Threats to the business can come in various forms but by far the most common and significant is a data breach. Usually leveraged via a successful phishing or spear phishing attack, this then results in either sensitive information (such as a username and/or password) being disclosed or a compromise of target endpoints such as laptops or mobile devices
Both attack vectors could then see unauthorised remote logins to organisational services or data, which an attacker can then use to exfiltrate sensitive information. This could include personal data (names, addresses, dates of birth, medical data et al), banking details, credit card information, or company intellectual property.
The information will then either be sold (usually at a price per record), used to target other individuals with fraudulent attacks, or be associated with a ransomware situation where either it may then be permanently encrypted and/or released publicly if the attackers do not receive payment within a certain time. Over the last few years, it’s this latter scenario that has come to dominate, as organised criminal gangs become more adept at extorting funds from targets.
Yet, despite the dearth of data breaches reported year after year, organisations still fail to prepare for what is rapidly becoming almost inevitable. If the business isn’t ready, it can’t respond effectively or communicate with internal and external stakeholders such as customers and clients, C-Suite and third-party organisations such as the ICO. This results in a loss of confidence and unwanted publicity, as well as the organisation spending unnecessary time resolving incidents effectively and the potential financial loss of paying the ransom.
To protect themselves from such attacks, organisations should implement a variety of defences. It’s important to deliver regular security awareness programs to staff, warning of the risk of clicking on unknown links or opening files or attachments, for instance, but these need to be regularly scheduled and be appropriate. The most effective security awareness briefings will be relatively succinct and interesting to staff, for example by containing relevant and interesting examples of the potential impacts, rather than being a lecture.
With regards to technical security controls, the business should implement endpoint and cloud-based protection which can protect against known and new attacks and as well as monitoring and alerting systems to facilitate rapid identification and reporting of any potential attempts and actual breaches within the business environment. Also, put in place strong endpoint configuration that limits the privileges of users, restricts the execution of unknown and untrusted applications and reduces the attack surface through reduction of unnecessary functionality (Command Prompts, Powershell, default bundled software etc).
Locking down data is essential so ensure that data storage is resilient to unauthorised attempts to modify files, using techniques such as inherent versioning and/or offline data snapshots and backups. Remain vigilant through the implementation of monitoring and alerting mechanisms across server, endpoint and cloud environments and keep things fresh through regular security reviews of device endpoints and data storage and applications to test their resilience to ransomware attacks.
If the worst does happen, you’ll want to rely on an effective incident response plan being in place as well as team preparedness, having conducted scenario-based penetration testing (“red team”) attack simulations as well as desktop simulated breach exercises to ensure that the security teams know how to handle breaches quickly and effectively.
However, it cannot be overstated how important it is to have a reasonable and applicable (to the business) set of security policies, procedures and plans to support information security and to govern user behaviour.
An overarching information security policy should put security centre stage and reveal the management commitment to it as well as prescribing a framework of other documents such as an acceptable use policy, incident response plan, access control and data handling policies. Many organisations are now already aligned or certified to standards such as ISO27001, which provides a framework for management of an information security management system (ISMS).
Finally, be proactive. Regularly review the data that is being collected and stored by the organisation, whether on-premise or in the cloud, assess its importance to the business and ensure that there are suitable controls in place to protect it from exposures and loss. Ensure that offline backups, snapshots, and/or data versioning exist and consider the impact of data being deleted, encrypted or leaked. Regularly advise your staff on existing and new cyber security threats, and consider future and evolving attacks such as voice/messaging attacks, as detection of email based phishing attacks forces attackers to seek alternative avenues.