget for tools, but if it lacks the right cybersecurity talent or its processes are faulty, it can still get hit.
  • Tools do help – Multiple breaches have illustrated how long it can take before an intrusion is detected. Malicious actors stole 880,000 payment cards from Orbitz in a data breach that ran from October to December 2017, but the company didn’t spot the evidence until March 2018. Tesla only discovered a cryptojacking operation in a cloud account when third-party researchers tipped off the car maker. Organizations that invest in detective controls such as SIEM tools, in combination with preventive controls such as Intrusion Prevention Systems (IPS), may identify suspicious behavior earlier and limit the damage. With such controls in place, an organization can more quickly establish when the breach occurred, the likely point of entry and how the malware spread.
  • The cost of recovery can be higher than the cost of security – Organizations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100 percent effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.

Myth 3: Our organization has not been breached before, so we’re still safe.

Often, organizations incorrectly assume their security risks remain relatively static, when they don’t have a way to effectively evaluate those risks. Projecting future risks based on historical events can be dangerous, especially because people often underestimate the following:

  • What needs to be secured – Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and more are within your organization. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified and assumptions drawn that can lead to vulnerabilities.
  • Unexpected delays – An organization might not include adequate protection for an obsolete server that’s being decommissioned. Schedules slip, and vulnerabilities are introduced when the old, no-longer-patched Windows Server 2003 host is still connected to the environment months later.
  • Underestimated targets – Similarly, organizations might assume a particular server doesn’t contain sensitive data and is less likely to be the target of an attack. As we’ve discussed, it might not be data that malicious actors are after. Your servers might be valuable as a foothold into the environment, for example.
  • Human psychology – Lastly, people often underestimate risk because of what might be called future aversion: assuming that because the future is unknown, it cannot be tested for.

Myth 4: Security is an expense, not a revenue generator.

Organizations prioritize investment in services that generate revenue, especially when budgets are tight. This can leave cybersecurity, viewed as an expense, on the back burner. But cybersecurity can be a revenue generator – here’s how.

  • Security influences buying decisions – Organizations that store personal, financial and other sensitive data need to ensure it’s secure. Organizations can influence customers’ perception of security by proactively marketing the high level of security they adhere to, differentiating their organization from their competitors.
  • Lack of security impacts availability – Data breaches are only one impact from an adverse security incident. Another is downtime. Consumers can’t purchase products or pay for services if a web site, or the infrastructure that supports web transactions, is unavailable. When ransomware brought the City of Atlanta to a standstill, for example, it couldn’t accept payment from residents for common city services for six days. The lack of adequate security directly impacted core business operations.
  • Security can be a value-added service – For instance, a Software-as-a-Service (SaaS) provider may offer three tiers of service to its customers: gold, silver and bronze. It could bundle in a Service Level Agreement (SLA) with higher levels of availability and higher levels of security controls associated with higher service tiers. Whether your organization has the in-house tools and skill sets required to offer specific security services or you’re passing the costs of a Managed Security Service Provider onto the end customer, security can become a new revenue stream.

The bottom line

Whether it’s assuming you’re not a target or that security spend is only ever an expense, buying into these common cybersecurity myths can set your organization up for serious disruption, unhappy customers, a tarnished reputation, not to mention the cost of recovery.

What are some other cybersecurity myths you’ve encountered?
