Maksim Kabakou - Fotolia

Security Think Tank: Cyber attack survival not a matter of luck

How should businesses plan to survive a potential cyber attack extinction event?

Cyber risk should always be considered as a business risk and not just a technical issue. A cyber attack can cause severe damage to businesses large and small and can lead to business failure. 

SMEs can be particularly at risk and it is often stated that 60% of small businesses that suffer a cyber attack are out of business within six months – but larger enterprises are also at risk.

Cyber insurance may be an option, but a small business may not be able to live with the cashflow disruption long enough to collect the pay-out. Surviving a sophisticated or overwhelming cyber attack is not a matter of luck, but of taking appropriate security measures, and having a plan if the worst happens.

Exactly what that is will depend on the business, but some examples might be:

  • A ransomware, or similar attack locking you out from data, financials, and so on, that you need to deliver your business.
  • A DDoS (distributed denial of service) attack on your web services stopping your customers accessing your services.
  • A data breach critically damaging your reputation, or resulting in litigation costs, damages for a personal data breach, or a crippling fine.
  • Loss of business-critical IP (intellectual property) that allows your competitors to undercut your products, or results in a collapse of confidence in the company.

If businesses are to survive such an event, the preparations need to cover legal obligations and customer relations as well as the technical aspects. The choices to be made depend on the type of business and the resources available, but fundamentally, “best industry practice” needs to be used to defend against an attack, and a response plan needs to be in place to enable a rapid recovery. 

Using best practice not only helps defend against an attack, but also shows that the business has done what is reasonable and expected to defend against the attack, and is therefore not negligent. However, “best practice” is not static – it is necessary to keep up as the threat and technology evolve. 

This should cover not only technical measures, but also user training in data protection to minimise breaches and user security awareness training, such as phishing simulation, which, as well helping to reduce (though not eliminate) breaches, shows due diligence. 

When it comes to recovery, in the case of a ransomware attack or a sophisticated attack, it may be impossible to find or remove the attacker’s malware without re-imaging all the hosts and servers in the network and maybe even the infrastructure equipment, such as routers. 

Destructive encryption methods, as seen in NotPetya, require SMEs to recover from archives that either do not exist in totality, or the processes of backup and recovery have never been tested on the scale of a full critical business recovery. This needs to be planned for and made as simple as possible. 

If every machine is different and users store critical files locally rather than on a server, then re-imaging and restoration of data will be time-consuming, if it is even possible. If this is being done to recover from a persistent cyber attack rather than just ransomware, then it must be ensured that the backups do not contain malware which is then restored. 

Ideally, have a common build so that hosts can be re-imaged easily, and stop users saving documents locally. 

Another option, taken by many SMEs and a growing number of large organisations, is to take a cloud-based approach, doing everything through a browser. In this case, the service provider should take care of your backups and every client should be quick to re-image, because they should be all the same. 

Best practice will still need to be followed and users trained, but also, appropriate SLAs (service-level agreements) need to be in place with the service provider to ensure a timely response and fully identify liabilities.

When it comes to web-based businesses, the choice is similar – host yourself, applying all the DDoS protection, backup, and so on, or go with a service provider. For the latter option, however, there will still be content to back up, and/or a development system to protect, depending on the business model. Again, the SLAs need to reflect the business need.

If the worst happens, then it will be necessary to launch the incident response plan. This must be comprehensive and tested, and should not be limited to the technical response. The first thing to consider is who leads the response, what are the roles needed and who are the decision-makers and stakeholders. 

The EU’s GDPR (General Data Protection Regulation), and/or the NIS directive may require you to report and disclose the attack and so you will need to have a communications plan and someone nominated to lead on external communications. Someone who can approve critical business decisions, such as disconnecting the system from the internet, needs to be available, even if it is the CEO. 

Therefore the plan needs to set out the roles, who fulfils them and who the alternates are if the first-named are not available, along with their in- and out-of-hours contact details. The plan should also identify relevant service providers, with points of contact and contact details. 

The detail of the response plan will then be dependent on the system and type of business involved. It is essential that the response plan is exercised and refined on a regular basis, as there will almost certainly be chaos the first time it is used.

In summary, surviving business extinction following a cyber attack is a business challenge that can be eased by taking the appropriate technical decisions in the design of the system and development of processes beforehand to allow a rapid return to normality, support the legal obligations of the organisation and manage customer relationships throughout the event.

Read more on Hackers and cybercrime prevention